Writeup: KringleCon 2018

The annual Holiday Hack Challenge by SANS and the Counterhack team takes place during Christmas time and is always entertaining and great for learning a new trick (or two). This year, the challenge was organized as an online conference, called KringleCon: https://holidayhackchallenge.com/2018/ with great talks and a well thought-out story.


Wammer – WiFi jamming made easy


For years the IEEE 802.11 WiFi protocol has had a well-known design flaw which allows attackers to disconnect clients from the WiFi access point they’re connected to.

All the attacker has to do is send “deauthentication frames” to the WiFi access point. Because the IEEE 802.11 WiFi standard doesn’t require encryption for such frames, an attacker is able to perform the attack even though he isn’t connected to that access point.

Bypass Kiosk Mode with Libre/Open Office

Suppose you have restricted access to a computer and can only open certain programs. Usually this is caused by a kiosk mode that has a whitelist containing only trusted programs. Libre/Open Office is a widely used and commonly unlocked program in such kiosk modes. Some vendors unlock the whole Libre/Open Office folder, “C:\Program Files\LibreOffice 5\program” or “C:\Program Files (x86)\OpenOffice 4\program”, including all other binary files in it. Python version 3.5.4 (LibreOffice) / 2.7.13 (OpenOffice) is automatically included in the default installation of Libre/Open Office. Now a user can create a Libre/Open Office macro to run a Python shell:

Chrome Information Leakage – Prediction Service & Preload

Last year in February, I found a vulnerability in Google Chrome and submitted it (bug report). So far nothing has happened, and now the vulnerability has been published on Twitter: https://twitter.com/zerosum0x0/status/958890437837692928

Hooking Burp Suite in Client Software Communication

After learning to inspect security from all perspectives from Prof. Pfitzmann at the university, I have been working as a penetration tester and IT security consultant since 2009. I have seen many, many different applications, architectures and technologies since then.
Web applications, web services, Oracle, MySQL, Linux and SAP R3 are my focus technologies, while my activities are widely spread: manual penetration tests, static code analysis, code reviews, consulting, project management.

Ever came across the problem of redirecting HTTP(S) traffic to Burp Suite when it originates from client software that does not support configuring a proxy?

Ergonomic Password Generator


To secure applications it is often necessary to verify the identity of the user; this process is called authentication. There are several methods to authenticate a user, with passwords being the most common one. Passwords are usually chosen by the user. Those user-chosen passwords are often not strong enough and can easily be guessed by brute forcing or simple deduction (e.g. pet names).

Immutable, reliable, secure – A brief history of blockchain security

Believes in cryptoanarchy & hopes for the upcoming age of digital enlightenment. Involved in the blockchain community & cryptoeconomics. Research topics focused on blockchain applications regarding security aspects.

Blockchain technology is marketed as Web 3.0, and because of its distributed structure it wipes out single points of failure. But does that mean there are no points of failure at all? Let’s look at some important blockchain hacks / failures from the tech perspective.

[Remark: This is not about $$$ Bitcoin hacks, where lousy DB implementations, web applications, key handling or simply social engineering led to hacked Bitcoin exchanges or wallets.]

Fingerprinting of web browsers and the consequences for privacy

Franz is a pentester and interested in IT security topics. He has been working in IT security for three years now and studied business informatics before that.

Introduction

Fingerprinting of web browsers is a known technique to identify website users. It enables tracking of users and their habits across websites without the use of cookies. Approximately 93 percent of web browsers have a unique fingerprint. Particularly meaningful are the list of installed plugins, screen resolution, time zone, language and fonts. From these attributes a unique hash for the user’s browser is created. This hash can be used to (re-)identify visitors across different sessions and IP addresses.

Web Shells and Backdoors

Glia is an open minded security professional with a wide interest in different security topics.

Introduction

In April 2016 researchers of Stony Brook University and Ruhr-University Bochum published a study about (malicious) PHP web shells with the title “No Honor among Thieves: A Large-Scale Analysis of Malicious Web Shells”. [1] Their goal was to analyze how many PHP web shells contain backdoors or other malicious functions that are not in the interest of the web shell’s user. This is to be seen regardless of the fact that web shells are often used for malicious activities themselves.

Here we summarize their findings which, in our opinion, are of interest to the wider audience in security and penetration test

PHP: Exploitation with $_REQUEST while validating $_GET


While penetration testing and code reviewing a customer’s web application I came across an interesting bug I’m going to describe in this article.

The application in question supports third-party plugins, which often follow their own coding conventions.
During the code review, a cross-site scripting vulnerability was detected in one of those plugins:

<?php
// Vulnerable as described above: the request parameter is written
// unescaped into an HTML attribute, so it is reflected back to the browser.
echo "<a href='index.php?plugin=".$_REQUEST['plugin']."'>Link text</a>";
?>
