To secure applications it is often necessary to verify the identity of the user; this process is called authentication. There are several methods to authenticate a user, passwords being the most common one. Passwords are usually chosen by the user, and such user-chosen passwords are often not strong enough: they can be easily guessed by brute forcing or simple deduction (e.g. pet names). Continue reading “Ergonomic Password Generator”
Immutable, reliable, secure – A brief history of blockchain security
Blockchain technology is marketed as the Web 3.0, and because of its distributed structure it wipes out single points of failure. But does that mean there are no points of failure at all? Let’s look at some important blockchain hacks / failures from the tech perspective.
[Remark: This is not about $$$ Bitcoin hacks, where lousy DB implementations, web applications, key handling or simply social engineering led to hacked bitcoin exchanges or wallets.] Continue reading “Immutable, reliable, secure – A brief history of blockchain security”
Fingerprinting of web browsers and the consequences for privacy
Introduction
Fingerprinting of web browsers is a known technique to identify website users. It makes it possible to track users and their habits across websites without the use of cookies. Approximately 93 percent of Web browsers have a unique fingerprint. Particularly meaningful are the list of installed plugins, screen resolution, time zone, language and fonts. From these attributes a unique hash for the user’s browser is created. This hash can be used to (re-)identify visitors over different sessions and IP addresses. Continue reading “Fingerprinting of web browsers and the consequences for privacy”
DefCon 24
Introduction
After Troopers 2016 and Hack In the Box, my year of conferences ends with DefCon 24 at Bally’s & Paris Casino in Las Vegas, which with about 22,000 attendees/hackers was one of the largest hacker conferences. In this post I would like to give my personal impression of this great conference. Continue reading “DefCon 24”
Web Shells and Backdoors
Introduction
In April 2016 researchers from Stony Brook University and Ruhr-University Bochum published a study about (malicious) PHP web shells with the title “No Honor among Thieves: A Large-Scale Analysis of Malicious Web Shells”. [1] Their goal was to analyze how many PHP web shells contain backdoors or other malicious functions that are not in the interest of the user. This is independent of the fact that web shells are often used for malicious activities themselves.
Here we summarize their findings which, in our opinion, are of interest to the wider audience in security and penetration test Continue reading “Web Shells and Backdoors”
Using Chrome Logger in BurpSuite
In February of this year, a blog post in the OWASP ZAP newsletter pointed us towards an interesting technology called Chrome Logger. Chrome Logger can be used to display server-side debugging information in the web console (e.g. in Firefox) at runtime.
How it works
First, download and import the server-side library, which is available for different languages like Continue reading “Using Chrome Logger in BurpSuite”
Using Whitelisting to control file access in Apache Webserver
The aim
You want to control which files on your webserver can be accessed by whom, but you don’t want to use blacklisting. You want to say, for example, that external users can access files whose names end with .php, .jpg and .png. All other files must not be accessible, no matter what name they have.
You can use LocationMatch and FilesMatch to control access to files. In this example, we will use FilesMatch, because we care about files which are stored on the filesystem. But the same approach also applies to files which are generated when requested.
The problem
When Apache finds a FilesMatch entry in its configuration which matches the requested filename, the corresponding rules are applied. There is no problem with that as long as you do not try to create a catch-all rule Continue reading “Using Whitelisting to control file access in Apache Webserver”
PHP: Exploitation with $_REQUEST while validating $_GET
While penetration testing and code reviewing a customer’s web application, I came across an interesting bug which I’m going to describe in this article.
The application in question supports third-party plugins, which often follow their own coding conventions.
During code review, a cross-site scripting vulnerability was detected in one of those plugins:
<?php echo "<a href='index.php?plugin=".$_REQUEST['plugin']."'>Link text</a>"; ?>
Continue reading “PHP: Exploitation with $_REQUEST while validating $_GET”
HTTP Side-Channel Attacks with Burp Suite
Ever wanted a simple tool capable of performing a side-channel attack on HTTP requests? A common use case would be to test whether the login action takes more time if the provided username is known to the system than for an unknown username. The theory behind such an attack is that the code performing the login stops earlier in the flow if the used username is not present in the system.
Well, to test such a weakness it is necessary to perform certain HTTP requests, e.g. logins, and to capture the time needed to receive a response. But which tools fulfil these requirements? The search can’t be this hard. In fact the most common Continue reading “HTTP Side-Channel Attacks with Burp Suite”