osirium
Members
Posts: 27
Everything posted by osirium
-
This is kinda funny tbh. Currently, eBay is running a very expensive BB program with one of the top BB platforms. The scope is very broad and basically, they are trying to cover all their exposed "stuff". Probably someone was able to toast them through one of their third-party acquisitions because eBay as a mother base platform is quite well scrutinised. I will check my account too just to see if anyone was able to add me more positive feedback :)
-
Thanks. However, the "Web Hacking 101" book would be almost everything you need to get started in the BB world.
-
Using open-uri? Check your code - you're playing with fire!
osirium posted a topic in Securitate web
" Ruby's OpenURI is an easy-to-use wrapper for net/http, net/https and net/ftp. As far as I know it's the most popular way to read URL content, make a GET request or download a file. require "open-uri" internally patches Kernel.open, leaving you one step away from remote code execution and reading local files! Here are some examples: open(params[:url]) is remote code execution for url=|ls. Didn't you know if it starts with a pipe Ruby executes it?! Ouch. "
Source: https://sakurity.com/blog/2015/02/28/openuri.html
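The pattern the quoted post warns about, side by side with a hardened version, as an added example that is not code from the original post or from the sakurity blog. `unsafe_read` is the vulnerable `open(params[:url])` shape (the variable name `user_supplied` is a placeholder for the request parameter); `validated_remote_uri` is one assumed mitigation: parse the string first, accept only absolute http(s) URLs with a host, and hand open-uri the URI object rather than the raw string, so the "|cmd" and local-path forms of Kernel#open can never be reached. The sample inputs in the main block are constructed.

```ruby
require "uri"
require "open-uri"

# Vulnerable pattern from the post: Kernel#open (which open-uri hooked on
# Ruby < 3.0) treats a leading "|" as a command to run through a pipe and a
# plain path as a local file. `user_supplied` stands in for params[:url].
# Newer Rubies warn about (and may eventually refuse) the pipe form; the
# local-file form needs no such trick.
def unsafe_read(user_supplied)
  open(user_supplied) { |io| io.read }   # "|id" runs id; "/etc/passwd" reads it
end

# Hardened variant (assumed mitigation, not from the post): parse first and
# accept only absolute http(s) URLs that actually carry a host.
def validated_remote_uri(user_supplied)
  uri = URI.parse(user_supplied.to_s)
  unless uri.is_a?(URI::HTTP) && uri.host   # URI::HTTPS is a subclass of URI::HTTP
    raise ArgumentError, "refusing non-http(s) target: #{user_supplied.inspect}"
  end
  uri
rescue URI::InvalidURIError
  # "|ls" and friends do not even parse as URIs; treat that as a rejection too.
  raise ArgumentError, "unparseable URL: #{user_supplied.inspect}"
end

# Convenience predicate for callers (and for checks) that just want yes/no.
def safe_target?(user_supplied)
  validated_remote_uri(user_supplied)
  true
rescue ArgumentError
  false
end

# Safe fetch: URI::HTTP#open comes from open-uri and only ever speaks HTTP,
# so neither the pipe nor the local-file behaviour of Kernel#open applies.
def safe_read(user_supplied)
  validated_remote_uri(user_supplied).open { |io| io.read }
end

if __FILE__ == $0
  begin
    puts unsafe_read("|echo this ran as a shell command")   # constructed input
  rescue StandardError => e
    puts "pipe form refused by this Ruby: #{e.class}"
  end
  %w[https://example.com/report.pdf |ls /etc/passwd file:///etc/passwd].each do |u|
    puts "#{u.ljust(28)} -> #{safe_target?(u) ? 'allowed' : 'rejected'}"
  end
end
```

Scheme validation is the minimum; in a real service you would also resolve and check the host to keep the same parameter from being turned into an SSRF against internal addresses, which the post does not cover.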
CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data " The authors of check_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the old stable version 1.2.8p25 and below of both check_mk and check_mk Enterprise. It’s basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure of authentication credentials to an unauthenticated user. " Source: https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
-
parameth - Tool to brute discover GET and POST parameters
osirium replied to Fi8sVrs's topic in Programe hacking
Hi, just curious if you were able to use this tool successfully. Gave it a couple of tries but for whatever reason it didn't work as expected. Thanks.
Aside from this bug, in WP core 4.8.1 there was an undisclosed XSS vector in the default oEmbed module, but when searching for details I got only silence on the tube.
-
" Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. " Source: https://www.contextis.com/blog/xslt-server-side-injection-attacks
-
PENETRATION TESTING FLASH APPS (AKA “HOW TO CHEAT AT BLACKJACK”) " In this post, we will walk through detailed steps to intercept, review, modify, and replay flash-based web apps. For demonstration purposes, I’ve selected a blackjack-style card game. We will work to control what cards are dealt, as well as how a score is calculated. " Source: https://privsec.blog/penetration-testing-flash-apps-aka-how-to-cheat-at-blackjack/
-
How can I use CSS-in-JS securely? " CSS-in-JS is an exciting new technology that completely eliminates the need for CSS class names. It makes it possible to add styles directly to your components, using the full power of CSS. Unfortunately, it also promotes interpolation of unescaped props into that CSS, opening you up to injection attacks. And CSS injection attacks are a major security hazard. " Source: https://reactarmory.com/answers/how-can-i-use-css-in-js-securely
-
Advanced Flash Vulnerabilities in Youtube " ...Flash has been replaced by new javascript/html5 features. These features introduce complexity and new kinds of vulnerabilities like bad CORS implementation, DOM XSSes triggered by postMessage or XHR requests, active mixed content... Learning from Flash mistakes can help design and implement more secure javascript applications. The new Youtube html5 Api is mostly a porting of the Youtube Flash Api to javascript, making it interesting to study. In fact, I was able to find XSSes in the Youtube html5 Api using my knowledge of the Flash Api. " Source: https://opnsec.com/2017/08/advanced-flash-vulnerabilities-in-youtube/
-
DeLux Edition: Getting root privileges on the eLux Thin Client OS Designed as a secure, streamlined environment for users to access applications such as a browser, Citrix and terminal services, the vendor describes eLux as: “… a hardware-independent operating system for cloud computing environments. It is based on a write protected file system and therefore secure against computer viruses and other malware without using special Antivirus Software. eLux® has been continuously developed and enhanced for more than 15 years." Source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/delux-edition-getting-root-privileges-on-the-elux-thin-client-os/
-
Leveraging Duo Security’s Default Configuration to Bypass Two-Factor Authentication " Few things are more frustrating as an attacker than running up against widely implemented two-factor authentication (2FA). Even with valid credentials, without a valid two-factor authentication code or push acknowledgement, logging in to a protected service and abusing its capabilities or harvesting information isn’t possible. But what if instead of attacking the application, we first attacked how the two-factor authentication was implemented? In this blog post, we’ll discuss how one particular 2FA solution – by Duo Security – can have its default configuration leveraged to allow a log in without 2FA and how to mitigate against this tactic. " Source: https://appsecconsulting.com/blog/leveraging-duo-securitys-default-configuration-to-bypass-two-factor-authent
-
Symantec Messaging Gateway <= 10.6.3-2 unauthenticated root RCE
osirium posted a topic in Exploituri
" This is an advisory for CVE-2017-6327, which is an unauthenticated remote code execution flaw in the web interface of Symantec Messaging Gateway prior to and including version 10.6.3-2, which can be used to execute commands as root. Symantec Messaging Gateway, formerly known as Brightmail, is a Linux-based anti-spam/security product for e-mail servers. It is deployed as a physical device or with ESX in close proximity to the servers it is designed to protect. "
PS. The advisory mentions a fully automated Python file that can be used to p0wn vulnerable targets, but it probably won't be released, for well-understood reasons.
Source: http://seclists.org/fulldisclosure/2017/Aug/28
Summary: " SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to quickly create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events. " Source: https://github.com/cliffe/SecGen
-
G-Scout: OSS tool to assess the security of Google Cloud Platform (GCP) environment configurations " G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results. The audited data relates to: IAM roles, Compute Engine instances, Storage buckets, firewall rules, SQL and NoSQL databases, and service account keys. G-Scout also allows users to create and customize rulesets simply by creating Python functions. " Source: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/august/introducing-g-scout/
-
Arbitrary code execution via crafted ssh:// in Git " A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. "
Sources:
[-] http://blog.recurity-labs.com/2017-08-10/scm-vulns
[-] https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html
-
Writing my first shellcode - iptables -P INPUT ACCEPT
osirium posted a topic in Tutoriale in engleza
" I've recently started to look into basic application security concepts using the imho excellent material from OpenSecurityTraining.info. In this blog post I'd like to share my first piece of shellcode, executing iptables -P INPUT ACCEPT.

Background

After practically learning how to exploit a simple stack overflow I wanted to see if I could write my own shellcode. I somehow came across the shellcode repository at shell-storm.org and wanted to develop something that wasn't already in there and is somehow useful. There are multiple entries which execute iptables -F. However, as far as I know, this only flushes all rules from all tables, but doesn't change the default policies. So it may drop all rules, but if a server's default policy is DROP you'll cut the machine off the internet. Mission failed. My idea was to write a piece of shellcode that would change the default policy of the INPUT chain to ACCEPT, i.e. run iptables -P INPUT ACCEPT.

Writing shellcode

First of all, I'd like to say that I'm not a 1337 sh3llc0d3 3Xp3rt. I read about some basics and tried to understand other people's shellcode and their tricks. So feedback is very welcome! Simply leave a comment or send me an e-mail. The goal is to run /sbin/iptables -P INPUT ACCEPT. At this point we assume that the exploited application has enough privileges to execute this command. Otherwise you might want to add some setuid(0) code or so. "
Source: https://0day.work/writing-my-first-shellcode-iptables-p-input-accept/
Smuggling HTA files in Internet Explorer/Edge "In this blog post, we will demonstrate how attackers can serve malicious HTML Application (HTA) [1] files in a way that may bypass traditional proxy filtering. We will also cover some defensive mechanisms that can be used to prevent such attacks. " Source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/
-
Learn C# by Building a Simple RPG " If you want to write a Role Playing Game, but don’t know how to program, or just want to learn how to program in C#, then you’re at right the place. These lessons will take you from a complete beginner to being an author of a Role Playing Game, for free. Now, this isn’t the world’s greatest game. In fact, it’s very short and kind of ugly. However, as you create it, you’ll learn the most common C# programming practices and techniques. Then, if you want, you can improve the game, adding more features and your own special touch to it... " Sources: [-] https://scottlilly.com/learn-c-by-building-a-simple-rpg-index/ [-] https://roguesharp.wordpress.com/
-
Awesome Hacking A collection of awesome lists for security researchers. Source: https://github.com/Hack-with-Github/Awesome-Hacking/blob/master/README.md
-
A couple of weeks ago I did a test installing a bare Debian 9 VM. Then I started to add the top 50 tools from Kali Linux. To be honest, this VM is working like a charm atm without all the other unnecessary bullshit which comes by default with Kali Linux. Overall, you have to understand this distro was built mainly by an Israeli dude and that should raise some concerns. Don't get me wrong, it is an amazing distro, but once its popularity grew among security professionals, the interest in having it "backdoored" probably grew as well. There is also the BlackArch alternative, which overall is way more time consuming from a tweaking perspective. Also, personally, I found Arch to be slightly unfriendly with VMware Workstation and very sensitive to different kernel changes. But this is just a personal opinion.
-
" Your Node.js authentication tutorial is wrong ... digging through various Node.js tutorials, as it seems that every Node.js developer with a blog has released their own tutorial on how to do things the right way, or, more accurately, the way they do them. Thousands of front-end developers being thrown into the server-side JS maelstrom are trying to piece together actionable knowledge from these tutorials, either by cargo-cult-copypasta or gratuitous use of npm install as they scramble frantically to meet the deadlines set for them by outsourcing managers or ad agency creative directors. One of the more questionable things in Node.js development is that authentication is largely left as an exercise to the individual developer. The de facto authentication solution in the Express.js world is Passport, which offers a host of strategies for authentication. If you want a robust solution similar to Plataformatec’s Devise for Ruby on Rails, you’ll likely be pointed to Auth0, a startup who has made authentication as a service. Compared to Devise, Passport is simply authentication middleware, and does not handle any of the other parts of authentication for you: that means the Node.js developer is likely to roll their own API token mechanisms, password reset token mechanisms, user authentication routes and endpoints, and views in whatever templating language is the rage today. Because of this, there are a lot of tutorials that specialize in setting up Passport for your Express.js application, and nearly all of them are wrong in some way or another, and none properly implement the full stack necessary for a working web application..... " Source: https://medium.com/@micaksica/your-node-js-authentication-tutorial-is-wrong-f1a3bf831a46
-
Hackers Hijacked Chrome Extension for Web Developers With Over 1 Million Users " ..., another popular Chrome extension, 'Web Developer', was hijacked by some unknown attackers, who updated the software to directly inject advertisements into the web browsers of its over 1 million users. Chris Pederick, the creator of the Web Developer Chrome extension that offers various web development tools to its users, alerted late Wednesday that some unknown hackers apparently phished his Google account, updated the extension to version 0.4.9, and pushed it out to its 1,044,000 users. In both cases, cyber criminals used phishing first to gain access to the developers' Google accounts, hijacked their respective extensions and then updated the extensions to perform malicious tasks. " Source: https://thehackernews.com/2017/08/chrome-extension-for-web-developers.html
-
Framing. Sounds like a 1984 Romanian Secret Police operation. The difference is they were much better at doing this than today's FBI. https://theoutline.com/post/2054/the-wannacry-hacker-hero-was-spending-big-in-vegas-before-his-arrest LOL
-
CSS mix-blend-mode is bad for your browsing history
osirium replied to Nytro's topic in Securitate web
Cool one. Especially the part where it sends back to a server what the "guy" has visited. Thanks!