Over on the NCC Group website I published a solution to an open demonstration of the well-known JSON Web Token (JWT) algorithm confusion vulnerability (the one where you swap the token algorithm from ‘RS’ to ‘HS’ and sign your payload with the public key). I use OpenSSL to gain full visibility of what’s happening and, by walking through the method, if you ever need to test this vulnerability yourself, it will hopefully help to avoid false negatives.
I thought a couple of gotchas when testing for XSS could be a useful post. Not new, especially, but I haven’t posted for a while. It shows how you might think you’ve covered an area of a web application and declared it free from XSS but in fact there might be a bug left behind. Continue reading
Recently I was pentesting a web app that had an unauthenticated XSS vulnerability but there was some heavy filtering in place. Nonetheless I was able to achieve session fixation using a combination of a technique I previously explained and some fun filter workarounds – including using the application’s own defensive HTML encoding to create a working XSS payload! Continue reading
A quick posting about a fun SQL injection I cracked last week (of course, it’s only when you’ve cracked them that they’re fun!). A colleague had found the classic sign of a problem – add a single quote and you get an error – but was having no luck doing anything more. I was getting nowhere with my test so I thought I’d take a look for a change of scene. The input field was in a search box so, for example, search=keyword' returned an error but search=keyword'' was fine. Anything more exciting than that, however, such as search=keyword' and '1'='1, didn’t seem to work as expected: in this case, an error was returned instead of the same set of results that the normal search=keyword produced. Continue reading
Often a combination of security flaws come together to produce a unique attack vector. Individually the flaws may not amount to much but together they make an interesting combo. This is invariably more interesting from a pentesting point of view because you know that a tool couldn’t positively find it. Session fixation is one such scenario because usually a few requirements must be met for the attack to work. I thought I’d write up a recent session fixation flaw because the act of forcing the cookie onto the victim involved a little twist on overwriting session cookies that made a reflective XSS attack last a lot longer while also laughing in the face of httponly. Continue reading
Not exactly wizard stuff today, more like back to basics perhaps – but sometimes they’re worth revisiting. I’ve had some good DirBuster finds three tests in a row so I thought I’d write them up as a case study. It’s a reminder that there’s some very low-hanging fruit out there that may not always get picked. I’ve also put together a walk-through for many of DirBuster’s features and I aim to show that, as with many tools, a few minutes of manual work can produce a faster set of more meaningful results. Continue reading