Exploiting Same Origin Method Execution Vulnerabilities

Recently it came to my attention that it is possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution – which an attacker can use to widely abuse the trust between a user, the web application and its intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user into visiting a malicious web page which…

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client…

Whitehatsec’s Aviator

A new web browser is brought to us by Whitehatsec called Aviator, built for speed, security and privacy. It's based on the open-source Chromium browser and can utilise many of Chrome's browser plugins. The browser boasts that with every website you visit, you are potentially vulnerable to malicious hackers out to steal your surfing history, passwords, email access, bank account numbers, medical info, and more, and that the “big browsers” don't do enough…

How to Create Mark V Pineapple Infusions/Plugins

Introduction: The Pineapple (since Mark IV) has introduced the idea of infusions: community-written plugins that, once approved, become available on the Pineapple Bar for all to use. Since the introduction of Interface 3.0 (Mk4) or 1.0 (Mk5) these infusions have moved to a more uniform modular approach. This has the following benefits: easier to create; modular design; similar code base (easier to review); generally more secure code. Now, creating new plugins may seem…

WiFi Pineapple; Decrypting SSL Traffic on Mobile Applications

Introduction: Most people view the WiFi Pineapple as an intrusive piece of kit. It is marketed as a WiFi device that can trick unsuspecting clients into connecting to its Access Point (AP), because the device sends out Probe responses that match the devices' Probe requests. From there a victim is susceptible to Man-in-the-Middle (MiTM) attacks, interception and traffic manipulation. The device was famously used on Channel 4's Derren Brown's Apocalypse (http://en.wikipedia.org/wiki/Derren_Brown:_Apocalypse),…

Naked WiFi Pineapple Mark V!

Introduction: We will take a look at the new Mark V insides: the board, the kernel and its interfaces. Specification: CPU: 400 MHz MIPS Atheros AR9331 version 1 SoC (http://www.eeboard.com/wp-content/uploads/downloads/2013/08/AR9331.pdf); Memory: 16 MB ROM (w25q128, 16384 Kbytes), 64 MB DDR2 RAM (Hynix H5PS5162GFR-Y5C); Disk: Micro SD support up to 32 GB, FAT or EXT, 2 GB included; Mode Select: 5 DIP switches – 2 system, 3 user configurable; Wireless: Atheros AR9331 IEEE 802.11 b/g/n +…

New WiFi Pineapple; From Britain with Love!

Introduction: Since approximately the time of our posting Blue for the Pineapple (6 months ago), the Hak5 Pineapple Team have disappeared underground to produce the new Mark 5 Pineapple: a customised board that is cheaper to produce and more affordable. The Mark 5 has 2x WiFi cards (Atheros 9331 & RTL8187 (famously known as an Alfa)), with SMA connectors. Twice the RAM & ROM (16MB & 64MB), with the…

Can QR Codes Really Be Hacked? | InteliSecure

What is a QR Code? QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional barcode). A barcode is an optically machine-readable label that is attached to an item and that records information related to that item. The information encoded by a QR code may be made up of four standardized types (“modes”) of data (numeric, alphanumeric, byte / binary, Kanji) or, through supported extensions, virtually any type of…

How To Decode BIG IP F5 Persistence Cookie Values

Hey Guys, I came across a BIG IP F5 load balancer when doing a recent web application penetration test. The interesting thing about this load balancer was the cookie value: Name: BIGipServerLive_pool; Value: 110536896.20480.0000; Path: /; Secure: No; Expires: At End Of Session. As you can see, the cookie value looks rather suspicious, let's see if we can reverse it! I came across the following page with a plethora of…

Firefox 4 Web Console | InteliSecure

The final version of Firefox 4 is almost here, and since it's my main tool during pentesting I have been checking frequently to be sure I'm not going to be missing anything when the change comes. As the change is big, some of the extensions are slowly updating their versions to ensure compatibility with the new release (I just did a quick update of the Hackbar extension today to ensure…