The Differences Between Audits, Security Assessments and Penetration Tests

We live and work in a world where malicious activity and cyber crime run rampant.  While online fraud and data theft have existed since the origin of the internet, never before has it seemed to be as pervasive as it is today.  Every day there seems to be a new headline about ‘XYZ Company’ coming under attack or having a massive data breach occur.  On top of that, in the…

Finding and Exploiting Same Origin Method Execution vulnerabilities

Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user to visiting a malicious web-page which…

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client…

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So as you do, I was just looking around, manually fuzzing some Web Sockets requests, seeing if I could get any sort of XSS, Remote IRC Command Injection or SQLi mainly – ended up that I didn’t find much there that worse worth noting. So I started seeing if their logic was all alright, so one of their requests looked similar to: {“_reqid”:1234, “cid”:5678, “to”: “#treehouse”, “msg”:”test”, “method”:”say”} I thought,…

Execute Shellcode, Bypassing Anti-Virus…

Hello, I am going to demonstrate a little trick to allow you to bypass anti-virus and execute shellcode, this is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell, however any shellcode can be used, I have simply chosen this one for simplicity. As I’m sure you’re all aware, the standard Metasploit…

Yet Another HeartBleed.

This Heartbleed Information Disclosure Vulnerability has pretty much been covered all over the internet today (8th April 2014).  As a one-page-stop summary, please read below: An online site exists to check vulnerabilities: http://filippo.io/Heartbleed/ Source Code available at: https://github.com/FiloSottile/Heartbleed A python script (thats much better): http://s3.jspenguin.org/ssltest.py A second version of above code with STARTTLS Support: https://gist.github.com/takeshixx/10107280 A good breakout of why the bug exists is here: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html Watching twitter has been entertaining, login.yahoo.com has been leaking user…

Proxmark3 vs Ultralight C

There have been no secrets this week while I’ve been trying to add Mifare Ultralight C support to the Proxmark. Ultralight C cards are HF (13.56MHz) tags that are part of the Mifare family.  This week has been an interesting learning process, and it has corrected some misconceptions I had about the card.  For those interested you can follow my progress at http://www.proxmark.org/forum/viewtopic.php?id=1946.  But I will summarise my findings below: Ultralight C…

Proxmark3 vs Kantech ioProx

Earlier today we released a patch into the Proxmark3 community for initial support of the LF 125kHz ioProx tags from Kantech.  Current operations are FSK-demodulation and card/tag cloning. Not much is revealed about this type of tag, and only limited data can be found on its data sheet.  Kantech state that readers/cards are compatible with standard 26-bit Wiegand and Kantech Extended Secure Format (XSF). But it is difficult to find…

RFID Wallets/Sleeves. How much Security do they provide?

With the increasing amount of RFID technology creeping into everyday life.  Just how much data can be obtained from your wallet?  At Pentura we undertook a small experiment where using standard off-the-shelf products, we would attempt to obtain personal information leaked from RFID enabled devices: UK Passport UK Bank Cards Debit/Credit Access Control Tokens Our experiment used standard unmodified off-the-shelf RFID equipment: 13.56MHz ACR-122U Reader Proxmark3 with LF antenna Proxmark3…

Ubertooth – Bluetooth Sniffing Updated for 2014!

Earlier I noticed this tweet on my twitter feed: Ubertooth release: https://t.co/cCYHNf34Yc I know it’s been a long time coming, I promise not to leave it so long next time. — Dominic Spill (@dominicgs) February 20, 2014 So I thought I would walk you through the update, which has improved Operating System support, improved Bluetooth Low Energy (BTLE) support, and GitHub integration to make community development easier….