Cyberis Blog
Reassuringly clear thinking.
- Penetration testing
- Research
Bluetooth: The Spy In The Meeting Room
Bluetooth technology permeates the modern world. From smart phones to wireless speakers, fitness trackers to WiFi mesh hardware, Bluetooth has become the de facto standard for short-range wireless communications. The chances are that you have Bluetooth enabled devices near you as you read this, and, if you're regularly involved in conference calls, you've probably often used a Bluetooth enabled speaker or VoIP phone.
- Penetration testing
When Low Risk Vulnerabilities Attack
When undertaking penetration testing against Internet facing systems, we often see information exposure vulnerabilities. These expose information regarding the systems under test that can, in isolation, be considered low risk as they are not directly exploitable to obtain access to systems or sensitive data.
- Penetration testing
- Tools and techniques
User Enumeration - Timing Discrepancies
I find myself writing this blog today as there are only a few references on the internet to user enumeration attacks via timing discrepancies, despite almost every site I've tested in my career being vulnerable to the weakness. The issue is fairly obvious from the title; an application log-in response takes differing amount of times depending on whether or not the user is valid. But why?
- Penetration testing
PHP Serialization And SQL Injection
Sanitisation of user input is essential for preventing SQL injection, regardless of the format of the supplied data. Today I'm going to look at SQL injection through a more obscure injection point: serialized PHP arrays. Taking inspiration from a finding in a recent test, I've created a small app which allows the user to upload a CSV file. This file is then converted to a PHP array, serialized and returned to the user as a hidden form field. Finally, this is posted back to the application where the supplied data is inserted into the MySQL database.
- Penetration testing
- Tools and techniques
Creating Macros For Burp Suite
There are many tools available for automated testing of web applications. One of the best known is probably sqlmap. Sqlmap allows you to identify and exploit SQL injection vulnerabilities with ease from the command line. However, controls such as CSRF tokens or simple anti-automation techniques such as including a unique hidden value within the form can prevent automated tools from working correctly. Macros in Burp Suite are a great way to bypass these measures in order to carry out automated testing, although they can be complicated to implement.
- Penetration testing
- Tools and techniques
Obtaining NTDS.Dit Using In-Built Windows Commands
Using the same underlying technique (Volume Shadow Service), there is an in-built command (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.
- Penetration testing
- Tools and techniques
Testing .NET MVC For JSON Request XSS - POST2JSON Burp Extension
During a recent application penetration test on behalf of a client, one of the security vulnerabilities discovered was a stored cross-site scripting vector, delivered via a JSON request to a MVC3 controller. The malicious data (in this case a simple script tag proof-of-concept) was written to the database and subsequently echoed back to the user when viewing a number of pages within the application. This is how we wrote Burp plugin to bypass the XSS safety nets in the .NET framework...
- Penetration testing
- Tools and techniques
Finding Hidden Vhosts
During a recent test we observed a number of web servers that had a number vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server. Here's how we found them...
Improve your security
Our experienced team will identify and address your most critical information security concerns.