LANMASTER53.COM

Monday, June 18, 2018. While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the

research

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery. LANMASTER53.COMSEE MORE ON LANMASTER53.COM LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

Once we added the filter to the john.conf file, we had to chose a decent sized list to run through the filter. Mark recommended the rockyou.txt list. We ran it through the filter: ./john --wordlist = --stdout --external: > This gave us all of the passwords in the list which meet

the

LANMASTER53.COM

In this example, the parameter value of Tim is still sent to the server, but Tim# is parsed from the document.URL DOM attribute and added to the HTML of the page, exposing the target to the payload. This exploit bypasses any server-side mitigation to D-XSS. The second impact that the hash character has on D-XSS is that not all browsers

treat URIs and URI

EXPLORING SSTI IN FLASK/JINJA2

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

Monday, June 18, 2018. While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the

research

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery. LANMASTER53.COMSEE MORE ON LANMASTER53.COM LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

Once we added the filter to the john.conf file, we had to chose a decent sized list to run through the filter. Mark recommended the rockyou.txt list. We ran it through the filter: ./john --wordlist = --stdout --external: > This gave us all of the passwords in the list which meet

the

LANMASTER53.COM

In this example, the parameter value of Tim is still sent to the server, but Tim# is parsed from the document.URL DOM attribute and added to the HTML of the page, exposing the target to the payload. This exploit bypasses any server-side mitigation to D-XSS. The second impact that the hash character has on D-XSS is that not all browsers

treat URIs and URI

EXPLORING SSTI IN FLASK/JINJA2

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery.

LANMASTER53.COM

Articles, information, and projects related to development and web application security.

LANMASTER53.COM

Nothing too complex. Level 2 was also verbal, but I ramped up the complexity and coaching. The command "10 steps forward" signifies a looping construct, so I began coaching them to say stuff like, "count from 1 to 10 and take a step on each count". I also introduced them to conditions. I coached them into commands like "until the floor is hard

LANMASTER53.COM

In this example, the parameter value of Tim is still sent to the server, but Tim# is parsed from the document.URL DOM attribute and added to the HTML of the page, exposing the target to the payload. This exploit bypasses any server-side mitigation to D-XSS. The second impact that the hash character has on D-XSS is that not all browsers

treat URIs and URI

LANMASTER53.COM

This code saves the original alert function as _alert.The code then creates a new alert function. The new alert function does anything we want whenever the browser calls it, and then initiates the original behavior by calling _alert.Since the alert function usually indicates malicious behavior, this gives us an opportunity to detect an attack, and in the case of active defense, respond with

LANMASTER53.COM

In the template code scenario we need to submit two forms to carry out the attack, so we place 2 forms on the page: "csrfForm1" and "csrfForm2". The inputs in the template are blank, but this is where you would put each of the parameters required for

LANMASTER53.COM

Session Fixation Defined. Session Fixation is a vulnerability that allows an attacker to predetermine the session token value of a victim. Like Session Hijacking, Session Fixation allows the attacker to assume the identity of the victim user in the context of the application. The root cause of Session Fixation is when an application

does not

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

The typical user account registration system will ask for the applicant to provide all of the information required to create an account on a registration page. When the registration page is submitted, the application validates the uniqueness of the username. The application then responds with one of the following messages:

LANMASTER53.COM

Local File Inclusion to Remote Command Execution using SSH. Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this.

LANMASTER53.COM

Monday, June 18, 2018. While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the

research

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery.

LANMASTER53.COM

Articles, information, and projects related to development and web application security. LANMASTER53.COMSEE MORE ON LANMASTER53.COM LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

Once we added the filter to the john.conf file, we had to chose a decent sized list to run through the filter. Mark recommended the rockyou.txt list. We ran it through the filter: ./john --wordlist = --stdout --external: > This gave us all of the passwords in the list which meet

the

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

The typical user account registration system will ask for the applicant to provide all of the information required to create an account on a registration page. When the registration page is submitted, the application validates the uniqueness of the username. The application then responds with one of the following messages:

LANMASTER53.COM

Monday, June 18, 2018. While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the

research

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery.

LANMASTER53.COM

Articles, information, and projects related to development and web application security. LANMASTER53.COMSEE MORE ON LANMASTER53.COM LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

Once we added the filter to the john.conf file, we had to chose a decent sized list to run through the filter. Mark recommended the rockyou.txt list. We ran it through the filter: ./john --wordlist = --stdout --external: > This gave us all of the passwords in the list which meet

the

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

The typical user account registration system will ask for the applicant to provide all of the information required to create an account on a registration page. When the registration page is submitted, the application validates the uniqueness of the username. The application then responds with one of the following messages:

LANMASTER53.COM

Articles, information, and projects related to development and web application security.

LANMASTER53.COM

Articles, information, and projects related to development and web application security.

LANMASTER53.COM

Training has been a significant part of my professional life since 2009. I've never written about my training pursuits, so as I march into my tenth year of training, fifth year of Practical Web Application Penetration Testing (PWAPT), and the first year of Practical Burp Suite Pro: Advanced Tactics (PBAT), I'd like to share a little about where I've been, where I'm at, and where I'm going

LANMASTER53.COM

In this example, the parameter value of Tim is still sent to the server, but Tim# is parsed from the document.URL DOM attribute and added to the HTML of the page, exposing the target to the payload. This exploit bypasses any server-side mitigation to D-XSS. The second impact that the hash character has on D-XSS is that not all browsers

treat URIs and URI

LANMASTER53.COM

In the template code scenario we need to submit two forms to carry out the attack, so we place 2 forms on the page: "csrfForm1" and "csrfForm2". The inputs in the template are blank, but this is where you would put each of the parameters required for

LANMASTER53.COM

Session Fixation Defined. Session Fixation is a vulnerability that allows an attacker to predetermine the session token value of a victim. Like Session Hijacking, Session Fixation allows the attacker to assume the identity of the victim user in the context of the application. The root cause of Session Fixation is when an application

does not

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

Local File Inclusion to Remote Command Execution using SSH. Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this.

LANMASTER53.COM

Anyone that has been doing penetration tests for a reasonable amount of time has at some point encountered a restricted user environment. A restricted user environment is a locked down, and usually shared, environment which restricts users to very limited functionality.

LANMASTER53.COM

Articles, information, and projects related to development and web application security.

LANMASTER53.COM

Monday, June 18, 2018. While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the

research

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery.

LANMASTER53.COM

Articles, information, and projects related to development and web application security. LANMASTER53.COMSEE MORE ON LANMASTER53.COM LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

Once we added the filter to the john.conf file, we had to chose a decent sized list to run through the filter. Mark recommended the rockyou.txt list. We ran it through the filter: ./john --wordlist = --stdout --external: > This gave us all of the passwords in the list which meet

the

LANMASTER53.COMSEE MORE ON LANMASTER53.COM EXPLORING SSTI IN FLASK/JINJA2

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the

LANMASTER53.COM

The typical user account registration system will ask for the applicant to provide all of the information required to create an account on a registration page. When the registration page is submitted, the application validates the uniqueness of the username. The application then responds with one of the following messages:

LANMASTER53.COM

Monday, June 18, 2018. While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the

research

LANMASTER53.COM

Regex: Regularly Exploitable. Method Interchange: The Forgotten Vulnerability. Session Fixation Demystified. Cross-Site Trust Exploitation (XSTE) DOM-based Cross-Site Scripting, Revisited. Defending Against Harvesting Attacks on Registration Systems. Multi-POST Cross-Site Request Forgery.

LANMASTER53.COM

Articles, information, and projects related to development and web application security. LANMASTER53.COMSEE MORE ON LANMASTER53.COM LANMASTER53.COMSEE MORE ON LANMASTER53.COM

LANMASTER53.COM

Once we added the filter to the john.conf file, we had to chose a decent sized list to run through the filter. Mark recommended the rockyou.txt list. We ran it through the filter: ./john --wordlist = --stdout --external: > This gave us all of the passwords in the list which meet

the

LANMASTER53.COMSEE MORE ON LANMASTER53.COM EXPLORING SSTI IN FLASK/JINJA2

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the

LANMASTER53.COM

The typical user account registration system will ask for the applicant to provide all of the information required to create an account on a registration page. When the registration page is submitted, the application validates the uniqueness of the username. The application then responds with one of the following messages:

LANMASTER53.COM

Articles, information, and projects related to development and web application security.

LANMASTER53.COM

Nothing too complex. Level 2 was also verbal, but I ramped up the complexity and coaching. The command "10 steps forward" signifies a looping construct, so I began coaching them to say stuff like, "count from 1 to 10 and take a step on each count". I also introduced them to conditions. I coached them into commands like "until the floor is hard

LANMASTER53.COM

Training has been a significant part of my professional life since 2009. I've never written about my training pursuits, so as I march into my tenth year of training, fifth year of Practical Web Application Penetration Testing (PWAPT), and the first year of Practical Burp Suite Pro: Advanced Tactics (PBAT), I'd like to share a little about where I've been, where I'm at, and where I'm going

LANMASTER53.COM

This code saves the original alert function as _alert.The code then creates a new alert function. The new alert function does anything we want whenever the browser calls it, and then initiates the original behavior by calling _alert.Since the alert function usually indicates malicious behavior, this gives us an opportunity to detect an attack, and in the case of active defense, respond with

LANMASTER53.COM

The combination of a white list of unique identifiers for devices that belong in the area (MAC addresses) and signal strength (RSSI) can be used to create a protected zone. With tuning, this creates a circular detection barrier that, when crossed, can trigger any number of alert systems. WUDS includes an SMS alert module, but the sky is the

LANMASTER53.COM

In this example, the parameter value of Tim is still sent to the server, but Tim# is parsed from the document.URL DOM attribute and added to the HTML of the page, exposing the target to the payload. This exploit bypasses any server-side mitigation to D-XSS. The second impact that the hash character has on D-XSS is that not all browsers

treat URIs and URI

LANMASTER53.COM

Result. In this case, HTML output encoding was used to mitigate XSS. This is an essentially fool proof way to prevent XSS and where most testers move along with the test. But there is still danger lurking here. We may not be able to inject a XSS payload, but what prevents us from using the available character set to create a payload that

LANMASTER53.COM

In the template code scenario we need to submit two forms to carry out the attack, so we place 2 forms on the page: "csrfForm1" and "csrfForm2". The inputs in the template are blank, but this is where you would put each of the parameters required for

LANMASTER53.COM

Session Fixation Defined. Session Fixation is a vulnerability that allows an attacker to predetermine the session token value of a victim. Like Session Hijacking, Session Fixation allows the attacker to assume the identity of the victim user in the context of the application. The root cause of Session Fixation is when an application

does not

7 LINUX SHELLS USING BUILT-IN TOOLS Commands are entered into one the of the attackers listeners and feedback is received on the other. #6. RCE shell: On this one I'm cheating a little bit. This applies to Remote Command Execution vulnerabilities only. Rather than manually enter commands into a proxy or browser url, I wrote small python script which gives you the feel

of a shell

*

*

*

*

*

*

*

*

* Projects |

* Archive |

* Categories |

* Company |

* Training |

* Testimonials |

* About

LANMASTER53.COM

------------------------- DYNAMIC DISCOVERY OF MASS ASSIGNMENT VULNERABILITIES FRIDAY, JUNE 14, 2019 I love teaching for a lot of reasons. One of the reasons is because I learn so much when I teach. Sounds weird doesn't it? Why would the person teaching be learning? Well, It's probably not what you think. Some of what I learn comes directly from the students, but a lot comes from debugging issues on the fly and some dumb-luck discovery when someone in the class accidentally clicks somewhere or mistypes something. Recently I was teaching a class, and a combination of these led to a pretty neat discovery that I want to share with the

community. ... more

------------------------- A DECADE OF TRAINING FRIDAY, FEBRUARY 22, 2019 Training has been a significant part of my professional life since 2009. I've never written about my training pursuits, so as I march into my tenth year of training, fifth year of Practical Web Application Penetration Testing (PWAPT), and the first year of Practical Burp Suite Pro: Advanced Tactics (PBAT), I'd like to share a little about where I've been, where I'm at, and where I'm going, while specifically addressing my various courses. ... more ------------------------- GET OFF YOUR BUTT AND TEACH YOUR KIDS TO CODE SATURDAY, DECEMBER 8, 2018 If you're my age (born in the early 1980s) and know how to code, then it has likely been a differentiator for you in your career. I can't think of a single thing I've done professionally where my ability to understand programming concepts and write code has not benefited me in some way. However, coding is fast becoming a more common skill set amongst the younger generations. Teaching our kids to code is now more of a necessity and less of a luxury. ... more -------------------------

XSS ACTIVE DEFENSE

MONDAY, JUNE 18, 2018 While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the research into new reporting techniques and agents. ... more ------------------------- SQLI EXPLOITER: EXPLOITING COMPLEX SQL INJECTIONS THURSDAY, MAY 24, 2018 Raise your hand if you've ever had sqlmap fail to find or exploit a vulnerability you knew to exist? I imagine there's a lot of folks with their hands up right now. Okay, put your hands down. ... more ------------------------- REPORT SPAM. GET OWNED. THURSDAY, MARCH 15, 2018 So, a couple weeks ago Matt Svensson (@TechNerdings ) dropped me a DM in Twitter: > Random other thing that I am curious if you guys have seen anything > on... I just got an email from the local eye clinic. I hit the > "spam" button on Gmail to report spam and unsubscribe. What I didn't > realize is that it actually opens the unsubscribe link in the > browser. Good news, easy unsubscribe. Maybe.....if you properly > craft the spam...you could use the unsubscribe button to open a > malicious web page? Um... yeah! I immediately thought of how great a CSRF-via-email attack vector this was. Think about it. Users are trained not to click links, but in the case of Gmail, they're taught to click the handy-dandy "Report Spam" button to report it to the spam filter. But wait a second. The handy-dandy "Report Spam" button will go the extra step and unsubscribe the user from future attacks as well if the user so desires... and they do. ... more ------------------------- COOLING DOWN THE HOTTEST TICKET IN TOWN SATURDAY, AUGUST 26, 2017 We had an interesting conversation on the Proverbs Hackers mailing list today about getting tickets for popular conferences that have limited ticket sales. Security conferences most often thought of in this category are DerbyCon and ShmooCon. For anyone that has tried to get tickets to one of these conferences in the traditional fashion, you know the struggle is real. The conversation got me thinking about ways you can acquire a ticket that you may not realize are available. Below is the result of that thought exercise. ... more -------------------------

© 2020 Tim Tomes