Collaborate Disseminate
<p>When I first wrote JS-Tap, the goal was to provide red teamers with a generic JavaScript payload that works without prior knowledge of a web application and without an authenticated user running it. Instrument the…</p>
… Continue reading JS-Tap v3: Endpoint Post-Exploitation With JavaScript Implants
<p>Figure 1 – We take our work very seriously. Capturing Hashes with DragonHashChromium-based browsers have an odd feature set that allows extensive drag-and-drop capabilities in the browser. This feature is not only…</p>
… Continue reading Dragging Secrets Out of Chrome: NTLM Hash Leaks via File URLs
<p>OverviewIn web and mobile applications, we’ve been fortunate over the years to have such widespread use of HTTPS by way of TLS. The proliferation of HTTPS is in no small part due to Let’s Encrypt, which provides free…</p>
… Continue reading Application Layer Encryption with Web Crypto API
<p>JS-Tap is a tool intended to help red teams attack web applications. I recently blogged about the data collection capabilities in JS-Tap version 1.0, and data collection is still the primary purpose of JS-Tap. However,…</p>
<p>Defining a Content Security Policy (CSP) for your web application can help harden the application against many common attacks. Mitigating XSS attacks is a significant component of CSP hardening, but CSP can protect…</p>
<p>TL;DR VersionHak5 Pineapples changed their module system in Mark VII’s, breaking module compatibility.ProxyHelper2 is a reimplementation of TrustedSec’s original ProxyHelper module by @_Kc57 that works on modern…</p> Continue reading ProxyHelper2: The Sequel
<p>tl;dr versionYou can trick users into "typing" inputs in a clickjacking attack.YouTube demo: https://www.youtube.com/watch?v=VIEZ1aByFvUPoC GitHub Repo: https://github.com/hoodoer/dragInputClickjackingDetails:I recently…&l… Continue reading Clickjacking: Not Just for the Clicks
<p>How do you use malicious JavaScript to attack an application you know nothing about?Application penetration testers often create custom weaponized JavaScript payloads to demonstrate potential impact to clients.…</p>
Continue reading JS-Tap: Weaponizing JavaScript for Red Teams
In this blog post, I will cover the current state of my research investigating the possibility of using neural networks to hide shellcode. But before we dig in, I will provide a little background information. For those unfamiliar with neural networks, they are a type of computer system design that is inspired by how human…
The post On the possibility of obfuscating code using neural networks appeared first on TrustedSec.
Continue reading On the possibility of obfuscating code using neural networks