Category Archives: Application Security Assessment

BITS Persistence for Script Kiddies

Posted on by

Introduction Using and abusing the BITS service is a lot of fun. I can’t believe Windows just gives away this hacker tool for free. But wait, wait, are you telling me that there’s more? Does it come with a free blender? What else can this service do for me? In the last installment, we covered…

The post BITS Persistence for Script Kiddies appeared first on TrustedSec.

Continue reading BITS Persistence for Script Kiddies

Simple Data Exfiltration Through XSS

Posted on by

During a recent engagement, I found a cross-site scripting (XSS) vulnerability in a legal document management application and created a quick and dirty document exfiltration payload. Unfortunately, this discovery and coding happened on the final day of the engagement (*cough* reporting bonus hacking day), and I didn’t have a chance to actually put the exfiltrated…

The post Simple Data Exfiltration Through XSS appeared first on TrustedSec.

Continue reading Simple Data Exfiltration Through XSS

More Options for Response Modification -With ResponseTinker

Posted on by

As the web application footprint migrates client-side, tools to thoroughly analyze and test client behavior are becoming increasingly important. Burp Suite has made some great strides in this direction with their browser-based enhancements to crawling and scanning, but when it comes time to really dig into the particulars for research, we are still very much…

The post More Options for Response Modification -With ResponseTinker appeared first on TrustedSec.

Continue reading More Options for Response Modification -With ResponseTinker

What Spring Data can teach us about API misconfiguration

Posted on by

A security researcher (Joel Noguera @niemand_sec) discovered a ‘critical’ misconfiguration bug in Spring Data’s Application Level Profile Semantics (ALPS). This bug allows unauthenticated users to perform an Application Programming Interface (API) request, which responds with sensitive user data that can be utilized, manipulated, or even deleted. What is ALPS? “ALPS [is] a data format for defining…

The post What Spring Data can teach us about API misconfiguration appeared first on TrustedSec.

Continue reading What Spring Data can teach us about API misconfiguration

An Update On Non-Aggressive Reporting

Posted on by

Reporting is an essential piece of the penetration testing puzzle. It’s the product your client will be reviewing within their organization, representing you and your company to those you may not have worked with directly. With that in mind, it’s important that your product, the report, strikes a balance between professional tone and cold facts….

The post An Update On Non-Aggressive Reporting appeared first on TrustedSec.

Continue reading An Update On Non-Aggressive Reporting

Intro to Web App Security Testing: Logging

Posted on by

A Brief Look at Approaches to Logging and Pitfalls to Avoid TL;DR The Logger++ extension is a great tool for recording requests and responses across all of Burp Suite. However, it is important to ensure enough log entries are retained from the tools you expect and that logs are exported if you want to keep…

The post Intro to Web App Security Testing: Logging appeared first on TrustedSec.

Continue reading Intro to Web App Security Testing: Logging

Setting the ‘Referer’ Header Using JavaScript

Posted on by

Or, “I’m Sorry, You Said You’re from Where Again?” In a prior webinar on creating weaponized Cross-Site Scripting (XSS) payloads, I mentioned that XSS payloads (written in JavaScript) could not change the HTTP Referer header. Malicious requests made through an XSS payload will often have an unexpected Referer header that does not generally make sense…

The post Setting the ‘Referer’ Header Using JavaScript appeared first on TrustedSec.

Continue reading Setting the ‘Referer’ Header Using JavaScript

Azure Account Hijacking using mimikatz’s lsadump::setntlm

Posted on by

Not long ago, I was on an engagement where the client made use of a hybrid Office 365 environment. In their setup, authentication credentials were managed by the on-premises Active Directory (AD) Domain Controller and then synced to Azure AD via Azure AD Connect. We were tasked with gaining access to sensitive customer information. And…

The post Azure Account Hijacking using mimikatz’s lsadump::setntlm appeared first on TrustedSec.

Continue reading Azure Account Hijacking using mimikatz’s lsadump::setntlm

Fuzzing the Front End!

Posted on by

So, who is testing the client-side components of Single Page Applications (SPAs)? What are you doing exactly, dropping a few cross-site scripting (XSS) polyglots into boxes like you used to do with “<ScRiPt>alert(123)</sCrIpT>” for traditional apps back in 2001?  Are you mostly holding out hope that all big problems will be in the back-end APIs?…

The post Fuzzing the Front End! appeared first on TrustedSec.

Continue reading Fuzzing the Front End!

So, You Got Access to a *nix system… Now What?

Posted on by

Note to Reader: For simplicity, I will be referring to all Unix, Linux, and other Unix-like systems simply as *nix, unless a specific distinction needs to be made. As a pentester, you will likely come across a *nix system at some point. If you are like many of the people I have worked with and…

The post So, You Got Access to a *nix system… Now What? appeared first on TrustedSec.

Continue reading So, You Got Access to a *nix system… Now What?