Web Application Hacking – WindowsTechs.com

“I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies

Posted on May 16, 2018 by mandatory

Remediation TL;DR If you’re a concerned Signal user please update to the latest version of Signal Desktop (fixed in version v1.11.0) which addresses all of these issues. Note that the mobile apps for Signal were not affected by this issue. Backgr… Continue reading “I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies→

The Journey to Hijacking a Country’s TLD – The Hidden Risks of Domain Extensions

Posted on June 4, 2017 by mandatory

I will liken him to a wise man, who built his house on a rock. The rain came down, the floods came, and the winds blew, and beat on that house; and it didn’t fall, for it was founded on the rock. Everyone who hears these words of mine, and doesn’t do them will be… Read More Continue reading The Journey to Hijacking a Country’s TLD – The Hidden Risks of Domain Extensions→

The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean

Posted on December 5, 2016 by mandatory

Recently, I found that Digital Ocean suffered from a security vulnerability in their domain import system which allowed for the takeover of 20K domain names. If you haven’t given that post a read I recommend doing so before going through this write up. Originally I had assumed that this issue was specific to Digital Ocean… Read More Continue reading The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean→

Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter

Posted on August 31, 2016 by mandatory

This is a continuation of a series of blog posts which will cover blind cross-site scripting (XSS) and its impact on the internal systems which suffer from it. Previously, we’ve shown that data entered into one part of a website, such as the account information panel, can lead to XSS on internal account-management panels. This… Read More Continue reading Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter→

Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection

Posted on July 25, 2016 by mandatory

I recently decided to investigate the security of various certificate authority’s online certificate issuing systems. These online issuers allow certificate authorities to verify that someone owns a specific domain, such as thehackerblog.com and get a signed certificate so they can enable SSL/TLS on their domain. Each online certificate issuing system has their own process for… Read More Continue reading Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection→

The International Incident – Gaining Control of a .int Domain Name With DNS Trickery

Posted on July 10, 2016 by mandatory

The .int or international TLD is perhaps one of the most exclusive extensions available on the Internet. The number of domains on the extension is so small it has it’s own Wikipedia page. Introduced around 27 years ago its primary purpose has been for international treaty organizations. The requirements for a .int domain are listed… Read More Continue reading The International Incident – Gaining Control of a .int Domain Name With DNS Trickery→

XSS Hunter is Now Open Source – Here’s How to Set It Up!

Posted on May 30, 2016 by mandatory

Recently I opened up XSS Hunter for public registration, this was after publishing a post on how I used XSS Hunter to hack GoDaddy via blind XSS and pointed out that many penetration testers use a very limited alert box-based pentesting methodology which will not detect these types of issues. After cleaning up the source… Read More Continue reading XSS Hunter is Now Open Source – Here’s How to Set It Up!→

Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS

Posted on May 8, 2016 by mandatory

This is the first part of a series of stories of compromising companies via blind cross-site scripting. As companies fix the issues and allow me to disclose them, I will post them here. Blind cross-site scripting (XSS) is an often-missed class of XSS which occurs when an XSS payload fires in a browser other than… Read More Continue reading Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS→

XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS)

Posted on March 22, 2016 by mandatory

Cross-site Scripting (XSS) origins go (arguably) back to a lab in Microsoft in 1999. With the first disclosure of the issue titled “Malicious HTML Tags Embedded in Client Web Requests“, this research sparked an entire generation of an attack that somehow still seems to persist in modern web applications today. Despite this vulnerability being well-known… Read More Continue reading XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS)→

[Cross-Post] Fishing the AWS IP Pool for Dangling Domains

Posted on October 8, 2015 by mandatory

Hey guys, If you’ve ever pointed your DNS to an EC2 instance or other Amazon service, you might wanna read this piece of research I did while work at Bishop Fox that shows how attackers can take over your domains by drawing from Amazon’s IP pool: http://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains/… Read More Continue reading [Cross-Post] Fishing the AWS IP Pool for Dangling Domains→