Protection

Embedded Ajax Brute-Force Tool

There are a few cases when preparing a PoC for brute-force attack on the login page can be complicated. It is no longer uncommon to find a login form based on web sockets, or which implements some sort of client-side encryption with JavaScript. In these cases, configuring a brute-attack quickly with a middle proxy (e.g. Burp’s Intruder) is not possible. It also happens that clients request for the penetration testings to be conducted on a specific machine, without access to common attacking tools.

For these reasons, I wrote a very minimalistic brute-force tool that runs inside the browser (the source code, following this post, has to be copy-pasted into browser’s JavaScript console).

Read more

MainMenu

Advanced Packet Editor – TCP/HTTP Client-Server Proxy

The Advanced Packet Editor (APE) is an open-source project for a TCP and HTTP-based proxy that allows you to intercept and manipulate communication between clients and servers.

We at AppSec Labs have taken the project, modified and improved it into a useful tool for application penetration testing.

This tool is under the GPL license (for more information: http://www.gnu.org/licenses/gpl-3.0.en.html)
Read more

Screenshot_4

Case study – Open Redirect

Most of us are familiar with the ‘Open Redirect’ vulnerability; an OWASP top 10 vulnerability that takes advantage of a situation in which the application receives a parameter from the client and uses it to build the URL location to which the user is redirected, without performing sufficient validation on the received input.

Typically, attackers can exploit vulnerable applications in order to perform phishing attacks, redirecting the victims to phishing sites that look exactly (or partially) like the vulnerable application. The victims tend to believe they are still in the original website, and provide their credentials in order to perform the required login. Unfortunately, these credentials are sent directly to the attacker.

A Classic Open Redirect Scenario

The following image demonstrates a vulnerable website (victim-site.com), which is vulnerable to the common open redirect scenario; a login page that will redirect the user to the page specified in the ‘returnURL’ parameter after successful login (the rectangle outlines the URL of the index page):

Read more

adb_shell

Android Emulator Tricks

When performing security (or regular) tests on Android applications, we sometimes need to emulate or fake mobile data or actions; making/receiving calls, sending SMS or setting the exact geo-location are some commands that can be done, using the Emulator Console.  Here are a few tricks that will help you through Android application testing using the emulator:

· First, connect to the emu, using telnet:

telnet localhost 5554

· To change geo-locations:

geo fix <longtitude value> <latitude value>

· To make a phone call to the emulator:

gsm call <callerPhoneNumber>

· To send an sms to the emulator:

sms send <senderePhoneNumber> <textMessage>

· To scale the emulator window:

window scale <value from 0 to 1>

· To take a screenshot:

screencap -p  </path/to/filename.png>

· To create input events (event codes list):

input keyevent  <event_code>

Monkey

The Monkey is a command-line tool that runs on the emulator instance or on a device. When the Monkey runs, it generates pseudo-random events and sends them to the system.

Read more

headers-security-headers

Improve your Web App’s security with HTTP Headers

Over recent years, new security standards have been set by the W3C, and implemented by browser vendors. The idea was to create a set of HTTP headers that developers could use in order to add a browser-based layer of security for their web applications.

Indeed, many security problems can (or should) be remediated on the client side (e.g. Same Origin Policy), and by improving the security of the platforms it was clear that the overall security level of web applications would increase, with little regard to the actual server-side implementation.

Let’s present a quick overview of these HTTP headers:

X-XSS-Protection

Description: Enables a Cross-Site Scripting (XSS) filter in the browser that blocks the malicious reflected XSS code.

Setting: X-XSS-Protection: 1; mode=block

Supported Browsers: IE 8+, Chrome, Safari (WebKit).

Additional Information: https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/

X-Content-Type-Options

Read more

keep-calm-and-start-debugging-8[1]

How to edit Char Sequence objects in net beans

In Net beans 8, during debugging (in my case, smali debugging), you cannot change char sequence variables, they are shown as read-only strings. An example of usage is Android text-elements (EditText) whose value is stored in Obj.mText.mText in a char sequence. The following screenshot, shows a Tree view, but you cannot change the field in table view either.

netbeans1
So, I tried do the same with Net beans 6.8 and I found that it let me edit char-sequence variables. After some research I figured out that in order to enable editing of those variables I need to disable the auto formatting. You do this in tools menu -> options and remove the V of Default Char sequence formatter:
 
Read more

abs-hack me

Negative Subtracting – Bypass the Protection

Introduction to negative subtracting
We all know about the negative subtracting issue. For example, if I transfer money to you, it is reduced from my account and added to your account. The code looks something like:

Myaccount.value = myaccount.value – transfer.amount
Youraccount.value = youraccount.value + transfer.amount

Now, what happens if I transfer a negative value to your account? We know that subtracting two negatives give a positive, so if I transfer minus one hundred to you, my account will increase by one hundred and your account will be reduced by one hundred.

Another example is an online roulette game. The house always wins eventually, because the chances are against the player. But we can turn it simply by betting a negative value. Now, each time we lose, we lose a negative value which means that we actually win…

Up until here it is clear and simple and I hope that everyone knows it.

 

Example of (in)secure code
I recently came across a code that looked secure at first impression, but only upon second glance I understood that it is not secure at all. Let me start by showing you the code (C language), I modified it to become like a hacme game…:
 
Read more

injection

Formula injection

About Formula Injection

Almost every website today provides social, financial or informative detail to the internet users. Websites that contain sensitive data about users, such as banks, social networks and online stores, restrict the access to private data by using access-control measures such as authentication, authorization encryption mechanisms and more.
However, hackers are still able to find their way to the “prize” with very clever attacking techniques, as their primary target is usually the sensitive data behind the application.

 
In the following post we will review an unusual injection type, with a great potential to cause some SERIOUS DAMAGE if initiated. Well… how can it be initiated? It depends, primarily on the web application programmers, BUT also on the user himself.

 
Let’s start by saying that every application uses untrusted data.

Since the application is intended to be used by the public – we don’t know whether the user is a legitimate one, or a hacker trying numerous types of attacks in order to hijack user sessions, credentials and/or sensitive data such as credit card numbers.
 
Read more

google-io-weave-700x500

IOT – Compiling Brillo Easily

Google published the first version of Brillo, and as IoT researchers, the first thing that we want to do is to quickly compile and run it in order to get a feel for it, investigate it and learn as much as possible about the system…
 

At the beginning of our work we made some assumptions, which we found to have been correct:

  1. Instead of installing a new environment, it will be easier to install it on our AppUse VM which already has a lot of stuff on it.
  2. Google probably built it similarly to Android (both are Unix-based), so we took the Android compilation guide (links below).

 
Despite these shortcuts, we still came across a lot of trouble… I know for sure that you don’t want to waste your time to find and fix some stupid errors, so let me give you the shortest way to install it in a few steps and one script 🙂
 
Read more

PT Manager – Penetration Test Vulnerabilities Manager, an extension for Burp Suite

Penetration Test Vulnerabilities Manager is an extension for Burp Suite, written in Jython. It was developed by Barak Tawily in order to help application security professionals manage vulnerabilities

Download from Github: https://github.com/Quitten/PT-Manager

alt tag
 
Read more