usefulfor.com/security security dojo

26 Oct 2009

Java Bytecode Injection

When assessing the security posture of a Java thick-client application we can usually run the code through a decompiler (such as Jad) and have a proper look at it. Occasionally we also need to bypass the SSL checks, but that is usually all it takes.

However, every now and then we stumble upon more complex scenarios, for instance an application whose code has been obfuscated in a way that causes decompilation errors. In that case it is no longer enough to decompile, modify the code and compile it again; we need some other technique. Patching the .class file at the bytecode level sounds like a reasonable approach.

23 Jun 2009

Bypassing Java thick client SSL checks

x509 certificate generation

Generate the private key and a self-signed certificate using OpenSSL:

$ openssl genrsa 1024 > foo.key
$ openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
$ openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"

You will need the .p12 file (which contains both the key and the certificate) to configure Burp, and the .crt file to add to the Java keystore used by the client. Check Burp's help page for instructions on how to get the first step done.

Create a Java keystore, import the certificate

Straightforward enough (just remember the password you entered):

keytool.exe -import -file foo.crt -keystore usefulfor.jks -alias burpcert

Run the application and point it to your keystore

java \
  -Djavax.net.ssl.trustStore=usefulfor.jks \
  -Djavax.net.ssl.trustStorePassword=password \
  -Djavax.net.debug=all  \
  com.usefulfor.Demo

Other interesting properties that you may need in order to further tweak the SSL configuration are javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword.


4 Aug 2008

SSID Script Injection

The administrative web interfaces for many wireless access points (APs) provide users with ‘Neighbourhood Wireless Scan’ functionality. This functionality scans for all accessible APs and displays the details of any APs which are identified. However, examination of these administrative interfaces revealed that a large number of them do not properly sanitise the parameters that are passed to them from any accessible APs.

An attacker could set up a fake AP with a malicious payload in the Service Set Identifier (SSID). The malicious SSID would be displayed in the ‘Neighbour’s Access Points Table’ page of the administrative interface and would be executed when an administrator scanned for APs.

4 Aug 2008

DHCP Script Injection

A number of administrative applications are available which allow users to manage a network DHCP server via a web interface. This allows administrators to set up configuration options and view active DHCP leases.

It was found that a large number of these administrative web applications did not properly sanitise parameters that were passed to them from the DHCP server, and therefore indirectly from an attacker. In particular, a specially crafted DHCPREQUEST message containing malicious JavaScript or HTML code in the DHCP Options Hostname field could be sent to the DHCP server; the malicious code would then be displayed in the DHCP active leases page of the vulnerable administrative application and would be executed when an administrator visited the page.

9 Jul 2008

middleware and me (part 2)

hack-fu by: rux0r

In the last article (middleware and me (part 1)) we looked at the concept of middleware security and why it is often a neglected area. In this article we move on to look in detail at the security features that can be employed to protect this type of software. For the purposes of these discussions we are going to be focussing on the IBM WebSphere MQ product; hopefully in the future I will be able to contrast these discussions against the security controls employed by a number of other messaging technologies.

24 Jun 2008

Grabbing LM challenges with an ettercap filter

hack-fu by: bob

So... this is an amalgamation of several ideas and bits of work I've found floating around that I put together. The result is a handy pentesting/pwnage technique. The blog post that kicked this idea off discusses a modified Metasploit exploit module called smb_server.pm by Kurt Grutzmacher: NTLMv1, Metasploit and You. Around the same time I'd been playing with some ettercap filters, based on the work at Irongeek: Fun with Ettercap Filters. These two sparked something and gave me a use for those huge LMHALFCHALLENGE rainbow tables I'd downloaded.


6 May 2008

middleware and me (part 1)

hack-fu by: rux0r

This post is the first in a series on the subject of enterprise messaging and in particular on IBM's flavour of it. The objective of these posts will be to remove some of the confusion about its purpose, the technologies and the methods of securing it. Hopefully this will help both security testers and other interested parties to feel confident about this important area of IT security.

22 Feb 2008

security quiz: input validation bypass

From The Web Application Hacker's Handbook, a quick quiz:

An input validation mechanism designed to block cross-site scripting attacks performs the following sequence of steps on an item of input:

1.- strip any <script> expressions that appear
2.- truncate the input to 50 characters
3.- remove any quotation marks within the input
4.- url-decode the input
5.- if any items were deleted, return to step 1

how would you bypass it?


27 Sep 2007

Sidebar Gadgets Attacks

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript. They can be very flexible in design and function.

Gadgets are easy to install and use, and can be easily developed by any Vista user. They can enhance efficiency; they can be fun and can look good on a desktop. Windows Vista includes various gadgets by default, such as a calendar, calculator and currency converter. In addition, a large number of organisations offer gadgets for download and use, such as London Underground, Amazon, eBay, etc.

Gadgets can be perceived by users as fun and harmless, but their characteristics make them a potential risk for Vista users. They run with the permissions of the logged-on user and operate outside of IE's Protected Mode. Additionally, gadgets will usually communicate with a remote server to obtain information, and a rich gadget API containing some potentially dangerous methods is available to them.

At the present time there are two main classes of gadget attacks:
