
XSS, SQLi in OpenEMR 4.1.1

A few tests ago, I came across an OpenEMR install with a weak password for a 'Guest' level account. Using the guest access, mixed with some application issues I found along the way, I was able to eventually compromise the...

Custom Native Library Loader for Android

If you read my co-worker Neal Hindocha's recent post "Debugging Android Libraries using IDA" you will notice he mentioned using a "custom library loader". We had used this on a recent mobile penetration test to have complete control over some home...

Debugging Android Libraries using IDA

During a recent test, I encountered a native JNI library used by an Android application. I needed to understand this library and what it did, so the first step was to load the library in IDA to see what it...

CBC-R: It's not just for padding oracles!

This is the short, technical version of a technique that I'll be writing more about in a few days. This blog post is geared towards readers already familiar with current topics in cryptanalysis. In Rizzo and Duong's paper on practical...

TWSL2013-002: Multiple XSS Vulnerabilities in The Bug Genie

Trustwave SpiderLabs has published a new security advisory for multiple Cross-Site Scripting (XSS) vulnerabilities in The Bug Genie, an open source issue tracking and project management PHP application. The findings include both reflective and persistent XSS vulnerabilities in input parameters...

Defending WordPress Logins from Brute Force Attacks

As has been reported by many news outlets, WordPress login pages have been under a heavy brute force...

Jamming With WordPress Sessions

Let's talk about some targeted attacks where session management can be targeted to side step multi-factor authentication. I'll be focusing on WordPress, a popular website content management system, which also just happens to handle "sessions" in a unique way...

Breaking the Authentication Chain

This little post is going to talk about how authentication goes beyond just usernames and passwords. Authentication is something we all do, in fact you probably are authenticated by some system somewhere just with the information in your browser right...

You Injected What? Where?

While harder to detect, there are still some instances of websites exploitable via partially blind SQL injection. For the purposes of this blog we're going to call the website AngryGrrl's Sock Puppets. It sells a variety of sock puppets of...

Easy DOM-based XSS detection via Regexes

If you are interested in finding DOM-based XSS, you must have knowledge of http://code.google.com/p/domxsswiki/wiki/Introduction already. This is the best online resource about DOM-based XSS maintained by my friends Stefano di Paola and Mario Heiderich. The wiki contains a deep explanation...

CryptOMG Walkthrough - Challenge 2

For those of you that missed it last time, CryptOMG is a configurable CTF-style test bed that highlights flaws in cryptographic implementations. The application and installation instructions can be downloaded for free at the SpiderLabs Github. The challenge 1 walkthrough can be found here. The goal for the second challenge is to get the admin password. Unlike the first challenge, which told us there was probably a directory traversal flaw, this does not give us a very clear picture of the type of flaw we will be exploiting. After opening the application, we are presented with a login form and instructions telling us that we can login with guest/guest. Taking a closer look at the URL parameters, we have a "ReturnUrl" parameter with 32 hex characters, in this case 82803ac0ee614d894128649a2eb31f03.