Cyberis Blog

Reassuringly clear thinking.

  • Detect and respond
  • Research

Microsoft Exchange Client Access Server Information Disclosure

If you manage Microsoft Exchange and OWA in your environment and you are undergoing an external penetration test or Cyber Essentials assessment, you will often be faced with the Client Access Server Information Disclosure vulnerability identified by Nessus (https://www.tenable.com/plugins/nessus/77026) or other vulnerability scanners. Until recently, this vulnerability went unaddressed by Microsoft for versions of IIS after 6.0 and before 10.0. The majority of advice provided by online resources suggests applying the latest patches, but as patches don't exist for version 7.0 to 8.5, this isn't an option.

Read more
  • Research

The True Impact Of A Cyber Breach On Share Price

With media coverage of security breaches becoming more commonplace, the business world is beginning to realise that it is less a matter of ‘if’ there is a breach and more a matter of ‘when’. Whilst there is often extensive coverage of the cost to the affected company of a data breach, rarely is the impact on the company’s value examined. We  looked at four recent data breaches and examined the impact on share prices for the companies involved, both short and medium term, to  see if the value of the company is indeed affected.

Read more
  • Research

Vulnerabilities That Just Won't Die - Compression Bombs

Recently Cyberis has reviewed a number of next-generation firewalls and content inspection devices - a subset of the test cases we formed related to compression bombs - specifically delivered over HTTP. The research prompted us to take another look at how modern browsers handle such content given that the vulnerability (or perhaps more accurately, ‘common weakness’ - http://cwe.mitre.org/data/definitions/409.html) has been reported and well known for over ten years. The results surprised us - in short, the majority of web browsers are still vulnerable to compression bombs leading to various denial-of-service conditions, including in some cases, full exhaustion of all available disk space with no user input.

Read more
  • Research
  • Tools and techniques

Shared Dictionary Compression Over HTTP (SDCH) - Bypassing Your Filtering Devices

Following Cyberis’ recent articles on bypassing perimeter filtering devices (e.g. proxies, IDS and next-generation firewalls) by manipulating HTTP response headers, we’ve taken a closer look at some more obscure Content-Encoding mechanisms. This article discusses Shared Dictionary Compression over HTTP (SDCH), and the implications for perimeter security controls designed to protect your network from unwanted content.

Read more
  • Research
  • Tools and techniques

Testing Access Controls On Large Web Applications

Testing access controls on web applications can be a difficult task if presented with multiple user roles and a large number of pages. Depending on the application, unauthorised access to a page may result in a client error code (40X), a redirect (30X), a straight 200 with an error message within the page, or possibly even a server-side error (50X). This is how we approach the problem...

Read more
  • Research
  • Tools and techniques

Evading .NET And Browser XSS Protection With Attribute Based XSS

.NET applications offer good protection against basic reflected XSS vectors. Since .NET 1.1, ValidateRequest has been examining client supplied input for "supicious" characters, and throwing a helpful error message if such characters are found within a GET or POST request. These days, an attempt to perform the classic  alert(1)  will likely fail against the majority of .NET applications with the well known "A potentially dangerous Request.Form value was detected from the client..". Does that mean XSS in .NET is dead?

Read more
  • Research
  • Tools and techniques

Harvesting Cross Site Scripting (XSS) Victims - Clicks, Keystrokes And Cookies

A couple of years ago I was inspired by @fmavituna's work on XSS Shell and decided to write a new extended version (XSS-Shell-NG) using a PHP and a MySQL backend rather than the ASP/Access combination of the original. I never released the tool publicly, as my main aim of making XSS Shell easier to use was never really accomplished; it still required a significant amount of set up to get it working. However, one thing that both tools did well once working was to demonstrate the real business impact of cross-site scripting.

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.

Contact us About Cyberis