Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing
  • Tools and techniques

Creating Macros For Burp Suite

There are many tools available for automated testing of web applications. One of the best known is probably sqlmap. Sqlmap allows you to identify and exploit SQL injection vulnerabilities with ease from the command line. However, controls such as CSRF tokens or simple anti-automation techniques such as including a unique hidden value within the form can prevent automated tools from working correctly. Macros in Burp Suite are a great way to bypass these measures in order to carry out automated testing, although they can be complicated to implement.

Read more
  • Penetration testing
  • Tools and techniques

Obtaining NTDS.Dit Using In-Built Windows Commands

Using the same underlying technique (Volume Shadow Service), there is an in-built command (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.

Read more
  • Tools and techniques

Egresser - Tool To Enumerate Outbound Firewall Rules

Egresser is a tool to enumerate outbound firewall rules, designed for penetration testers to assess whether egress filtering is adequate from within a corporate network. Probing each TCP port in turn, the Egresser server will respond with the client’s source IP address and port, allowing the client to determine whether or not the outbound port is permitted (both on IPv4 and IPv6) and to assess whether NAT traversal is likely to be taking place.

Read more
  • Penetration testing
  • Tools and techniques

Testing .NET MVC For JSON Request XSS - POST2JSON Burp Extension

During a recent application penetration test on behalf of a client, one of the security vulnerabilities discovered was a stored cross-site scripting vector, delivered via a JSON request to a MVC3 controller. The malicious data (in this case a simple script tag proof-of-concept) was written to the database and subsequently echoed back to the user when viewing a number of pages within the application. This is how we wrote Burp plugin to bypass the XSS safety nets in the .NET framework...

Read more
  • Research
  • Tools and techniques

Shared Dictionary Compression Over HTTP (SDCH) - Bypassing Your Filtering Devices

Following Cyberis’ recent articles on bypassing perimeter filtering devices (e.g. proxies, IDS and next-generation firewalls) by manipulating HTTP response headers, we’ve taken a closer look at some more obscure Content-Encoding mechanisms. This article discusses Shared Dictionary Compression over HTTP (SDCH), and the implications for perimeter security controls designed to protect your network from unwanted content.

Read more
  • Tools and techniques

Update To ResponseCoder

Our HTTP Response manipulation tool - ResponseCoder - has been updated to allow manipulation of the HTTP version. Grab an updated copy.

Read more
  • Tools and techniques

ResponseCoder - Manipulation Of HTTP Response Headers

ResponseCoder is designed to allow you to easily manipulate HTTP response headers - specifically to identify weaknesses in perimeter filtering appliances such as web proxies and next generation firewalls. It’s an open source PHP script that formulates HTTP response headers on-the-fly, allowing the operator to form specific test cases as necessary.

Read more
  • Penetration testing
  • Tools and techniques

Finding Hidden Vhosts

During a recent test we observed a number of web servers that had a number vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server. Here's how we found them...

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.

Contact us About Cyberis