Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing
  • Tools and techniques

Finding Hidden Vhosts

During a recent test we observed a number of web servers that had a number vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server. Here's how we found them...

Read more
  • Tools and techniques

Loading UDF Files On MySQL 5

Command execution via SQL injection is rarely possible on MySQL 5, as specifying the path to a shared library is not permitted due to security concerns - in other words it is not possible to create a UDF allowing you to run shell commands. Normally, if you can write to the default plugins location (/usr/lib/mysql/plugin), you already have root privileges and it's already game over. With MySQL 4 you could specify the full path to a shared library, so the install of a dangerous function was relatively straightforward. Before giving up altogether however, check to see if you can write to the defined plugin_dir directory...

Read more
  • Tools and techniques

'Expect' Scripts To Perform Build Reviews Of Linux/Unix Hosts

A host implementation review, more commonly known as a build review, can provide systems administrators with a comprehensive picture of the security of their build. Typically, a review allows the client to gain assurance of internal build standards and also meet external compliance requirements by assessing the following areas...

Read more
  • Tools and techniques

Adding A Pinch Of Salt

Following the recent LinkedIn breach, the company has stated that their current production database contains salted passwords. Obviously this was not the case at the time of the breach (SHA1, unsalted), so a salt value must have been added to improve security. But how can you add a salt value to a password hash, if you don't know the password?

Read more
  • Research
  • Tools and techniques

Testing Access Controls On Large Web Applications

Testing access controls on web applications can be a difficult task if presented with multiple user roles and a large number of pages. Depending on the application, unauthorised access to a page may result in a client error code (40X), a redirect (30X), a straight 200 with an error message within the page, or possibly even a server-side error (50X). This is how we approach the problem...

Read more
  • Research
  • Tools and techniques

Evading .NET And Browser XSS Protection With Attribute Based XSS

.NET applications offer good protection against basic reflected XSS vectors. Since .NET 1.1, ValidateRequest has been examining client supplied input for "supicious" characters, and throwing a helpful error message if such characters are found within a GET or POST request. These days, an attempt to perform the classic    will likely fail against the majority of .NET applications with the well known "A potentially dangerous Request.Form value was detected from the client..". Does that mean XSS in .NET is dead?

Read more
  • Penetration testing
  • Tools and techniques

Hacking An E-Commerce Site - For Fun Or Profit?

Having testing a number of e-commerce sites in recent times, I wanted to share some of the vulnerabilities encountered, and the reasons why someone would seek to exploit them. Recent high profile hacks in the media have rightly made retailers sit up and take notice of security - whilst PCI DSS attempts to mandate a certain level of assurance, the risk of losing substantial amounts of money and seriously damaging reputation focuses the attention on security more than any overarching standard.

Read more
  • Research
  • Tools and techniques

Harvesting Cross Site Scripting (XSS) Victims - Clicks, Keystrokes And Cookies

A couple of years ago I was inspired by @fmavituna's work on XSS Shell and decided to write a new extended version (XSS-Shell-NG) using a PHP and a MySQL backend rather than the ASP/Access combination of the original. I never released the tool publicly, as my main aim of making XSS Shell easier to use was never really accomplished; it still required a significant amount of set up to get it working. However, one thing that both tools did well once working was to demonstrate the real business impact of cross-site scripting.

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.

Contact us About Cyberis