Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing
  • Tools and techniques

Testing .NET MVC For JSON Request XSS - POST2JSON Burp Extension

During a recent application penetration test on behalf of a client, one of the security vulnerabilities discovered was a stored cross-site scripting vector, delivered via a JSON request to a MVC3 controller. The malicious data (in this case a simple script tag proof-of-concept) was written to the database and subsequently echoed back to the user when viewing a number of pages within the application. This is how we wrote Burp plugin to bypass the XSS safety nets in the .NET framework...

Read more
  • Research
  • Tools and techniques

Shared Dictionary Compression Over HTTP (SDCH) - Bypassing Your Filtering Devices

Following Cyberis’ recent articles on bypassing perimeter filtering devices (e.g. proxies, IDS and next-generation firewalls) by manipulating HTTP response headers, we’ve taken a closer look at some more obscure Content-Encoding mechanisms. This article discusses Shared Dictionary Compression over HTTP (SDCH), and the implications for perimeter security controls designed to protect your network from unwanted content.

Read more
  • Tools and techniques

Update To ResponseCoder

Our HTTP Response manipulation tool - ResponseCoder - has been updated to allow manipulation of the HTTP version. Grab an updated copy.

Read more
  • Tools and techniques

ResponseCoder - Manipulation Of HTTP Response Headers

ResponseCoder is designed to allow you to easily manipulate HTTP response headers - specifically to identify weaknesses in perimeter filtering appliances such as web proxies and next generation firewalls. It’s an open source PHP script that formulates HTTP response headers on-the-fly, allowing the operator to form specific test cases as necessary.

Read more
  • Penetration testing
  • Tools and techniques

Finding Hidden Vhosts

During a recent test we observed a number of web servers that had a number vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server. Here's how we found them...

Read more
  • Tools and techniques

Loading UDF Files On MySQL 5

Command execution via SQL injection is rarely possible on MySQL 5, as specifying the path to a shared library is not permitted due to security concerns - in other words it is not possible to create a UDF allowing you to run shell commands. Normally, if you can write to the default plugins location (/usr/lib/mysql/plugin), you already have root privileges and it's already game over. With MySQL 4 you could specify the full path to a shared library, so the install of a dangerous function was relatively straightforward. Before giving up altogether however, check to see if you can write to the defined plugin_dir directory...

Read more
  • Tools and techniques

'Expect' Scripts To Perform Build Reviews Of Linux/Unix Hosts

A host implementation review, more commonly known as a build review, can provide systems administrators with a comprehensive picture of the security of their build. Typically, a review allows the client to gain assurance of internal build standards and also meet external compliance requirements by assessing the following areas...

Read more
  • Tools and techniques

Adding A Pinch Of Salt

Following the recent LinkedIn breach, the company has stated that their current production database contains salted passwords. Obviously this was not the case at the time of the breach (SHA1, unsalted), so a salt value must have been added to improve security. But how can you add a salt value to a password hash, if you don't know the password?

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.