During the course of our assessments, we sometimes come across a vulnerability that allows us to carry out XML eXternal Entity (XXE) Injection attacks. XXE Injection is a type of attack against an application that parses XML input. Although this is a relatively esoteric vulnerability compared to other web application attack vectors, like Cross-Site Request...Read More

In June I spent a little time in the web administrative interface of a Polycom VVX600 IP phone running UC Software Version 5.1.3.1675. As I proxied the traffic through BurpSuite, I immediately noticed something interesting in the requests that the interface uses to display phone background images and ring tones to web users. The requests...Read More

It’s not uncommon for us to identify SQL injection (SQLi) vulnerabilities during network penetration tests or targeted web application security assessments although it sure seems to be getting less frequent. I hate using the term “SQLi Vulnerability” because SQLi is an attack, not a vulnerability. Whatevs though, the term is commonly used both ways in...Read More

While performing an internal security assessment for a client, I discovered an OS command injection vulnerability in an Infoblox NetMRI appliance. This was totally by accident, just going about our regular testing of web applications. I stumbled across the following page and used a proxy to submit values to the “Username” and “Password” fields of...Read More

When I had my last house built, I wired it for a CCTV camera system. I ran siamese rg58 coaxial cable (the type with a separate pair for low voltage power) from a central location to all my camera locations since it’s a pain to do once a house is built. I bought a cheap...Read More

So you have a meterpreter session on some Windows machine remotely or internally. One of the first things a lot of folks will do is escalate to SYSTEM (getsystem or post/windows/escalate/getsystem in meterpreter) and dump the server’s password hashes (hashdump or post/windows/gather/hashdump). The logical thing to do next is to begin cracking the hashes for later use. There...Read More

Fierce is a simple but very useful DNS reconnaissance tool written by Robert Hansen (RSnake) that I use on virtually every pentest, vuln assessment, or application security assessment I’m involved in. There’s nothing fancy or super-technical about this tool; it’s just useful and deserves some mention. It combines the functionality of a handful of recon tools into one....Read More

The Daily Mail has a short article about how the recent compromise of 200,000+ Citigroup accounts occurred. Of course there is not much technical detail but the vulnerability and exploit are pretty obvious if what the article says is correct: “They simply logged on to the part of the group’s site reserved for credit card customers – and substituted their...Read More

Expose unnecessary ports via NAT and firewall rules to your DMZ. I’m talking SSH, telnet, HTTP/S, SNMP, MS-SQL, MySQL, YourSQL, NetBIOS…. everything. If you’re really serious about getting compromised, NAT public addresses to your internal Active Directory servers and database.If you don’t have a firewall or a DMZ, all the better. Make sure no effective...Read More

SQL injection used to be a lot easier a few years ago when it was less known, web application security was less mature, and errors were often exposed. It’s very easy to use a variety of methods to cause errors to display database names, table names, column names, and even row values… when errors are...Read More