Security

User input must be sanitized!

Weird machines

Unrelated for now, but there is an Android vulnerability, CVE-2017-13156, where the way the system parses an APK or a DEX allows the signature check to be bypassed.

Pentesting

There are several phases

  1. recon
  2. scan
  3. gain access
  4. maintain access
  5. cover tracks

  • https://github.com/coreb1t/awesome-pentest-cheat-sheets
  • https://github.com/nixawk/pentest-wiki
  • Kali Linux Revealed PDF
  • OWASP-Testing-Checklist

Bruteforce

In some cases it's important to make the space containing certain variables big enough to not be guessed in human time.

The most used tool is John the Ripper: on a Linux system it is possible to edit src/Makefile and compile it with

$ make -C src -f Makefile linux-x86-64-native

One usage is to generate a mangled list of words starting from a pristine one with the following command:

$ ./run/john --wordlist=wordlist.txt --stdout --rules > expanded-word-list.txt

With no options, john will start in "single" mode first, then move on to "wordlist" mode, and finally to "incremental" mode.

$ john --incremental=Digits --stdout
1952
12345
123456
0065663

  • http://www.lanmaster53.com/2011/02/creating-complex-password-lists-with-john-the-ripper/
  • http://backreference.org/2009/10/26/password-recovery-with-john-the-ripper/

Obviously you need a good wordlist!

Privilege escalation

Custom code execution

See also shellcode.

  • Understanding the fundamentals of attacks: What is happening when someone writes an exploit? Awesome slides by Halvar Flake & Thomas Dullien trying to formalize exploits
  • https://gbmaster.wordpress.com/2015/06/28/x86-exploitation-101-house-of-force-jedi-overflow/
  • http://0x90909090.blogspot.it/2015/07/no-one-expect-command-execution.html
  • GHOST vulnerability report
  • commix: Automated All-in-One OS Command Injection and Exploitation Tool
  • How To Heap: A repository for learning various heap exploitation techniques.
  • Pure In-Memory (Shell)Code Injection In Linux Userland

Format String

Remember that using too big a string to exploit this vulnerability can overwrite sensitive data: keep the string as short as possible.

LFI/RFI

HTTP parameters pollution

HPP attacks can be defined as the feasibility of overriding or adding HTTP GET/POST parameters by injecting query string delimiters. HTML entities are out of context here.

Session Fixation

  • http://shiflett.org/articles/session-fixation

SSRF

CSRF

SQLI

XPath injection

Serialization

Side channel

Type juggling

This is possible in languages that automatically cast between different types when operators are used, particularly when more than one equality operator is present (== and ===).

In PHP this is more dangerous when a conversion from JSON is done.
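The same class of bug in JavaScript, as an added example that is not part of the original notes: loose equality (==) coerces the operands, and JSON.parse() lets the client pick the type of every value, so a check that looks exact can be passed with the wrong type. The function and variable names are assumptions made for the demo.

```javascript
// Added example (not from the original notes): type juggling in JavaScript.
// Like PHP, JavaScript's loose equality (==) converts operands of different
// types before comparing them, and JSON.parse() hands the caller whatever type
// the client chose (number, boolean, array...), so "code == expected" is not
// the exact comparison it appears to be. Names below are assumptions.

// Vulnerable: loose equality coerces the submitted value before comparing.
function checkCodeLoose(body, expected) {
  const submitted = JSON.parse(body).code;
  return submitted == expected;
}

// Hardened: reject anything that is not a string, then compare strictly.
function checkCodeStrict(body, expected) {
  const submitted = JSON.parse(body).code;
  if (typeof submitted !== "string") return false;
  return submitted === expected;
}

// Constructed inputs: every one passes the loose check without containing the
// expected string, purely because of how == converts between types.
const cases = [
  { expected: "1e3", body: '{"code": 1000}' },  // "1e3" -> Number -> 1000
  { expected: "0",   body: '{"code": false}' }, // false -> 0, "0" -> 0
  { expected: "1",   body: '{"code": true}' },  // true -> 1, "1" -> 1
  { expected: "",    body: '{"code": 0}' },     // "" -> 0
  { expected: "",    body: '{"code": []}' },    // [] -> "" (ToPrimitive)
];

// Count the cases that the loose check accepts and the strict check rejects.
function juggledCases() {
  return cases.filter(
    (c) => checkCodeLoose(c.body, c.expected) &&
           !checkCodeStrict(c.body, c.expected)
  ).length;
}
```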

Advanced protection mechanism bypass

Cloud

Hardware

Tools

  • https://code.google.com/p/skipfish/
  • Damn Vulnerable Web App site
  • security headers: check headers of your site
  • DNSteal: stealthily extract files from a victim machine through DNS requests
  • pwntools CTF framework and exploit development library

Fuzzing

Phishing

DNS Rebinding

  • https://lock.cmpxchg8b.com/rebinder.html
  • https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=2