Security

User input must be sanitized!

Weird machines

• LANGSEC Language-theoretic Security
• Page about weird machines by halvar flake
• Weird machines, exploitability, and provable unexploitability also slide
• Limiting weird machines Putting boundaries around emergent insecurity
• Exploitation and state machines Programming the “weird machine”, revisited)
• Hacking & Computer Science
• The science of insecurity
• Accidentally Turing-Complete
• Video 2010-07-28 Meredith L. Patterson and Len Sassaman - Black Hat USA 2010 - Exploiting the Forest with Trees
• From Buffer Overflows to “Weird Machines” and Theory of Computation
• On Validating Inputs
• Security, Moore’s law, and the anomaly of cheap complexity
• Proving un-exploitability of parsers
• Maths for Hackers - The Hacker Theorem
• The Good, the Bad, and the Weird
• Data oriented programming
• Secure Code Partitioning With ELF binaries, aka. SCOP
• A Guide to Undefined Behavior in C and C++, Part 1
• Now you C me
• part 1
• part 2
• How to exploit a double free when a system (like ARM) have a "weak" memory model

Unrelated for now but there is an Android's vulnerabilities CVE-2017-13156 where the system parses an APK or a DEX allowing to bypass signature.

Pentesting

There are several phases

1. recon
2. scan
3. gain access
4. maintain access

5. cover tracks

6. https://github.com/coreb1t/awesome-pentest-cheat-sheets

7. https://github.com/nixawk/pentest-wiki
8. Kali Linux Revelead PDF
9. OWASP-Testing-Checklist

Bruteforce

In some cases it's important to make the space containing certain variables big enough to not be guessed in human time.

The most used tool is john the ripper: on a Linux system is possible to edit the src/Makefile and compile it with

$ make -C src  -f Makefile linux-x86-64-native

One usage is toto generate a mangled list of word starting from a pristine one with the following command:

$ ./run/john --wordlist=wordlist.txt --stdout --rules > expanded-word-list.txt

With no options, john will start in "single" mode first, then move on to "wordlist" mode, and finally to "incremental" mode.

$ john --incremental=Digits --stdout
1952
12345
123456
0065663

• http://www.lanmaster53.com/2011/02/creating-complex-password-lists-with-john-the-ripper/
• http://backreference.org/2009/10/26/password-recovery-with-john-the-ripper/

Obviously you need a good wordlist!

• Munging password
• wordsmith
• tasooshi/brutas

Privilege escalation

• Privilege Escalation Cheatsheet
• WINDOWS PRIVILEGE ESCALATION – AN APPROACH FOR PENETRATION TESTERS

Custom code execution

See also shellcode.

• Understanding the fundamentals of attacks What is happening when someone writes an exploit? awesome slides by Halvar Flake & Thomas Dullien trying to formalize exploits
• https://gbmaster.wordpress.com/2015/06/28/x86-exploitation-101-house-of-force-jedi-overflow/
• http://0x90909090.blogspot.it/2015/07/no-one-expect-command-execution.html
• GHOST vulnerability report
• commix: Automated All-in-One OS Command Injection and Exploitation Tool
• How To Heap: A repository for learning various heap exploitation techniques.
• Pure In-Memory (Shell)Code Injection In Linux Userland
• How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit
• Ret2dl_resolve x64: Exploiting Dynamic Linking Procedure In x64 ELF Binaries

Format String

Remember that using a too big string to exploit this vulnerability can overwrite sensible stuff, use a string as little as possible.

• Exploiting Format String Vulnerabilities
• Advances in format string exploitation 0x0b, Issue 0x3b, Phile #0x07 of 0x12
• Howto remotely and automatically exploit a format bug
• libformatstr Simplify format string exploitation.
• 0CTF 2017 Quals: EasiestPrintf exploiting __free_hook using printf

XPath injection

• Slides
• Slides

Serialization

• DISGUISE PHAR PACKAGES AS IMAGES also slide from US BlackHat 2018

Side channel

• Spectre Side Channels: Linux kernel cpu side channels guide.
• http://johoe.mooo.com/trezor-power-analysis/
• Side-channel attacks on high-security electronic safe locks
• Exploiting Timed Based RCE
• commix Automated All-in-One OS command injection and exploitation tool.
• BranchScope: A New Side-Channel Attack on Directional Branch Predictor
• Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
• Ghostbuster: Spectre exploitation in real life
• transient.fail
• cpu.fail
• Two methods for exploiting speculative control flow hijacks slide by Andrea Mambretti
• Presentation about retpoline
• The BTB in contemporary Intel chips

You can check the vulnerability of your processor from /sys/devices/system/cpu/vulnerabilities/.

Type juggling

This is possible in language that casts automatically different types when operators are used, particularly when are present more than one equal operator (== and ===).

In PHP this is more dangerous when a conversion from JSON is done.

• Php type juggling slides

Advanced protection mechanism bypass

• ASLR Smack & Laugh Reference
• Bypassing non-executable-stack during exploitation using return-to-libc
• The advanced return-into-lib(c) exploits: PaX case study
• PAYLOAD ALREADY INSIDE: DATA REUSE FOR ROP EXPLOITS
• Linux ASLR and GNU Libc: Address space layout computing and defence, and “stack canary” protection bypass
• New bypass and protection techniques for ASLR on Linux
• Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary

Cloud

• https://nvisium.com/documents/aws.pdf
• Hardening AWS Environments and Automating Incident Response

Hardware

• Secure Systems and Pwning Popular Platforms
• Documentation about ARM Morello

Tools

• https://code.google.com/p/skipfish/
• Damn Vulnerable Web App site
• security headers: check headers of your site
• DNSteal: stealthily extract files from a victim machine through DNS requests
• pwntools CTF framework and exploit development library

Fuzzing

• Hunting For Bugs With AFL 101 - A PRIMER

Phishing

• Spam and phishing in 2016

DNS Rebinding

• https://lock.cmpxchg8b.com/rebinder.html
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=2

Links

• online courses
• Exploit Development
• ssh security
• preg_replace()
• Modern Binary Exploitation
• CSAW Quals 2016 Pwn 500 - Mom's Spaghetti
• CFT Time
• Rise of the machine PDF
• Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads
• Don't use VPN services
• Facebook’s ImageTragick story
• Escaping a Python sandbox with a memory corruption bug
• Jinja2 template injection filter bypasses
• Spring Boot RCE via a template code injection
• CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation
• HTTP Desync Attacks: Request Smuggling Reborn
• JWT (JSON Web Token) (in)security
• Unlocking Heaven's Gate on Linux
• Linux Hardening Guide
• Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
• A Threat Modeling Field Guide