Intellawatch

Django Security Update, Patch for DoS & SQL Injection Vulnerability cyber

from GBHackers On Security

The issue arises in scenarios where these methods handle inputs containing extensive sequences of nested, incomplete HTML entities. This vulnerability was reported by jiangniao and has been classified as having moderate severity according to Django’s security policy. On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value.....

Fun: The fascinating security model of dark web marketplaces. cyber

from AppSec Ezine

They brag about hacking another market, ‘Pax Romana’, to demonstrate their security ability, then refunding all the customers as a show of goodwill. The admin seems interested in staying on top of security, making comments about how companies are trying to trace Monero, stating things like “I plan every step so that my anonymity will not only exist today, but also in 10 years”, and then demonstrating it with stuff like a Content Security Policy that prevents JavaScript from executing. Anyway, w....

Fun: QEMU internals. cyber

from AppSec Ezine

It is able to emulate a full system (CPU, devices, kernel and apps) through the qemu-system- command line tool. This is typically the case in classical virtualization environments (VMware, VirtualBox, …) when a user wants to run Windows on Linux, for instance. It shall be noted that Airbus does not commit itself to the exhaustiveness and completeness of this blog post series.....

Security: A lightning-fast journey from Guest to Account Takeover (Salesforce Communities). cyber

from AppSec Ezine

However, there are some important concepts and quirks that I cannot take for granted, so we will look at them here quickly. Once these three pieces of information have been obtained, we can query the /auraCmpDef endpoint and extract every declared Apex controller for the specified descriptor: Using these controllers, I started to extract every misconfigured object from the various communities, obtaining different interesting information, including:....

Security: Why Code Security Matters - Even in Hardened Environments. cyber

from AppSec Ezine

Instead of storing actual files, procfs provides access to real-time information about running processes, system memory, hardware configuration, and more. This library uses anonymous pipes to signal and handle events, which are exposed via procfs as we saw in the output above. This may lead to false positives or environment-specific structures but increases their chance of getting useful findings, which can be verified manually.....

Security: Command Injection in Kemp LoadMaster Load Balancer (CVE-2024-7591). cyber

from AppSec Ezine

It requires no authentication and can be exploited remotely by having access to the Web User Interface (WUI). If they match, the value is then URL-decoded, afterwards Base64-encoded and finally printed to stdout with printf. So even if unfiltered and unsanitized input reaches this point, it is not possible to inject commands here anymore.....

Security: Android's CVE-2020-0238 (AccountTypePreferenceLoader). cyber

from AppSec Ezine

Also, subscribe to my new @SideQuest_256 channel and I might post videos about the Android journey too :D It all started when I decided to revisit an old testing device - my trusty OnePlus phone that had been sitting in a drawer, untouched and unpatched for years. AbstractAccountAuthenticator: This is a base class that app developers use to create custom authenticators for managing accounts on Android.....

Security: Pishi - Coverage guided macOS KEXT fuzzing. cyber

from AppSec Ezine

Only certain parts of KEXTs interact with the vtables; at least in our target, AppleAVD, it will decode and parse buffers. At the same time I know something is wrong: we can’t just replace any random xpacd in the target KEXT with a call to an imported function. Especially in the time window of instrumenting ten thousand BBs, this race condition is challenging; it requires suspending all threads and disabling preemption.....

Hack: SecHub provides a central API to test software with different security tools. cyber

from AppSec Ezine

SecHub orchestrates various security and vulnerability scanners which can find potential vulnerabilities in source code, binaries or web applications. Using the REST API requires several steps, which is fine if SecHub needs to be integrated into another software or platform. The only requirements to scale SecHub are: a PostgreSQL database and an object store or file share.....

Hack: Activation Context hijack PoC to load/run an arbitrary DLL in any process. cyber

from AppSec Ezine

Eclipse is a PoC that performs Activation Context hijack to load and run an arbitrary DLL in any desired process. Kill the previously spawned rdpclip.exe process (only one rdpclip.exe can be running per user session) and run Eclipse once again. In this case, the FactoryResetUICC of C:\Temp\MyDll.dll is just an infinite loop and its execution can be checked using PH:....

Hack: Assess the security of your Active Directory with few or all privileges. cyber

from AppSec Ezine

Assess the security of your Active Directory with few or all privileges. This tool offers functionalities similar to PingCastle, ORADAD, or even PurpleKnight (with some bonuses). At present, this tool has 79 checks and more are to come (see the TODO).....

Hack: Bypass Credential Guard by patching WDigest.dll using NTAPI functions. cyber

from AppSec Ezine

....

Hack: New AMSI Bypass Technique Modifying CLR.DLL in Memory. cyber

from AppSec Ezine

Additionally, some EDRs such as Elastic Endpoint Security allow threat hunters to scan memory looking for modified sections of code. We essentially push our bypass through a set of SpecterInsight cmdlets that take in any PowerShell script and apply the specified obfuscation technique against it. In this post, I have presented a new, currently undetected, AMSI bypass that enables attackers to reflectively load .NET binaries without AV scanning or interference.....

Hack: Maryam - Open-source Intelligence(OSINT) Framework. cyber

from AppSec Ezine

....

Hack: Stealthily inject shellcode into an executable. cyber

from AppSec Ezine

The idea is that injecting shellcode nicely into a non-malicious executable should make it less detected.
- Encrypt payload
- Execution guardrails, so the payload is only decrypted on target
- Anti emulation, against AV emulators
- EDR deconditioner, against EDR memory scan
- Keep all original properties of the executable (imports etc.)
Also make sure radare2 is in PATH if you want to use it:....

Hack: DarkFlare Firewall Piercing (TCP over CDN). cyber

from AppSec Ezine

Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront are not only widely accessible but also integral to the global internet infrastructure. Internet censorship is a significant issue in many countries, where governments restrict access to information by blocking websites and services. Linux's popular pppd daemon will also not run as non-root in some cases, which would require a more complex configuration with sudo.....

Hack: M365/Azure Adversary Simulation Tool. cyber

from AppSec Ezine

Its purpose is to generate attack telemetry that aids teams in building, testing, and enhancing detection analytics. To facilitate realistic simulations, msInvader implements multiple authentication mechanisms that mirror different attack scenarios. Additionally, msInvader can replicate conditions involving compromised service principals by supporting the client credentials OAuth flow.....

Hack: BootExecute EDR Bypass. cyber

from AppSec Ezine

....

Must see: Cross-Site POST Requests Without a Content-Type Header. cyber

from AppSec Ezine

One interesting attempt at CSRF protection is the rejection of requests with a Content-Type header not equal to application/json. It is possible to send arbitrary values, but only after the receiving website has granted permission via Cross-Origin Resource Sharing (CORS). This is relevant as Blob objects are more complex than strings, containing not just data but also an associated type.....
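As an added illustration (not code from the linked article or its author), the server-side check the excerpt describes, written two ways in Node.js so the failure mode can be exercised offline. The header objects below are constructed, keys are lowercased the way Node's `req.headers` presents them, and the browser-side request is shown only as a comment for reference.

```javascript
// Browser side (reference only, not run here): a Blob with an empty type is sent by
// fetch() without any Content-Type header, and a cross-site POST with no Content-Type
// is a "simple" request, so the browser performs no CORS preflight before sending it.
//
//   const body = new Blob(['{"amount":1000}'], { type: '' });
//   fetch('https://victim.example/api/transfer', { method: 'POST', body, credentials: 'include' });

// Flawed check: rejects a wrong Content-Type but silently accepts a missing one.
function flawedAcceptsRequest(headers) {
  const ct = headers['content-type'];
  if (ct !== undefined && ct !== 'application/json') return false;
  return true;
}

// Hardened check: the header must be present and its media type (ignoring parameters
// such as charset) must be exactly application/json.
function hardenedAcceptsRequest(headers) {
  const ct = headers['content-type'];
  if (ct === undefined) return false;
  const mediaType = ct.split(';')[0].trim().toLowerCase();
  return mediaType === 'application/json';
}

// Constructed header sets standing in for three incoming requests.
const legitimateJson = { 'content-type': 'application/json; charset=utf-8' };
const classicForm = { 'content-type': 'application/x-www-form-urlencoded' };
const blobNoType = {}; // what the Blob trick above produces on the wire

// Run both predicates over the three requests and report the decisions side by side.
function compareChecks() {
  const cases = { legitimateJson, classicForm, blobNoType };
  const result = {};
  for (const [name, headers] of Object.entries(cases)) {
    result[name] = {
      flawed: flawedAcceptsRequest(headers),
      hardened: hardenedAcceptsRequest(headers),
    };
  }
  return result;
}

console.log(compareChecks());
```

Note that `flawedAcceptsRequest` admits `legitimateJson` with a charset parameter only by accident (it rejects it, in fact, because the comparison is exact), while it waves the header-less request through; the hardened version fixes both. Even the hardened check is not a CSRF defence on its own: pair it with an Origin header check, SameSite cookies or an anti-CSRF token.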

Hackvertor EAN-13 and TOTP tags for web-application penetration testing with Burp cyber

from Pentagrid Blog

The execution key is a random 40-hex character string that prevents websites processed by Burp from triggering harmful actions. If such a second factor is required during the penetration test, this Hackvertor tag can be used. The command line tool zbarimg can dump QR code content from an image file:....
