Cyberis Blog

User Enumeration - Timing Discrepancies

I find myself writing this blog today as there are only a few references on the internet to user enumeration attacks via timing discrepancies, despite almost every site I've tested in my career being vulnerable to the weakness.

The issue is fairly obvious from the title; an application log-in response takes differing amount of times depending on whether or not the user is valid. But why?

Attacking Big Business

This is a technical blog post on using trusted online services as a delivery and command and control (C2) channels in simulated attack scenarios. Written by Geoff Jones - Director and Simulated Attack Specialist at Cyberis.

Who Needs Rep?

Larger organisations often employ reputational filtering of web traffic to defend against delivery of malicious code and the exfiltration of data if a compromise were ever to occur. It's an effective control provided by many next-generation firewalls and web proxies, including newer cloud-based solutions such as Zscaler.

NotPeyta: Why so dangerous?

Another week, another ransomware outbreak. On Tuesday, we saw another variant of ransomware spreading, worm-style, across unsecured networks within large organisations. As with the WannaCry outbreak in May, large global corporations have been affected, and infections have spread from their initially-compromised hosts across internal networks. NotPetya hasn't received as much press as WannaCry did, but from a security perspective it does, at the moment, look far more interesting.

PHP Serialization and SQL Injection

Sanitisation of user input is essential for preventing SQL injection, regardless of the format of the supplied data. Today I'm going to look at SQL injection through a more obscure injection point: serialized PHP arrays. Taking inspiration from a finding in a recent test, I've created a small app which allows the user to upload a CSV file. This file is then converted to a PHP array, serialized and returned to the user as a hidden form field. Finally, this is posted back to the application where the supplied data is inserted into the MySQL database.

Serverless Architectures, Penetration Testing and Authority

Outsourcing infrastructure to cloud service providers has fundamentally changed the face of information technology and corporate architectures in the last decade or so.  

Flexible, fast-paced development.  Rapid deployment.  Scalability.  Resilience. Minimisation of in-house hosted infrastructure. The growth of microservices and mobile technologies.

Tags

Creating Macros for Burp Suite

There are many tools available for automated testing of web applications. One of the best known is probably sqlmap. Sqlmap allows you to identify and exploit SQL injection vulnerabilities with ease from the command line. However, controls such as CSRF tokens or simple anti-automation techniques such as including a unique hidden value within the form can prevent automated tools from working correctly. Macros in Burp Suite are a great way to bypass these measures in order to carry out automated testing, although they can be complicated to implement.

Tags

After The Storm

You’ve had an incident.  You’ve managed the fall-out, contained the outbreak and restored normal service.  Now is the time to sit down with your incident response teams, your operational teams and other stakeholders and work out how to prevent a recurrence.

During an incident wash-up meeting, you should go over all evidence gathered during the incident, details of actions taken and the reasons why decisions were made given the information available at the time. 

Enacting Your Response

Situational awareness throughout incident response activities is of paramount importance.  As activities are conducted, new information is likely to emerge.  New information may completely change the objectives of your exercise, and teams need to be in constant communication in order to coordinate activities.

Actions assigned to responders during an incident will be informed by the systems and data at risk, business continuity plans for these systems, and the objectives of the incident response exercise.