web app testing

User Enumeration - Timing Discrepancies

I find myself writing this blog today as there are only a few references on the internet to user enumeration attacks via timing discrepancies, despite almost every site I've tested in my career being vulnerable to the weakness.

The issue is fairly obvious from the title: an application's log-in response takes a differing amount of time depending on whether or not the user is valid. But why?

Testing .NET MVC for JSON Request XSS - POST2JSON Burp Extension

During a recent application penetration test on behalf of a client, one of the security vulnerabilities discovered was a stored cross-site scripting vector, delivered via a JSON request to an MVC3 controller. The malicious data (in this case a simple script tag proof-of-concept) was written to the database and subsequently echoed back to the user when viewing a number of pages within the application.

Loading UDF Files on MySQL 5

Command execution via SQL injection is rarely possible on MySQL 5, as specifying the path to a shared library is not permitted due to security concerns - in other words it is not possible to create a UDF allowing you to run shell commands. Normally, if you can write to the default plugins location (/usr/lib/mysql/plugin), you already have root privileges and it's already game over. With MySQL 4 you could specify the full path to a shared library, so the install of a dangerous function was relatively straightforward.

Update to Webscour.pl

We've made a few improvements to webscour.pl - a web site thumbnailer that works from IP/port pairs piped from STDIN (previous post here). The script is a little more resilient to failures and time-outs now, both in LWP and in the only shell dependency - gnome-web-photo. Unlike a few of the other similar scripts and tools out there, webscour.pl attempts to determine whether a service is HTTP or HTTPS, and works on any TCP port - not just 80 and 443.

Testing Access Controls on Large Web Applications

Testing access controls on web applications can be a difficult task if presented with multiple user roles and a large number of pages. Depending on the application, unauthorised access to a page may result in a client error code (40X), a redirect (30X), a straight 200 with an error message within the page, or possibly even a server-side error (50X).

Evading .NET and Browser XSS Protection with Attribute Based XSS

.NET applications offer good protection against basic reflected XSS vectors. Since .NET 1.1, ValidateRequest has been examining client-supplied input for "suspicious" characters, and throwing a helpful error message if such characters are found within a GET or POST request.

Update to XSS-Harvest

Minor update, with improved redress functionality (thanks to @Openwatch), and a check to see whether the script has already been loaded (prevents duplicate keystrokes if the infection string is echoed more than once by the vulnerable application).

Download the new version from Cyberis' github repository here.

Read about XSS-Harvest here... http://blog.cyberis.co.uk/2011/07/harvesting-cross-site-scripting-xss.html

Harvesting Cross Site Scripting (XSS) Victims - Clicks, Keystrokes and Cookies

A couple of years ago I was inspired by @fmavituna's work on XSS Shell and decided to write a new extended version (XSS-Shell-NG) using a PHP and MySQL backend rather than the ASP/Access combination of the original. I never released the tool publicly, as my main aim of making XSS Shell easier to use was never really accomplished; it still required a significant amount of setup to get it working. However, one thing that both tools did well once working was to demonstrate the real business impact of cross-site scripting.

SQL Injection and WAFs

Had a friend test a site today with multiple SQL injection points across the application. It was blind injection - no errors were being returned to the browser, but on a valid (true) statement you'd get content back, and on a false statement or an error you'd get nothing. One particular vulnerable page was quite basic (only one parameter, the result of which would display just one small text article), so we had a go at guessing the number of columns and the type of columns for a 'union select' injection.