Sessionless

Sessionless is a Burp Suite extension for editing, signing, verifying and attacking signed tokens: Django TimestampSigner, ItsDangerous Signer, Express cookie-session middleware, OAuth2 Proxy and Tornado’s signed cookies. It provides automatic detection and in-line editing of tokens within HTTP requests/responses and WebSocket messages, signing of tokens, and automation of brute-force attacks against signed-token implementations. It was inspired by the JWT Token extension by Fraser Winterborn and Dolph Flynn. The original source code can be found here and here. If you would like to test it, the source code can be found at the GitHub repository.

Jooq Code Injection

Imagine you have found a test database with weak credentials on an internal network. Unfortunately, you don’t have superuser permission to access the file system or execute commands. There is no way to get to the OS level; however, a CI/CD tool somehow uses the database. Let’s look at how remote code execution can be achieved with the technique known as code generation.

Apollo REST Data Source SSRF

Apollo REST Data Source is used for fetching data from a REST API and exposing it via GraphQL within Apollo Server. This feature can be used to gain access to internal services. The issue is very easy to miss during code review, as spotting it requires deep knowledge of browser behaviour.

They Are Dangerous

Stateless authentication and authorization with “signed web tokens” is a real gold mine for security researchers. They are hard to implement securely and have several easy-to-find, critical-impact vulnerabilities (hardcoded secrets, weak signing keys, several types of algorithm confusion, etc.). Today I will talk about the number of public CVEs I started with, and how you can find the same critical issues in a bunch of other products.

Memcached Command Injections at Pylibmc

The recent rise of Apache Airflow CVE-2020-17526 exploitation brought my attention to the Flask session signing algorithm. My search for common Flask default secrets on GitHub brought me to one interesting library, Flask_Session. Flask-Session is an extension for Flask that adds support for server-side sessions to the application. It allows you to use the Redis or Memcached key-value stores as a session backend. By default, the Python pickle library is used for data serialization, which reminded me of an interesting piece of research.

Exploitation of the Psychic Signatures

Psychic Signatures vulnerability. “Psychic Signatures”, CVE-2022-21449, affects Oracle Java SE 17.0.2 and 18, and Oracle GraalVM Enterprise Edition 21.3.1 and 22.0.0.2, and allows ECDSA signature verification to be bypassed. A detailed description of the issue is available in the great blog post by Neil Madden. Unfortunately, the initial proof of concept does not cover all potentially vulnerable libraries. In this article I will demonstrate a sample vulnerable application that uses JWT tokens signed with the ES256 algorithm, and the way it can be exploited.

Spring Boot Actuators

Spring Boot actuators overview. Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints. Endpoints can be enabled in the application.properties file:

management.endpoints.web.exposure.include=*
management.endpoint.env.enabled=true

or

management.endpoints.web.exposure.include=env,beans
management.endpoint.env.enabled=true
management.endpoint.beans.enabled=true

XML external entity (XXE) injection on the env endpoint. By default, the Spring Boot actuator env endpoint is vulnerable to XML external entity (XXE) injection. The application property spring.main.sources can be modified by request: Spring boot

Flask Security

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication configured by the software administrator. Unfortunately, this vulnerability can be difficult for developers to detect. I’ll talk about common misconfigurations in Flask-powered applications, how a malicious user can exploit the vulnerability, and how this risk can be mitigated.

Multiple vulnerabilities in the Craft CMS SEOmatic plugin

A couple of months ago I was retesting an interesting Server Side Request Forgery (SSRF) vulnerability in a debug GET parameter. The developers had disabled it on the load balancer, so I decided to do some fuzzing with the awesome Burp Suite plugin param-miner. There was no way to exploit the SSRF, but an interesting parameter, action, was discovered. Further investigation showed that this is default behaviour of Craft CMS. A quick search of public CVEs returned a promising vulnerability, CVE-2018-14716. You can find information about the issue and the way to exploit it in the blog post by 0xB455. When you have finished reading that article, come back and we will find a way to bypass the fix and execute code on the vulnerable system.

Security of Images Part 2

A common feature of modern web applications is saving and processing user files: avatar generation, file thumbnails, reports or screenshot generation. Open source data processing libraries are usually used for such purposes. There are a number of known vulnerabilities in those libraries that can be used to gain access to sensitive information. In this article I’ll show you how to get access to an arbitrary file on a vulnerable system and lure process memory into your open arms.

Security of Images Part 1

A common feature of modern web applications is saving and processing user files: avatar generation, file thumbnails, reports or screenshot generation. Open source data processing libraries are usually used for such purposes. There are a number of known vulnerabilities in those libraries that can be used to gain access to sensitive information. This article is mainly a brief security review of data processing libraries over the last few years.