During a customer project we identified an issue with the validation of JWT tokens that allowed us to bypass the authentication by using unsigned tokens with arbitrary payloads. During analysis we found out that this is caused by a vulnerability within the library OpenID Connect Authenticator for Tomcat.
Continue readingTag: web application
Cookie Prefixes – The Lesser Known Cookie Security Feature
When you’re analyzing web applications as a pentester or reading pentest reports about web applications, you will often see findings regarding cookies missing certain security flags. The Set-Cookie HTTP header and the JavaScript document.cookie API allow to use, for example, the flags Secure, Path, and Domain. Common audit and pentest tools will tell you when your web application does not or just insecurely implements these cookie flags.
However, they do not provide optimal security even when using these flags correctly. However, there are mitigations available that partly solve the issues.
Continue reading “Cookie Prefixes – The Lesser Known Cookie Security Feature”
Continue readingSolving client-side controls once and for all
Missing server-side validation consistently scores a place in the OWASP Top 10. Browsers nowadays offer a lot of ways to easily implement client-side controls, increasing the usability by a lot. They automatically detect missing fields or invalid characters in your input fields and may even validate user input against a regular expressions.
However, these controls should only be considered as usability features. When sending data to a back-end system the application must always ensure data integrity by implementing encodings, validations and filters. Even for small applications this is a painful and tedious process. For each possible input, developers together with security experts have to carefully identify the context of each field, how the input is going to be used and what data requirements are present.
Furthermore, the application must always be aware of the current data encoding and apply the correct decoding before validating or filtering anything.
In this post we are going to present a new groundbreaking solution to combat missing server-side validation once and for all.
Continue reading “Solving client-side controls once and for all”
Continue readingYet Another Information Disclosure?
Hey there, for those of you that roll your eyes when writing the nth Information Disclosure Finding in a report, here is a short story of how such information helped compromising a system.
Continue reading “Yet Another Information Disclosure?”
Continue readingNew Methods for Exploiting ORM Injections in Java Applications (HITB16)
The HITBSecConf or “Hack In The Box” in Amsterdam is a well known security conference in Europe. We also attended this year too, and there were quite some interesting talks at the HITBSecConf16 conference. One of the talks was about “New Methods for Exploiting ORM Injections in Java Applications” by the security researchers Mikhail Egorov and Sergey Soldatov.
Continue reading “New Methods for Exploiting ORM Injections in Java Applications (HITB16)”
Continue readingClassic Web Vulns Found in Google Search Appliance 7.4
Hi all,
I’ve recently found some sort of classic web vulnerabilities in the Google Search Appliance (GSA) and as they are now fixed [0][1][2], I’d like to share them with you.
First of all, some infrastructure details about the GSA itself. The GSA is used by companies to apply the Google search algorithms to their internal documents without publishing them to cloud providers. To accomplish this task, the GSA provides multiple interfaces including a search interface, an administrative interface and multiple interfaces to index the organization’s data. Continue reading “Classic Web Vulns Found in Google Search Appliance 7.4”
Continue readingHow to test Kerberos authenticated web applications?
First of all: This is not an in-depth Kerberos how-to, nor is this tutorial about the different aspects of web application testing. This tutorial is just to give support in testing Kerberos authenticated web applications. The goal is to hand over the right tools and steps to be able to perform the configuration and be able to test the application.
Continue reading “How to test Kerberos authenticated web applications?”
Continue readingWeb Hacking Special Ops Workshop @ TR16
Trooper!
You passed Hacking 1on1 with flying colors?
You evade web application firewalls as they would be opened doors?
You have successfully exploitated CVE-2015-8769?
Then it’s time for the next challenge! Follow us down the rabbit hole to the not so well known attacks against modern web applications.
Continue reading “Web Hacking Special Ops Workshop @ TR16”
XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]
During one of our latest web application code review projects I came across a vulnerability for which I think it is worth to speak about. It is an injection based attack against XML parsers which uses a rarely required feature called external entity expansion. The XML specification allows XML documents to define entities which reference resources external to the document and parsers typically support this feature by default. If an application parses XML input from untrusted sources and the parsing routine is not properly configured this can be exploited by an attacker with a so called XML external entity (XXE) injection. A successful XXE injection attack could allow an attacker to access the file system, cause a DoS attack or inject script code (e.g. Javascript to perform an XSS attack).
Continue reading “XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]”
ERNW’s Top 9 Burp Plugins
In the context of an internal evaluation, we recently had a look at most of the burp plugins available from the BApp store. The following overview represents our personal top 9 plugins, categorized in “Scanner Extensions”, “Manual Testing” and “Misc” in alphabetic order:
Continue reading “ERNW’s Top 9 Burp Plugins”