Posts tagged with "Security"
Ways to download a file from a remote Windows machine

During network exploitation/pentesting/system administration, sometimes you’ll get on a Windows target and need to download a file – i.e. move it from your client to the target. This is a common problem with a lot of good, quick solutions. Other times, you’ll get on a Windows target and need to upload a file – i.e. move it from the target back to your client. This tends to be a little trickier, but there are nonetheless a few reasonably quick and easy ways to do it. I’ve documented five of them...

Notes on contentEditable and HTML injection

In the bad old days, all user-supplied text in a web page was entered using one or other form element, input for short texts such as names, and textarea for texts that may span multiple lines, such as comments or user feedback. These elements, while extremely useful and serviceable, didn’t always fit in with the webpages they occupied, and had no capacity for WYSIWYG editing of formatted text. But now, using the contentEditable attribute (one of HTML5’s many innovations) almost any element on the page can be used for user-supplied...

Password strength

So here’s something most people in the know will tell you about setting a strong password: length beats complexity. A 30 character password made up entirely of lowercase letters is going to be more difficult for an attacker to break (whether by brute force guessing passwords on an online login page or cracking password hashes compromised in a data breach) than an 8 character password with the requisite mix of upper case and lowercase letters, numbers and special characters. What’s really convenient and almost mind-blowing about this is the...

Notes on CSRF and the ASP.NET ViewState

In principle, Cross-Site Request Forgery is a pretty straightforward kind of website vulnerability. Easy to test, common, and not trivial, but also not very severe. I send a request to a website to perform some action on my behalf. The website understands the action I want to perform by the data contained in my request: which URL it’s going to and what GET or POST parameters it’s carrying. It understands who I am by looking at my session cookie, a separate piece of data which I get when I log on and...

Directory persistence hack for webshells

The scenario: you’re busy pen testing a webapp and you get code execution somehow. Probably with a dinky little webshell like <?php echo shell_exec($_GET['e']); ?>. For whatever reason, you can’t get or don’t feel like getting something more sophisticated. But the one thing that really irritates you is having to cd through to the directory you want with every new command. Well, here’s a little Ruby script that will do that for you, literally by remembering every single one of your cds and prepending them, in order, to all...