tl;dr: JWT Best Practice


Some notes on best practice when using JSON Web Tokens (as defined in RFC 7519).

Best Practice

Allowlist algorithms: a blocklist can be bypassed by malforming unwanted algorithms (e.g. ‘NoNe’).
Signature: use asymmetric signing, either ES256 (faster) or RS256 (more widely supported).
Why use asymmetric signing? It is easier to keep the secret secret, and it proves the token was signed by the real signer.
If you really have to use symmetric signing, use ephemeral secrets.
Always validate the token.
A JWT can be used for access or ID: check the expected usage.
Of course, never include confidential information in the JWT itself.

Common Exploits

CVE-2015-2591: alg:none
CVE-2016-10555: RSA/HMAC-SHA public key mismatch
CVE-2018-0114: key injection
CVE-2019-20933: blank password
CVE-2020-28042: null signature

Sources & More Info

This presentation by Philippe De Ryck
The OWASP Testing Guide …

tl;dr: Deanonymisation Attacks via Leaky Resources and JavaScript Cache Probing


A quick summary of the main ideas (in very broad strokes) explored in this awesome paper by Mojtaba Zaheri, Yossi Oren and Reza Curtmola.

What’s the attack?

A deanonymisation attack is when seemingly incidental data is used to infer someone’s identity online.

Attack Scenario

Imagine an authoritarian government has a zero day that they want to deploy to a journalist’s computer. They have their state news website all ready to go to deliver this exploit.…

tl;dr: Account Pre-Hijacking


A quick, practical rundown of this research paper by Avinash Sudhodanan and Andrew Paverd on account pre-hijacking attacks, for reference during pentests.

What’s the attack?

Stealing user accounts before they’ve even been registered by the victim. After the victim registers them, the attacker has access. If, during a web app test, you notice that you can register a new account and are let in without having to click an email confirmation link, these attacks will potentially work.…

tl;dr: Hunting Evasive Vulnerabilities


Below are some takeaways from @albinowax’s brilliant presentation at Nullcon Berlin. He explores why some vulnerabilities are evasive and gives some ideas and advice on how to dig them out. You can find the keynote here.

Takeaways

Don’t let the appearance of defences deter you from trying the attack anyway. The defences may be misconfigured in a way that nobody understands yet.
Seek out old or unfashionable exploit techniques and learn about them from the original research.…

Cloud Pentesting Lab


How To Create a Kali & Parrot Pentesting Lab in AWS Using Docker and Terraform

In this post, I’ll quickly run through how to set up an AWS EC2 machine and install pre-configured Kali and Parrot containers, all provisioned automatically with Terraform.

Prerequisites

Sign up for a free AWS account. You just need a valid credit card.
Install the AWS CLI tool.
Install the Terraform CLI tool.
Pull the lab repo from my GitHub that contains everything you need to follow this guide, and cd into it:…

Trojan Source Attacks


I was reading through this week’s Hive Five security newsletter and found the article on Trojan Source Attacks really interesting. Research by Nicholas Boucher and Ross Anderson shows a new way to hide malicious code in plain sight: the source code that’s rendered doesn’t reflect its true functionality when run!

How?

Languages like English and Italian are written and read from left to right. Others like Hebrew and Arabic are the opposite: right to left.…

Fuzzing with AFL


Notes on this lecture by Erlend Oftedal. It’s a clear and concise walkthrough of getting started with AFL.

AFL (American Fuzzy Lop) was developed by Michał Zalewski (@lcamtuf). It’s open source, optimised and smart.

Workflow

Compile the binary with AFL
Find a test corpus
Run the fuzzer
Triage the findings

When compiling, add AFL_HARDEN=1 to add code hardening and find crashes quicker. Find files from unit/integration tests and minimise the list of cases.…

OWASP 20th Anniversary Celebration


Below are notes from presentations at the OWASP 20th anniversary conference. I tried to get the main points and takeaways, plus any interesting details. However, they are not particularly readable and are more of a personal memo. There were a few different tracks running simultaneously, so it was tough to choose what to watch, and I will definitely go back to check out some presentations I missed.

Keynote

Philippe de Ryck kicked things off with a keynote outlining his vision for a future where security responsibility is shifted away from devs and encapsulated in libraries.…

Bug Bounty Alerts


Just a quick update on a personal project.

The Problem

I enjoy pentesting and searching for web vulnerabilities, but the vast majority of the in-scope assets on bug bounty programs have been thoroughly tested long ago. This means there isn’t much chance of finding anything interesting in the little time I have to test for fun.

The Solution

I wrote a Python script that scans (nearly) all HackerOne bug bounty scope pages and sends a mail alert when something changes.…

codice-fuzzcale demo 2


So I’ve pretty much wrapped up this personal project. It fuzzes all possible Italian fiscal codes (codici fiscali) based on incomplete information. You can enter the information interactively. In the example below, we don’t know the person’s age, but enter a maximum age of 20 and minimum age of 10:

All 3,378 possible birth dates are iterated over and a valid fiscal code is generated for each one.…