tl;dr: Deanonymisation Attacks via Leaky Resources and JavaScript Cache Probing


A quick summary of the main ideas (in very broad strokes) explored in this awesome paper by Mojtaba Zaheri, Yossi Oren and Reza Curtmola. What’s the attack? A deanonymisation attack is when seemingly incidental data is used to infer someone’s identity online. Attack Scenario Imagine an authoritarian government has a zero day that they want to deploy to a journalist’s computer. They have their state news website all ready to go to deliver this exploit.…
Read more ⟶

tl;dr: Account Pre-Hijacking


A quick, practical rundown of this research paper by Avinash Sudhodanan and Andrew Paverd on account pre-hijacking attacks, for reference during pentests. What’s the attack? Stealing user accounts before they’ve even been registered by the victim. After the victim registers them, the attacker has access. If, during a web app test, you notice that you can register a new account and are let in without having to click an email confirmation link, these attacks will potentially work.…
Read more ⟶

tl;dr: Hunting Evasive Vulnerabilities


Below are some takeaways from @albinowax’s brilliant presentation at Nullcon Berlin. He explores why some vulnerabilities are evasive and gives some ideas and advice on how to dig them out. You can find the keynote here. Takeaways Don’t let the appearance of defences deter you from trying the attack anyway. The defences may be misconfigured in a way that nobody understands yet. Seek out old or unfashionable exploit techniques and learn about them from the original research.…
Read more ⟶

Cloud Pentesting Lab


How To Create a Kali & Parrot Pentesting Lab in AWS Using Docker and Terraform In this post, I’ll quickly run through how to set up an AWS EC2 machine and install pre-configured kali and parrot containers, all provisioned automatically with terraform. Prerequisites Sign up for a free AWS account. You just need a valid credit card. Install AWS CLI tool. Install Terraform CLI tool. Pull the lab repo from my github that contains everything you need to follow this guide, and cd into it:…
Read more ⟶

Trojan Source Attacks


I was reading through this week’s Hive Five security newsletter and found the article on Trojan Source Attacks really interesting. Research by Nicholas Boucher and Ross Anderson shows a new way to hide malicious code in plain sight: the source code that’s rendered doesn’t reflect its true functionality when run! How? Languages like English and Italian are written and read from left to right. Others like Hebrew and Arabic are the opposite: right to left.…
Read more ⟶

Fuzzing with AFL


Notes on this lecture by Erlend Oftedal. It’s a clear and concise walkthrough of getting started with AFL. AFL - American Fuzzy Lop, developed by Michael Zalewski (@lcamtuf) It’s open source, optimised and smart. Workflow Compile the binary with AFL Find a test corpus Run the fuzzer Triage the findings When compiling, add AFL_HARDEN=1 to add code hardening and find crashes quicker. Find files from unit/integration tests and minimise the list of cases.…
Read more ⟶

OWASP 20th Anniversary Celebration


Below are notes from presentations at the OWASP 20th anniversary conference. I tried to get the main points and takeaways, plus any interesting details. However, they are not particularly readable and more of a personal promemoria. There were a few different tracks running simultaneously, so it was tough to choose what to watch, and I will definitely go back to check out some presentations I missed. Keynote Philippe de Ryck kicked things off with a keynote outlining his vision for a future where security responsibility is shifted away from devs and encapsulated in libraries.…
Read more ⟶

Bug Bounty Alerts


Just a quick update on a personal project. The Problem I enjoy pentesting and searching for web vulnerabilities, but the vast majority of the in scope assets on bug bounty programs have been thoroughly tested long ago. This means there isn’t much chance of finding anything interesting in the little time I have to test for fun. The Solution I wrote a Python script that scans (nearly) all HackerOne bug bounty scope pages and sends a mail alert when something changes.…
Read more ⟶

codice-fuzzcale demo 2


So I’ve pretty much wrapped up this personal project. It fuzzes all possible Italian fiscal codes (codici fiscali) based on incomplete information. You can enter the information interactively. In the example below, we don’t know the person’s age, but enter a maximum age of 20 and minimum age of 10: All 3,378 possible birth dates are iterated over and a valid fiscal code is generated for each one.…
Read more ⟶

tl;dr: HTTP Request Smuggling


What is it? When a web application uses a chain of servers (e.g. a load balancer or reverse proxy that forwards a user’s request to one or more backend servers over the same connection), an attacker can hide multiple HTTP requests in one single request. The frontend server forwards the request, and the backend server(s) interpret it as multiple requests. Chaos ensues. How, though? This attack is possible if the front and backend servers use different headers to ascertain the length of a request.…
Read more ⟶