I recently came across a pentest that taught me to love thy scripture; stringent conditions force you to get a different perspective. The client network was abstractly set up as below: The network was fairly good because of the firewall on one end, but a few problems became evident leading to the attack surface[…]
XXE (Extensible Markup Language External Entity) is a common type of injection which occurs in applications that fail to sanitize XML input. This is particularly common with web services. The XML input in a web service can be considered as a description of data so that two systems can have a common language to communicate with[…]
Many a time we get caught in the trap where a server is shelled but there is nothing to go on with. Today we will look at one such possibility. You have a webshell on a server; however, you want to use old-fashioned netcat or socat to connect to it[…]
HackBattle Scenario 2 is way easier than HackBattle 2015 Scenario 1 Part 1 because once you figured out the con (Hacking Team Saga) it was pretty straightforward and googling all the way. In short, you needed to Pozzi this battle. Watch it below to see how it was to be done.
Following the Africahackon Conference 2015, the OWASP Mth3l3m3nt Framework was used in the CTF solution to make it easier, faster and more efficient to manage the attack. The main modules used in this are: Generic Request Maker, Shell Generator, Web Herd (HTTP Bot)
This is a simple discussion based on the demo done at Barcamp 2014. This writeup is based on the problems faced in the implementation of a majority of the cloud-based systems, especially those offered as SaaS. Some of the issues highlighted here are: Session Management Failures, Poor Coding Practices (Non Secure SDLC), Failed Business Continuity[…]
Due to the increase in Web Application Thefts I thought I should share one that I had to prove recently. (Names and addresses have been changed where necessary to keep client details confidential.) For all XAMPP versions before 1.7.4 there’s a WebDAV service that comes with it. In order to test availability of the service just[…]