In this blog post, Sanjay talks of various test cases to exploit ASP.NET ViewState deserialization using Blacklist3r and YSoSerial.Net.
Blacklist3r is used to identify the use of pre-shared (pre-published) keys in the application for encryption and decryption of forms authentication cookie, ViewState, etc.
We discussed an interesting case of pre-published Machine keys, leading to an authentication bypass. Read moreHow to obtain MachineKey?
There are multiple ways but not limited to the following to obtain the Machine Key used by a .NET application:
Blacklist3r: If the application uses pre-shared machine key Directory Traversal attack to get access to web.... Read more
Today, DevOps is enabling organisations to deploy changes to production environments at blazing speeds. A typical DevOps process flow through the following stages.
A developer writes code using any development environment of their choice and pushes it to a central source code repository. The code is merged into a central repository management tool for the purpose of versioning. The CI/CD server then pulls the code from the source code repository and packages the build artifacts/binaries. These artifacts/binaries are then pushed onto a binary repository manager against the commit ID. These artifacts/binaries are then pulled out to be deployed back into staging and production... Read more
In this blog, Sunil Yadav, our lead trainer for “Advanced Web Hacking” training class, will discuss a case study where a Server-Side Request Forgery (SSRF) vulnerability was identified and exploited to gain access to sensitive data such as the source code. Further, the blog discusses the potential areas which could lead to Remote Code Execution (RCE) on the application deployed on AWS Elastic Beanstalk with Continuous Deployment (CD) pipeline.AWS Elastic Beanstalk
AWS Elastic Beanstalk, is a Platform as a Service (PaaS) offering from AWS for deploying and scaling web applications developed for various environments such as Java, .NET, PHP, Node.js, Python, Ruby and Go. It... Read more
Active Directory (AD) delegation is a fascinating subject, and we have previously discussed it in a blog post and later in a webinar. To summarize, Active Directory has a capability to delegate certain rights to non (domain/forest/enterprise) admin users to perform administrative tasks over a specific section of AD. This capability, if miss-configured, can become a major reason for AD compromise.
Earlier we only talked about manual analysis for finding such delegations. Another article which can be found here covered multiple other tools which can help in such manual analysis. Today, we are going to look at other possible options to hunt for these delegations across a network in... Read more
The goal of this project is to accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.
We are releasing this project with.Net machine key tool to identify usage of pre-shared Machine Keys in the application for encryption and decryption of forms authentication cookie.Auth Bypass using pre-published Machine Key
In this blog post, Sunil talks of an interesting test case with blacklisted/pre-published Machine keys in use, leading to an... Read more
Out-Of-Band (OOB) technique provides an attacker with an alternative way to confirm and exploit a vulnerability which is otherwise “blind”. In a blind vulnerability, as an attacker you do not get the output of the vulnerability in the direct response to the vulnerable request. The OOB techniques often require a vulnerable entity to generate an outbound TCP/UDP/ICMP request and that will then allow an attacker to exfiltrate data. The success of an OOB attack is based on the egress firewall rules i.e. which outbound request is permitted from the vulnerable system and the perimeter firewall.
In this article Ajay(@9r4shar4j4y) and Ashwin(@AshwinPathak26) have kept a rule of thumb to... Read more
The acquisition puts the NotSoSecure business in a position of significantly greater strength, with a broader portfolio of services now available to our customers.
NotSoSecure has been acquired by Claranet, one of Europe’s leading managed IT services providers, to add our ethical hacking training and penetration testing services to its portfolio. Joining the group also means our customers can access a broader range of services for migrating and running their critical applications and infrastructure 24/7, with Claranet’s Networks, Hosting, Communications, and Security teams now working in close partnership with us.
The current NotSoSecure leadership team will be maintaining... Read more