
4 December 2017

OWASP Top 10 - 2017

I wrote about OWASP at University nearly five years ago and, today, I still don't know whether there is any course subject that teaches the main web issues and how to keep them away; as a result, we will keep having many web application vulnerabilities if web engineers don't study, and don't know, how to develop secure web services and WebSockets. Once web applications are developed, with or without vulnerabilities, it should be mandatory to install a Web Application Firewall to protect our organization against new vulnerabilities, DoS attacks, web scraping, etc.

When I was at University, I learnt to develop in Pascal, C/C++ and assembly, although I learnt a little PHP, HTML, JavaScript and Java as well. I developed applications without thinking about publishing them on the Internet, just basic web pages, but, today, web applications sit behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. In addition, microservices written in node.js and Spring Boot are replacing traditional monolithic applications, which brings security challenges like establishing trust between microservices, containers, secret management, etc. On the other hand, modern web frameworks have been released, such as Bootstrap, Electron, Angular and React, which run functionality on the client side, while traditional frameworks run it on the server side.

The difference between the monolithic and microservices architecture

Many changes have happened over the last years and, therefore, the OWASP Top 10 has been updated. For instance, we have a new category called A4 – XML External Entities (XXE) because new issues have been identified in older or poorly configured XML processors when they evaluate external entity references within XML documents.

A4 – XML External Entities (XXE)

Insecure Direct Object References and Missing Function Level Access Control have been merged into A5 – Broken Access Control, where restrictions on what authenticated users are allowed to do are often not properly enforced.

A5 – Broken Access Control
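Both halves of the merged category show up in ordinary request-handling code: an object-level check (does this record belong to the caller?) and a function-level check (may this caller run this action at all?). The example below is added for this post and is not code from OWASP or the original article; the invoice store, the `Principal` type and the role names are constructed for illustration. The insecure lookup is kept beside the hardened one to show the difference.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when an authenticated principal is not allowed to perform an action."""


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset


# Constructed in-memory store (not from the post): invoice id -> owner and amount.
INVOICES = {
    1001: {"owner_id": 7, "total": 120.0},
    1002: {"owner_id": 8, "total": 9999.0},
}


def get_invoice_insecure(principal: Principal, invoice_id: int) -> dict:
    """Insecure Direct Object Reference: the caller is authenticated, but any id is served."""
    return INVOICES[invoice_id]


def get_invoice(principal: Principal, invoice_id: int) -> dict:
    """Object-level authorization: the row must belong to the caller, unless they audit."""
    invoice = INVOICES.get(invoice_id)
    # One error for "does not exist" and "not yours": the response must not let
    # a client work out which ids are real.
    if invoice is None:
        raise Forbidden(f"invoice {invoice_id}")
    if invoice["owner_id"] != principal.user_id and "auditor" not in principal.roles:
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def require_role(role: str):
    """Function-level authorization, enforced server-side: deny unless the role is present."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            if role not in principal.roles:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def void_invoice(principal: Principal, invoice_id: int) -> float:
    """Admin-only action. Hiding the button in the UI is not a control; this check is."""
    invoice = INVOICES[invoice_id]
    invoice["total"] = 0.0
    return invoice["total"]


def attempt(fn, principal: Principal, *args) -> str:
    """Run an action and summarise the outcome, for demonstration."""
    try:
        return f"allowed: {fn(principal, *args)}"
    except Forbidden as e:
        return f"forbidden: {e}"


if __name__ == "__main__":
    alice = Principal(7, frozenset({"customer"}))
    admin = Principal(1, frozenset({"admin", "auditor"}))
    print(attempt(get_invoice_insecure, alice, 1002))  # served: that is the IDOR
    print(attempt(get_invoice, alice, 1002))           # forbidden
    print(attempt(void_invoice, alice, 1001))          # forbidden
    print(attempt(void_invoice, admin, 1001))          # allowed
```

The decision is made from the server-side session (`principal`), never from a role or owner id sent by the client, and the default is deny: a missing decorator or an unknown id both end in `Forbidden`.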

A8 – Insecure Deserialization is another new category in the OWASP Top 10 which, initially, is difficult to exploit. However, a successful exploitation could lead to remote code execution, and it can also be used for replay attacks, injection attacks and privilege escalation attacks.

A8 – Insecure Deserialization
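The root cause behind A8 is letting the deserializer rebuild arbitrary objects from bytes the client controls. As an added example for this post (not code from OWASP or the original article), the block below contrasts a session cookie built with Python's `pickle` against one that carries plain JSON, authenticated with an HMAC that is verified before anything is parsed and then validated against an allow-list of fields. The key, the field names and the `forge_token` helper are constructed for the demonstration; the helper only shows that a modified payload is detected.

```python
import base64
import binascii
import hashlib
import hmac
import json
import pickle

# Constructed demo key (not from the post). A real key comes from a secret store.
SERVER_KEY = b"demo-key-not-for-production"


class InvalidSession(ValueError):
    """Raised when a session token fails verification or validation."""


# Before: the session object is pickled and handed to the client. pickle.loads
# rebuilds arbitrary objects, so whoever supplies the bytes chooses what runs.
def dump_session_insecure(session: dict) -> str:
    return base64.urlsafe_b64encode(pickle.dumps(session)).decode()


def load_session_insecure(token: str) -> dict:
    # Never call pickle.loads on data that crossed a trust boundary.
    return pickle.loads(base64.urlsafe_b64decode(token))


# After: plain JSON (data, not an object graph) plus an HMAC over the exact bytes.
# The tag is checked before the payload is parsed, and the parsed value is
# validated against an allow-list of fields and types.
ALLOWED_FIELDS = {"user_id": int, "roles": list}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def dump_session(session: dict, key: bytes = SERVER_KEY) -> str:
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def load_session(token: str, key: bytes = SERVER_KEY) -> dict:
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        raise InvalidSession("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise InvalidSession("bad signature")
    try:
        data = json.loads(payload)
    except ValueError:
        raise InvalidSession("payload is not JSON")
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise InvalidSession("unexpected fields")
    for name, typ in ALLOWED_FIELDS.items():
        if not isinstance(data[name], typ) or isinstance(data[name], bool):
            raise InvalidSession(f"field {name!r} has the wrong type")
    if not all(isinstance(r, str) for r in data["roles"]):
        raise InvalidSession("roles must be strings")
    return data


def forge_token(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the original tag: what a tampered cookie looks like."""
    _, tag_b64 = token.split(".", 1)
    payload = json.dumps(new_payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + tag_b64


def verify(token: str, key: bytes = SERVER_KEY) -> str:
    """Summarise the outcome of loading a token, for demonstration."""
    try:
        return f"accepted: {load_session(token, key)}"
    except InvalidSession as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    good = dump_session({"user_id": 7, "roles": ["customer"]})
    print(verify(good))
    print(verify(forge_token(good, {"user_id": 7, "roles": ["admin"]})))
```

Signing alone is not enough: the type and field checks after `json.loads` are what stop a privilege escalation through an unexpected field, and the replay concern the post mentions would be addressed by adding an expiry timestamp to the signed payload.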

The last change to the OWASP Top 10 has been to add the category A10 – Insufficient Logging and Monitoring, because many organizations don't have the security tools and processes to detect malicious activities and data breaches and, as a result, they learn about a security breach from external parties, with an average delay of more than 200 days.

A10 – Insufficient Logging and Monitoring
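The minimum for A10 is that security-relevant events are logged with enough context (who, from where, outcome) and that something actually reads them. The following added example, written for this post and not taken from OWASP or the original article, runs a small sliding-window detector over constructed authentication log lines: it alerts once per source address when repeated failures pile up, reports the distinct usernames involved (many users from one source points at password spraying rather than a forgotten password), and tolerates a malformed line instead of crashing. The log format and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (not from the post). Each line records who,
# from where, and the outcome; without those fields there is nothing to monitor.
LOG_LINES = """\
2017-12-04T10:00:01Z auth result=fail user=alice src=203.0.113.5
2017-12-04T10:00:09Z auth result=ok user=bob src=198.51.100.7
2017-12-04T10:00:30Z auth result=fail user=bob src=203.0.113.5
2017-12-04T10:01:02Z auth result=fail user=carol src=203.0.113.5
this line is garbage and must not crash the detector
2017-12-04T10:01:45Z auth result=fail user=dave src=203.0.113.5
2017-12-04T10:02:10Z auth result=fail user=bob src=198.51.100.7
2017-12-04T10:02:59Z auth result=fail user=erin src=203.0.113.5
2017-12-04T10:03:20Z auth result=fail user=frank src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed auth event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_failed_logins(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source when `threshold` failures land inside a sliding `window`.

    Distinct usernames are reported as well, so the analyst can tell a
    spraying attempt from one user mistyping a password.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    alerted = set()
    alerts = []
    for ev in map(parse_line, lines):
        if ev is None or ev["result"] != "fail":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(LOG_LINES.splitlines()):
        print(alert)
```

In production the same logic would run over a log pipeline rather than a string, and the alert would go to a channel someone watches; a detector nobody reads is exactly the gap the category describes.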

This has been an overview of the changes in the OWASP Top 10 – 2017, where other security risks like Injection or Cross-Site Scripting (XSS) also deserve attention, as they keep their importance in the OWASP Top 10.

What changed from 2013 to 2017?

Regards my friends, protect your web servers and keep studying!!

27 November 2017

Social Engineering Toolkit

As pentesters, social engineering helps us to get confidential information which, along with HUMINT and OSINT, is a good place to start. However, most of the time, we are going to need a social engineering toolkit as well to deceive people. For instance, there are useful tools which allow us to clone a webpage to build our own malicious webpage with a built-in exploit for getting access to the victim's computer. These tools are able to get passwords as well as insert our own payload, and they are also able to exploit the major vulnerabilities of Java, Flash, IE, Mozilla, etc.

The most famous Social Engineering Toolkit is SET, developed by David Kennedy, which is an open source framework with many attack features. For example, we can create a spear-phishing attack easily with the aim of getting the victim's credentials, or we can even send mails massively to an organization. SET is also able to clone webpages easily to launch DNS spoofing or phishing attacks. What's more, it allows us to create malicious files (.exe) quickly, or we can import our own malicious file into a payload. Lately, SET has added new attack features like wireless attacks, which create rogue wireless access points to perform a Man-in-the-Middle (MITM) attack for sniffing traffic packets, as well as Arduino-based attacks, the QRCode generator attack, the PowerShell attack or the SMS spoofing attack.

When I gave the talk about my own Domain Generation Algorithm (DGA) for the ISACA Challenge, to bypass firewall security features like web filtering, I used SET to add realism to the attack, because with a social engineering toolkit it is easy to demonstrate how we can deceive people into installing malicious files on their computers. In fact, I cloned a webpage and performed a MITM attack to redirect the victim to the malicious webpage, which hosted Java exploits to take advantage of Java vulnerabilities, and I imported my own DGA payload into the Java exploits to create random domains and bypass web filtering.

These weeks I'm working with the social engineering toolkit to create a lab with PowerShell attack vectors to get into Windows 10 operating systems. It is too easy, as always, to create a malicious file with a reverse shell for getting into the victim's computer and stealing whatever we want. However, once we have the malicious file, we have to deceive the victim, because it has to be executed with administrator privileges to inject shellcode into the operating system. How can we deceive the victim into executing the malicious file? Again, SET helps us to clone webpages and deploy malicious files, it helps us to perform spear-phishing attacks, etc. It is just a matter of thinking about social engineering.

Therefore, as pentesters, everything is useful; we can use HUMINT and OSINT as well, but a social engineering toolkit is a powerful tool needed to get confidential and private information about a company. Sadly, this kind of toolkit is used by offenders, and this is the main reason why pentesters should use it as well.

Regards my friends, keep warning and raising the alarm about social engineering toolkits.