Tag Archives: Security

Data exfiltration through the VMware hypervisor

It's possible for two virtual machines with no network access or shared file system to communicate as long as they run under the same hypervisor. This post will show how this can be achieved by sending a square wave across the …

Posted in Exploits | 3 Comments

Encoding Web Shells in PNG IDAT chunks

If you carefully encode a web shell in an image, you can bypass server-side filters and seemingly make shells materialize out of nowhere (and I'm not talking about encoding data in comments or metadata). This post will show you how …
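A scanner for the kind of file the post describes, added here as an example (not the post's own code or the post's encoding technique): it walks the PNG chunk list, verifies every CRC, and looks for PHP open tags in both the raw IDAT bytes and the decompressed pixel data. The fixture builder is constructed for the test only; it writes the payload into the first scanline of a one-row greyscale image, and with zlib level 0 (stored deflate blocks) the payload also appears verbatim in the file, which is why a naive byte grep catches it at level 0 but not once the stream is actually compressed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_payload(payload, width=64, level=0):
    """Constructed test fixture: a valid 8-bit greyscale PNG, one scanline high,
    whose pixel bytes are `payload`. level=0 makes zlib emit stored blocks, so
    the payload also shows up byte-for-byte inside the compressed IDAT data."""
    if len(payload) > width:
        raise ValueError("payload longer than one scanline")
    scanline = b"\x00" + payload.ljust(width, b" ")  # leading 0 = filter None
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 0, 0, 0, 0)  # 8-bit greyscale
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline, level))
            + _chunk(b"IEND", b""))


def parse_chunks(data):
    """Walk the chunk list, checking the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def scan_idat_for_php(data):
    """Return (marker_in_raw_idat, marker_in_pixels). The second check is the
    one that matters: compressed IDAT data rarely contains the tag literally,
    but the decompressed scanlines do if the shell was placed in pixel data."""
    chunks = parse_chunks(data)
    idat = b"".join(body for ctype, body in chunks if ctype == b"IDAT")
    pixels = zlib.decompress(idat)
    in_raw = any(m in idat for m in PHP_MARKERS)
    in_pixels = any(m in pixels for m in PHP_MARKERS)
    return in_raw, in_pixels
```

Run `scan_idat_for_php` over anything an upload handler is about to keep; a hit in either position is a file that should not be served from a directory where PHP executes, whatever its extension says.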

Posted in Exploits, PHP | 22 Comments

Exploit: Symfony2 – local file disclosure vulnerability

I recently discovered a vulnerability affecting the Symfony2 framework, versions 2.0.0-2.0.10. In short, by parsing user-supplied XML in any way (e.g. a SOAP API, an RSS feed, unserializing an object) it is possible to disclose the contents of arbitrary files from the …

Posted in Exploits, PHP, XML | 1 Comment

Decrypting suhosin sessions and cookies.

The suhosin module provides transparent cookie and session encryption out of the box to PHP applications. Once enabled, any session values stored on disk are encrypted with Rijndael and a slight variation on base64 encoding; the same applies to any …

Posted in PHP | 5 Comments

Google TOTP Two-factor Authentication for PHP

At the beginning of the year Google released two-factor authentication (2FA) for Gmail, providing an application called Google Authenticator for Android, iPhone and BlackBerry that generates one-time login tokens. This post will show how to implement Google 2FA …
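The token algorithm Google Authenticator implements is plain RFC 4226 HOTP driven by an RFC 6238 time counter (HMAC-SHA1, 30 second step, 6 digits). The following Python is an added example, not the post's PHP implementation: it generates and verifies codes, accepts one step of clock drift either side, and refuses to accept a counter at or below the last one used so that a code sniffed in transit cannot be replayed within its window. The `last_counter` parameter is my own addition and stands in for whatever per-user storage a real application would use.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator defaults
DIGITS = 6


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation: the low nibble of the last byte selects a 31-bit window."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32):
    """Authenticator secrets are shown unpadded base32; restore the padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, window=1, last_counter=-1):
    """Accept codes from `window` steps either side of now (clock drift) and
    reject any counter <= last_counter so an observed code cannot be replayed.
    Returns the counter that matched (store it as the new last_counter), or None."""
    at = time.time() if at is None else at
    now = int(at) // STEP_SECONDS
    key = decode_secret(secret_b32)
    for counter in range(now - window, now + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None
```

The constant-time comparison matters less than rate limiting here (a 6-digit code has only a million possibilities), but it costs nothing; the replay check is the part most home-grown implementations forget.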

Posted in PHP | 25 Comments

Exploit: PHPCaptcha / Securimage is not secure

Recently I discovered an easy way to bypass PHPCaptcha, also known as Securimage. The method described below will break the CAPTCHA every time, without fail, and affects versions 1.0.4 and above. Previous versions are also probably vulnerable, though the only exploit …

Posted in Exploits, PHP | 21 Comments

JavaScript keylogger in jQuery

I needed to capture someone's login credentials using cross-site scripting. However, I had three problems. Firstly, there was no XSS on the login page; secondly, the only XSS was reflected, meaning it only affected the current page; and thirdly …

Posted in Exploits, JavaScript | 1 Comment

PHP Remote File Inclusion command shell using data://

PHP 5.2 and above provides the data:// stream wrapper. The general idea behind a stream wrapper is that you write one that interfaces with another protocol or service, and you can still reference the data using your favourite file functions. Here we open …

Posted in PHP | 4 Comments

Hardening and securing PHP on Linux

Hardening PHP on Linux to increase security is a complex process involving a plethora of settings. A while back I developed a script to check for any security settings that were out of place. The idea is that …
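An audit of the kind the hardening post describes, written here in Python as an added example (it is not the author's script): it parses php.ini, compares the directives that matter most against expected values, checks that `disable_functions` covers the command-execution functions, and, tying in the data:// post above, scans access-log request lines for query parameters that carry a stream-wrapper URL, which is what an `include($_GET['page'])` attack looks like from the server side. The expected values, the list of functions, and both sample inputs are my own constructed choices; `allow_url_include=Off` is the one that stops include() from accepting data:// or http:// targets.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Directives a hardening pass should pin down (assumed baseline, adjust per site).
EXPECTED = {
    "allow_url_include": "Off",   # blocks include() of data://, http://, ...
    "allow_url_fopen": "Off",
    "expose_php": "Off",
    "display_errors": "Off",
    "register_globals": "Off",
    "enable_dl": "Off",
}
DISABLE_FUNCTIONS_MIN = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}
INI_BOOL = {"1": "On", "on": "On", "true": "On", "yes": "On",
            "0": "Off", "off": "Off", "false": "Off", "no": "Off", "none": "Off", "": "Off"}


def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections], lower-cases keys.
    Quoted values containing ';' are not handled; php.ini rarely uses them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    settings = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in settings:
            findings.append("%s is not set (compiled-in default applies), expected %s" % (key, want))
            continue
        have = INI_BOOL.get(settings[key].lower(), settings[key])
        if have != want:
            findings.append("%s is %s, expected %s" % (key, have, want))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DISABLE_FUNCTIONS_MIN - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings


WRAPPER_SCHEMES = ("data:", "http://", "https://", "ftp://", "php://", "expect://", "phar://")


def find_rfi_attempts(access_log_lines):
    """Flag (param, value) pairs whose value is a stream-wrapper URL, the
    signature of an include()-based remote/data file inclusion attempt."""
    hits = []
    for line in access_log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decodes once; catch double encoding
            if value.lower().startswith(WRAPPER_SCHEMES):
                hits.append((key, value))
    return hits


# Constructed samples, not taken from any real server.
WEAK_INI = """; constructed sample
[PHP]
allow_url_fopen = On
allow_url_include = On
expose_php = On
display_errors = On
disable_functions =
"""
HARDENED_INI = """[PHP]
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off
register_globals = Off
enable_dl = Off
disable_functions = "system,exec,shell_exec,passthru,popen,proc_open"
"""
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2012:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Jan/2012:10:00:01 +0000] "GET /index.php?page=data://text/plain;base64,'
    'PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg==&c=id HTTP/1.1" 200 512',
]
```

The base64 in the constructed log line is what a `data://` include of a one-line shell would look like in a request; the detector keys on the wrapper prefix, not on that specific payload, so it also catches `php://input`, `expect://` and plain `http://` inclusions.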

Posted in PHP | 14 Comments

Scanning the internal network using SimpleXML

XML is widely used throughout PHP applications for representing arbitrary data structures, as in SOAP and REST web services. It supports the use of external entities, allowing you to bring in information from external sources. This is useful …
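Both this post and the Symfony2 disclosure above come down to the same thing: a DTD in attacker-controlled XML declaring an external entity, pointed either at a local file (file:///etc/passwd) or at an internal host and port, so the parser does the reading or the connecting for you. The Python below is an added example, not code from either post: a pre-parse gate that refuses any document carrying a DOCTYPE, plus a helper that extracts and classifies the external entity targets so a log can say what the attacker was after. The regular expressions are a triage aid, not a parser; the hard rule is the DOCTYPE rejection. In PHP the equivalent mitigation is `libxml_disable_entity_loader(true)` and never passing `LIBXML_NOENT`. The three XML samples are constructed for the test.

```python
import ipaddress
import re
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.:-]+\s+(?:SYSTEM|PUBLIC\s+[\"'][^\"']*[\"'])\s+[\"']([^\"']*)[\"']",
    re.I,
)


def external_entity_targets(xml_text):
    """URIs referenced by SYSTEM/PUBLIC entity declarations in the document."""
    return EXTERNAL_ENTITY_RE.findall(xml_text)


def classify_target(uri):
    """Say what resolving this entity would do for the attacker."""
    parts = urlsplit(uri)
    if parts.scheme in ("", "file", "php"):
        return "local file read"
    host = parts.hostname or ""
    try:
        if ipaddress.ip_address(host).is_private or ipaddress.ip_address(host).is_loopback:
            return "internal network request"
    except ValueError:
        pass  # hostname rather than a literal address
    return "external request"


def safe_parse(xml_text):
    """Parse untrusted XML only if it carries no DTD at all. Legitimate API
    payloads have no business declaring entities, so rejecting every DOCTYPE
    is simpler and safer than trying to whitelist 'harmless' ones."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE not allowed in untrusted XML: "
                         + "; ".join(classify_target(u) + " (" + u + ")"
                                     for u in external_entity_targets(xml_text)))
    return ET.fromstring(xml_text)


# Constructed samples.
XXE_FILE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""
XXE_SCAN = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY % probe SYSTEM "http://10.0.0.1:22/"> %probe; ]>
<foo/>"""
CLEAN = '<order><item sku="A-1" qty="2"/></order>'
```

The parameter-entity form in `XXE_SCAN` is the one used for port scanning: whether the request times out, is refused, or returns something the parser chokes on leaks the state of the port, even when no entity content ever reaches the response.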

Posted in Web Services | 8 Comments