A security audit discovered several vulnerabilities in Ubiquiti Unifi Controller version 3.1.4, including:
1) The use of java.util.Random to generate secret tokens could allow an attacker to predict tokens like password reset tokens and compromise admin accounts with a brute force attack.
2) The application is vulnerable to cross-site request forgery attacks which could allow an attacker to modify system settings or force password changes.
3) Changing passwords does not require supplying the old password, allowing passwords to be easily compromised through session hijacking or CSRF attacks.
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act... (DevDay.org)
Security testing of any system is about finding all possible ambiguities and flaws in the system that might result in loss of information at the hands of employees or outsiders of the organization. This seminar will give you knowledge of security testing and related topics, with simple and useful examples to help you approach it easily.
XSS and SQL injection are the top two injection attacks currently threatening web applications.
Cross-site scripting (XSS) is a code injection attack that allows a malicious user to execute malicious JavaScript in another user's browser. A successful XSS attack compromises the security of both the web application and its users.
SQL injection is a technique where a malicious user can inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application.
Recently, sophisticated targeted attacks (APT) using drive-by downloads have become increasingly common. Existing automated analysis systems are generally unable to analyze the malware used in APT attacks, so malware researchers are forced to analyze it manually. The speaker will present a new real-time automated memory analysis system (Malware Analyst). Instead of generating a memory dump via LibVMI, the system accesses memory directly to speed up diagnosis, and it clearly recognizes suspicious malware behavior.
A description of Cross-site request forgery (CSRF) attacks and defenses, with a focus on the commonly used libraries and functions used for CSRF defense. This presentation goes into each of them and shows its strengths, weaknesses, and shortcomings.
Injecting Security into Web Applications at Runtime (Positive Hack Days)
This paper presents the results of research into implementing a runtime bug-fixing algorithm inside an application. The research was conducted on an application with unprotected code, with the goal of protecting it against code injection and other web application vulnerabilities. The paper also introduces a next-generation web application protection technology called Runtime Application Self-Protection (RASP), which defends against web attacks by operating inside the web application itself. RASP is based on runtime patching that "injects" security into web applications implicitly, without further changes to the code. The talk concludes with the main problems encountered in implementing this new technology and an overview of the prospects for runtime protection.
With the right skills, tools and software, you can protect yourself and remain secure. This session will take attendees from no knowledge of open source web security tools to a deep understanding of how to use them and their growing set of capabilities.
It's the PPT of the presentation at the Null Hyd June 2014 meet.
I tried to make it as simple as I can :)
Share if you like and please let me know your suggestions :)
Attack Chaining: Advanced Maneuvers for Hack Fu (Rob Ragan)
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
OSCP Exam Preparation Documents.
In this document, we download a vulnerable machine VM image, start analysis on the machine and get root privileges.
Beyond OWASP Top 10 - TASK October 2017 (Aaron Hnatiw)
The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015 (Victoria Livschitz)
Introduction to Tonomi, an autonomic application management platform for cloud applications, delivered as a keynote at Gluecon 2015, Broomfield, Colorado on May 20, 2015.
Capistrano is an open source tool for running scripts on multiple servers. Capifony - set of instructions called “recipes” for Symfony applications deployment.
Built to make your job a lot easier.
This presentation is linked to a workshop presented at the HEA Enhancement event ‘Successful students: enhancing employability through enterprise education’. The blog post that accompanies this presentation can be accessed via http://bit.ly/1JIE3wh
Enhancing employability through enterprise education: BSc Business Enterprise... (HEA_AH)
A penetration testing report submitted during an internship at ICT Academy, IIT Kanpur. This report contains the basic flow of how to perform penetration testing, from reconnaissance to finding vulnerabilities. It should be helpful for security researchers who are looking to write a penetration testing report for their project.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
ENPM808 Independent Study Final Report - amaster 2019 (Alexander Master)
Research involving commonly exploited web application functionality, with analysis of the threats at the application, network, and protocol levels. Provides demonstrations of the exploits, as well as proposed detection techniques using open source tools.
logout.php Session Data after Logout Username Email . $_.docx (smile790243)

```php
<?php
// logout.php: prints the session values that remain after logout. The HTML
// markup was lost in extraction and is restored minimally here; session_start()
// is required for $_SESSION to be populated at all.
session_start();
echo "<h2>Session Data after Logout</h2>";
echo "<table><tr><th>Username</th><th>Email</th></tr>" .
     "<tr><td>" . $_SESSION['appusername'] . "</td>" .
     "<td>" . $_SESSION['appemail'] . "</td></tr></table>";
?>
```
ZAP Scanning Report for loginAuthReport.odt
ZAP Scanning Report

Summary of Alerts

Risk Level      Number of Alerts
High            2
Medium          1
Low             5
Informational   3

Alert Detail

High (Warning): Cross Site Scripting (Reflected)
Description
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.
URL: http://localhost/week4/authcheck.php
Parameter: username
Attack: </td><script>alert(1);</script><td>
Solution: Phase ...
Cross-Site Request Forgery (CSRF for short) is a kind of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using the active session of one of its authorized users.
In simple words, it's when an "evil" website posts a new status to your Twitter account during your visit, while your login session on Twitter is still active.
For security reasons, the same-origin policy in browsers restricts browser-side programming languages such as JavaScript from accessing remote content.
Since browser configurations may be modified, the best way to protect a web application against CSRF is to secure the web application itself.
Security bugs discovered in Ubiquiti Unifi Controller
Affected Component: Testing was performed on v3.1.4 (Linux). Stable versions and other platforms may be affected as well.
Credits: Luca Carettoni
#1 Insecure Java Random() to generate secret tokens - HIGH RISK
java.util.Random is used across the entire codebase to generate secret tokens, such as session cookies, AP auth keys and reset tokens. This class is not suitable for generating strong random strings. Under some circumstances, it seems practical to predict the password reset token and compromise the admin account, which would lead to full compromise of the entire platform.
In the Java version shipped with the Unifi controller, Random() depends on the time in nanoseconds and a static seed:

```java
// java.util.Random, as shipped with the controller: the default seed is a
// static uniquifier plus the nanosecond clock, not a cryptographic source.
public Random() { this(++seedUniquifier + System.nanoTime()); }
private static volatile long seedUniquifier = 8682522807148012L;
```

Considering that a single instance of Random() is used across the Unifi Controller and multiple methods invoke nextInt() (thus modifying the seed state), exploiting this issue is not trivial.
In order to predict a token and compromise the application, an attacker would require:
• Admin email
• Time in nanoseconds of com.ubnt.ace.E class loading
• Exact sequence of previous usage (e.g. how many reset tokens have been generated)
A realistic attack can occur just after a reboot of the controller, as the application would be in a "clean" state. By invoking the recover password request and inspecting the HTTP response Date header, an attacker could predict with good approximation the time of the server. Having that information, it is feasible to brute-force the actual Random seed used by the remote server, using the following pseudocode:
As the controller code does not limit the number of verify token requests, it is possible to validate the generated tokens. According to my preliminary testing, the attack is possible although it would require several hours to succeed.
Random() must be replaced with SecureRandom().
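The recommended fix, as an added example that is not Ubiquiti's code: the same reset-token generator written once on java.util.Random and once on SecureRandom, plus a small check showing the root cause (a Random instance's whole output follows from its seed). Class and method names are assumptions made for this illustration, and Java 8 or later is assumed for java.util.Base64.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

// Added example, not Unifi Controller code. Names are hypothetical.
public class TokenGenerators {
    static final int TOKEN_BYTES = 32;

    // INSECURE: java.util.Random is a 48-bit linear congruential generator whose
    // entire output stream follows from its seed; the default seed is only a
    // static uniquifier plus System.nanoTime(), as quoted in the advisory.
    static final Random INSECURE_RNG = new Random();

    // SECURE: SecureRandom is backed by the platform CSPRNG; neither past nor
    // future outputs can be recovered from an observed token or a guessed clock.
    static final SecureRandom SECURE_RNG = new SecureRandom();

    static String encode(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The pattern the advisory reports: a reset token drawn from java.util.Random.
    static String insecureResetToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        INSECURE_RNG.nextBytes(raw);
        return encode(raw);
    }

    // The pattern the advisory asks for: the same token drawn from SecureRandom.
    static String secureResetToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        SECURE_RNG.nextBytes(raw);
        return encode(raw);
    }

    // Root cause made visible: two Random instances sharing a seed emit identical
    // "secret" tokens, so the secret is exactly as hard to guess as the seed.
    static boolean sameSeedGivesSameToken(long seed) {
        byte[] a = new byte[TOKEN_BYTES];
        byte[] b = new byte[TOKEN_BYTES];
        new Random(seed).nextBytes(a);
        new Random(seed).nextBytes(b);
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) {
        // Constructed seed value, used only for this demonstration.
        long demoSeed = 8682522807148012L + 42L;
        System.out.println("seed reuse reproduces token: " + sameSeedGivesSameToken(demoSeed));
        System.out.println("java.util.Random token: " + insecureResetToken());
        System.out.println("SecureRandom token:     " + secureResetToken());
    }
}
```

The one-line change from `new Random()` to `new SecureRandom()` is the whole fix; the rest of the token code (byte length, encoding) can stay as it is. Sharing a single SecureRandom instance across threads is safe, so the application's existing single-instance pattern can be kept.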
#2 System-wide Cross Site Request Forgery - HIGH RISK
Unifi Controller does not protect the application against Cross-Site Request Forgery (CSRF) attacks. Please refer to http://en.wikipedia.org/wiki/Cross-site_request_forgery.
For instance, it would be possible to override arbitrary options within system.properties, which could eventually lead to full compromise (e.g. by appending malicious MongoDB parameters).
The following is an example of a malicious HTML page that would create the key "CSRF = CSRF".
Another malicious abuse consists of forcing a password change using an attacker-controlled value. See bug #3.
The application must use random anti-CSRF tokens to prevent these attacks. This is standard practice in modern web applications.
#3 Change password does not require old password - MEDIUM RISK
As mentioned in #2, Unifi Controller does not require the old admin password while changing credentials. This is an insecure design that can be easily abused by malicious users. Any session hijacking vulnerability or CSRF could result in full compromise.
#4 Frameable response (ClickJacking) - MEDIUM RISK
It might be possible for a web page controlled by an attacker to load the content of the Unifi web controller within an iframe on the attacker's page. This may enable a "clickjacking" attack (https://www.owasp.org/index.php/Clickjacking), in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
#5 Credentials are saved in plain-text within MongoDB - MEDIUM RISK
Administration credentials are stored in plain-text (within ace, db.admin.find()) and displayed in clear-text within the Unifi Controller web interface. From the security standpoint, this is a bad practice; many types of vulnerability, such as weaknesses in session handling, broken access controls, and cross-site scripting, would enable an attacker to leverage this behavior to retrieve the passwords of other application users.
Considering that the same credential is used for SSH on all APs, this departure from best practice allows an attacker to compromise the entire platform.
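An added example, not Unifi Controller code, that addresses findings #3 and #5 together: an admin credential store that keeps only a salted PBKDF2 hash (so there is no clear-text password to retrieve from the database or display in the UI) and that refuses a password change unless the caller proves knowledge of the current password. The in-memory map stands in for the MongoDB admin collection; the class and method names are hypothetical, and `PBKDF2WithHmacSHA256` assumes Java 8 or later.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not Unifi Controller code. Names are hypothetical.
public class AdminCredentials {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    // Stored record: salt and derived hash only; the password itself is never kept.
    static final class Record {
        final byte[] salt;
        final byte[] hash;
        Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Stand-in for the "admin" collection; a real store would persist these fields.
    private final Map<String, Record> store = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    // Creates or replaces a record with a fresh random salt.
    public void setPassword(String user, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        store.put(user, new Record(salt, pbkdf2(password, salt)));
    }

    public boolean verify(String user, char[] password) {
        Record r = store.get(user);
        if (r == null) return false;
        // Constant-time comparison of the derived key against the stored hash.
        return MessageDigest.isEqual(r.hash, pbkdf2(password, r.salt));
    }

    // Finding #3: the change succeeds only when the current password is supplied
    // and correct, so a hijacked session or forged request alone cannot rotate it.
    public boolean changePassword(String user, char[] oldPassword, char[] newPassword) {
        if (!verify(user, oldPassword)) return false;
        setPassword(user, newPassword);
        return true;
    }

    public static void main(String[] args) {
        AdminCredentials creds = new AdminCredentials();
        creds.setPassword("admin", "initial-secret".toCharArray());
        System.out.println("wrong old password accepted: "
            + creds.changePassword("admin", "guess".toCharArray(), "rotated".toCharArray()));
        System.out.println("correct old password accepted: "
            + creds.changePassword("admin", "initial-secret".toCharArray(), "rotated".toCharArray()));
        System.out.println("new password verifies: " + creds.verify("admin", "rotated".toCharArray()));
    }
}
```

Because the stored value is a one-way hash, the web interface can no longer display the admin password, and a read of the database yields nothing directly reusable against the APs' SSH accounts. The password-reset flow (finding #1) would call `setPassword` after validating a SecureRandom-generated token, while the authenticated change form must go through `changePassword`.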
#6 Multiple Cross-Site Scripting vulnerabilities (Stored and Reflected) in /api/, abusing Internet Explorer content sniffing - LOW RISK
Multiple /api/ endpoints allow an attacker to inject arbitrary HTML tags, as illustrated in the example below:
• /api/s/default/get/setting
• /api/s/default/set/setting/connectivity
• /api/s/default/set/setting/country
• /api/s/default/set/setting/guest_access
• /api/s/default/set/setting/mgmt
• /api/s/default/set/setting/rsyslogd
• /api/s/default/set/setting/snmp
• /api/s/test/set/setting/guest_access
The user-supplied <a> tag is included within the response body; this behavior demonstrates that it is possible to inject new HTML tags into the returned document.
This behavior can be abused by an attacker to perform Cross-Site Scripting against Internet Explorer users. JSON responses use the content-type application/json; the problem is that the default MIME type list of Internet Explorer does not include that MIME type, so it is possible to force the browser to sniff the content and display the page as HTML.
For all technical details, please refer to http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html, where the author covers a possible technique in great detail.
To prevent Content-Type sniffing in Internet Explorer and mitigate this attack, the application must include the following HTTP header in all HTTP responses:
X-Content-Type-Options: nosniff
Please refer to http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
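An added example, not Unifi Controller code, that sets both response headers the advisory recommends, covering findings #4 and #6 in one place: a servlet filter that stamps X-Frame-Options and X-Content-Type-Options: nosniff onto every response before the handler runs. The javax.servlet API and the class name are assumptions made here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example, not Unifi Controller code: defensive response headers.
public class SecurityHeadersFilter implements Filter {
    // Finding #4: DENY forbids framing by any page. Switch to "SAMEORIGIN" only
    // if the controller legitimately frames its own pages.
    static final String FRAME_POLICY = "DENY";

    // Finding #6: nosniff stops Internet Explorer from treating an
    // application/json body (or any other declared type) as HTML.
    static final String CONTENT_TYPE_POLICY = "nosniff";

    static void apply(HttpServletResponse response) {
        response.setHeader("X-Frame-Options", FRAME_POLICY);
        response.setHeader("X-Content-Type-Options", CONTENT_TYPE_POLICY);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Set the headers before the chain runs so they are present even when a
        // handler commits the response early (headers cannot be added afterwards).
        apply((HttpServletResponse) res);
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter to `/*` in web.xml so that the /api/ JSON endpoints receive the nosniff header as well as the HTML pages; a quick check is to request any endpoint and confirm both headers appear in the response. These headers do not remove the underlying injection in the /api/ setters, so the JSON output should still escape or reject user-supplied markup; the headers only close the browser-side sniffing and framing paths the advisory describes.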