The popular course on Injection Flaws will return to Las Vegas at Black Hat 2013. The 2-day hands-on course covers injection flaws and ONLY injection flaws. We don't talk about XSS, CSRF, CRLF, etc. I think 2 days is not enough time to learn the whole of web application security, and thus I focus only on injection flaws.
I will be appearing on the famous podcast pauldotcom and giving a little insight into the course on April 25th at 7 PM ET.
A little write-up about this can be found here:
In short, the USPs of the course are:
Examples where SQLi goes undetected by commercial tools
Advanced XPath Injection (including XPath 2.0)
Advanced LDAP Injection
Advanced HQLI/ORM Injection
Advanced XXE Injection, including blind XXE
The course page can be found here.
See you in Vegas!
Update: here is the video from my podcast at pauldotcom:
Update: My interview at Dark Reading, which also gives an insight into the course, can be found here.
Recently, I was going through the following TrueCrypt page:
What is interesting to note is the recommendation to add a 'truecrypt' group in the sudo commands. As TrueCrypt needs to be run as root, I assume that people will be making this binary setuid root too.
To me this does not look very secure. Unlike an NFS share, which is by default mounted with root squashing enabled, TrueCrypt volumes have no such protection. Thus if a box has the truecrypt binary set as setuid, one just needs to transfer an encrypted volume (containing a setuid bash file) onto this box, mount the volume and execute that setuid binary. This should give him a root shell.
Thus it is important that truecrypt should not be run as setuid. This may already be known to some, but hey, I found it interesting.
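A small audit script for the point above, added here as an example (it is not from the original post or from the TrueCrypt project): it flags a setuid truecrypt binary and any mounted truecrypt volume whose mount options lack nosuid, which is what lets a setuid file inside a volume be honoured. The /proc/mounts lines and binary paths are constructed sample input.

```python
import os
import stat

# Constructed sample of /proc/mounts lines (not taken from a real system):
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/truecrypt1 /media/truecrypt1 ext3 rw,nosuid,nodev,relatime 0 0
/dev/mapper/truecrypt2 /media/truecrypt2 ext3 rw,relatime 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts-style text into (device, mountpoint, fstype, options) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, options = fields[:4]
        entries.append((device, mountpoint, fstype, set(options.split(","))))
    return entries


def mounts_without_nosuid(text, name_filter="truecrypt"):
    """Mountpoints whose device path matches name_filter and that lack nosuid,
    i.e. volumes on which a setuid file would actually run with elevated rights."""
    return [mp for dev, mp, _fs, opts in parse_mounts(text)
            if name_filter in dev and "nosuid" not in opts]


def mode_is_setuid(mode):
    """True when the setuid bit is set in a st_mode value."""
    return bool(mode & stat.S_ISUID)


def setuid_binaries(paths):
    """Subset of paths that exist and carry the setuid bit (missing paths are skipped)."""
    found = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue  # not installed at this location
        if mode_is_setuid(st.st_mode):
            found.append(p)
    return found


if __name__ == "__main__":
    for mp in mounts_without_nosuid(SAMPLE_MOUNTS):
        print("truecrypt volume mounted without nosuid:", mp)
    # Assumed install locations; adjust for the box being audited.
    for p in setuid_binaries(["/usr/bin/truecrypt", "/usr/local/bin/truecrypt"]):
        print("setuid truecrypt binary:", p)
```

On a live box, feed it the contents of /proc/mounts instead of SAMPLE_MOUNTS; any volume it lists should be remounted with nosuid, and any setuid binary it lists should have the bit cleared in favour of sudo.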
NotSoSecure became slightly more secure with the new WordPress update.
This update is highly recommended if your WordPress installation allows user registration.
It's amazing how many vulnerabilities have been identified in WordPress over the years, and I wonder how many are yet to come.
Original Advisory: http://www.portcullis-security.com/179.php
The file /www/people/editprofile.php appears to be vulnerable to SQL injection at multiple points.
The exploit is fairly easy: one POST request returns all the usernames and hashes from the backend database.
The hashes can then be cracked using John the Ripper.
POST request to: /www/people/editprofile.php
works against a PostgreSQL database.
Refer to the paper for exploiting SQL injection against a PostgreSQL database.
I have put together some thoughts on conducting a penetration test on a Windows Active Directory.
Currently this article focuses on these two scenarios:
1. A pentester is allowed to plug his laptop into the target network.
2. A pentester is not allowed to plug in his laptop and only has access to a standard workstation.
You can read it as a ".doc" file here and as a PDF here.
PS: I will do a better job of editing the Word document in the next version.