UPDATE 02/2015 : see there for the procedure on Fedora 21 As I started to use Fedora 20 at work – by the way, a solid distro with all security features enabled, I had the bad surprise to get similar issues to those on OS X. Again, we will have to face the joy of dependencies! Fedora…
Continue Reading
JSONP vs JSON I had an opportunity to experiment exploiting JSONP in real life. Honestly, I had never heard of it before. JSON is a well known method to serialize data, but what is JSONP? Actually, it is nothing new, but rather a specific use of JSON. In AJAX websites, XMLHttpRequest is used in client-side Javascript…
Continue Reading
I had a chance to audit this device during a Wi-Fi pentest. Cisco Prime Network Control System is a Wi-Fi controller that allows to manage multiple access points and centralize their configuration: Wi-Fi settings, access control, security, etc. I was surprised how easy it was to compromise this equipment, thanks to default credentials. Of course,…
Continue Reading
Nice stuff from @mubix: the technic consists in injecting a DLL to lsass.exe, using the password filter feature of Windows. The password filter architecture is useful to check that a password is compliant with the system security policy. It will typically check that when a user changes his password, it follows the required complexity. Microsoft…
Continue Reading
Several ways may be used to protect a file upload functionality on a website. A first method is content-type checking, which can be easily bypassed with a intercepting proxy (tampering the MIME type). The screenshot below shows an intercepted request where the attacker modifies the content-type (beforehand text/php) and then forwards the content to the…
Continue Reading
Mainframes are not dead, why not pentesting it? I just watched the presentation of Phil Young at Shmoocon 2013: “Mainframed: the secrets inside that black box“. I truly loved it. I thought mainframes where disappearing, but I was surprised to see that it still alive. I was even more surprised to find out that they…
Continue Reading