Commix: Detecting and exploiting command injection flaws.

Command injection flaws occur in applications regardless of the operating system that hosts them or the programming language they are written in. The impact of a command injection attack ranges from loss of data confidentiality and integrity to unauthorized remote access to the system hosting the vulnerable application. A prime example of a real, infamous command injection vulnerability that clearly illustrates the threat posed by this class of code injection is the recently discovered Shellshock bug. Despite the prevalence and high impact of command injection attacks, the research community has paid little attention to this type of code injection. In particular, although many software tools exist to detect and exploit other types of code injection, such as SQL injection or Cross-Site Scripting, to the best of our knowledge there was no dedicated, specialized tool that automatically detects and exploits command injection flaws.

This paper attempts to fill this gap by proposing an open source tool, named commix (short for command injection exploiter), that automates the process of detecting and exploiting command injection flaws in web applications.

The tool supports a plethora of functionalities covering several exploitation scenarios. Moreover, Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection. Finally, during the evaluation of the tool we detected several 0-day vulnerabilities in web applications.

Download the presentation that was given at Blackhat Europe 2015.
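The detection idea behind the abstract above, shown as an added example that is not Commix's own code: a results-based probe appends a command that prints a random marker after each classic shell separator, and the target is judged injectable if the marker comes back in the response. The vulnerable and hardened handlers, the separator list, and the use of `echo` in place of a real lookup tool are all assumptions made so the example runs offline on a POSIX system.

```python
"""Added example (not Commix's own code): results-based command injection
probing against a simulated vulnerable handler, beside its hardened form."""
import re
import secrets
import subprocess

# Allow-list for a hostname parameter; anything else is rejected outright.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_lookup(host: str) -> str:
    """Assumed vulnerable handler: user input is concatenated into a shell
    command string. 'echo' stands in for the real lookup tool so that the
    example runs offline."""
    completed = subprocess.run(
        "echo lookup: " + host, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def hardened_lookup(host: str) -> str:
    """Hardened form: validate against an allow-list and pass the value as a
    discrete argv element, never through a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    completed = subprocess.run(
        ["echo", "lookup:", host], capture_output=True, text=True
    )
    return completed.stdout


# Separators a results-based probe tries. Entries containing "{cmd}" wrap the
# injected command (command substitution); the others simply chain it.
SEPARATORS = [";", "|", "&&", "||", "\n", "`{cmd}`", "$({cmd})"]


def build_payloads(base: str, marker: str):
    """Yield one payload per separator; each prints the marker if it executes."""
    cmd = "echo " + marker
    for sep in SEPARATORS:
        if "{cmd}" in sep:
            yield base + sep.format(cmd=cmd)
        else:
            yield base + sep + cmd


def probe(handler, base: str = "example.com"):
    """Return the first payload whose marker is reflected in the handler's
    output, or None if no separator worked (the handler looks safe)."""
    marker = secrets.token_hex(8)
    for payload in build_payloads(base, marker):
        try:
            out = handler(payload)
        except ValueError:
            # Input rejected by validation: this separator cannot reach a shell.
            continue
        if marker in out:
            return payload
    return None


if __name__ == "__main__":
    print("vulnerable handler:", probe(vulnerable_lookup))
    print("hardened handler:", probe(hardened_lookup))
```

A random marker matters: probing with a fixed string such as `uname` output or `id` would be fooled by pages that already contain that text, whereas a fresh hex token only appears if the injected `echo` actually ran. The hardened handler defeats every payload for two independent reasons: the allow-list rejects separator characters, and even an accepted value is passed as its own argv element, so no shell ever parses it.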

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

XSS attacks have become very common nowadays, largely due to badly written PHP web applications. In order to give users rudimentary protection against XSS attacks, most web browser vendors have developed built-in protection mechanisms called XSS filters. In this paper, we analyze two attacks that take advantage of poorly written PHP code to bypass the XSS filter of the WebKit engine, named XSS Auditor, and perform XSS attacks. In particular, the first attack is called PHP Array Injection, while the second attack is a variant of the first and is named PHP Array-like Injection. Both attacks take advantage of improper handling of variables and arrays in PHP code to bypass the XSS Auditor. We elaborate on these attacks by presenting concrete examples of poorly written PHP code and constructing attack vectors that bypass the XSS Auditor. To defend against the identified attacks, we provide code-writing rules for developers, so that they can build secure web applications. Additionally, we have managed to patch the XSS Auditor so that it detects the identified XSS attacks. (Download the paper)

Jaidam: Automating WordPress and Joomla Vulnerability Scanning

The goal of this research was to create and introduce an open-source security tool called Jaidam that takes as input a list of domain names, scans them, determines whether the WordPress or Joomla platform is used and finally checks them automatically for web vulnerabilities using two well-known open source tools: WPScan (for WordPress) and Joomscan (for Joomla).
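The pipeline described above, as an added example that is not Jaidam's own code: fingerprint each fetched front page as WordPress or Joomla from a few body markers, then build the argv for the external scanner. The marker strings, the `wpscan --url` and `joomscan -u` invocations, and the sample HTML responses are assumptions made for this illustration; fetching the pages over HTTP is out of scope and replaced by a constructed dictionary.

```python
"""Added example (not Jaidam's own code): platform fingerprinting and
scanner dispatch for a list of domains."""
import re

# Assumed markers; real fingerprinting would consult more signals.
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", 'content="wordpress')
JOOMLA_MARKERS = ("/media/jui/", "/components/com_", 'content="joomla!')

# Domains come from an untrusted input list, so validate them before they
# reach any external tool.
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def detect_platform(html: str):
    """Return 'wordpress', 'joomla' or None based on body markers."""
    body = html.lower()
    if any(marker in body for marker in WORDPRESS_MARKERS):
        return "wordpress"
    if any(marker in body for marker in JOOMLA_MARKERS):
        return "joomla"
    return None


def scanner_command(domain: str, platform: str):
    """Build the argv for WPScan or OWASP JoomScan (assumed flags).

    The command is an argv list, not a shell string, so a hostile entry in
    the domain list cannot inject into the scanner invocation."""
    if not DOMAIN_RE.fullmatch(domain.lower()):
        raise ValueError("invalid domain: %r" % domain)
    url = "https://" + domain.lower()
    if platform == "wordpress":
        return ["wpscan", "--url", url]
    if platform == "joomla":
        return ["joomscan", "-u", url]
    return None


def plan(pages):
    """pages maps domain -> fetched front-page HTML; returns domain -> argv
    (or None when neither platform was recognised)."""
    result = {}
    for domain, html in pages.items():
        platform = detect_platform(html)
        result[domain] = scanner_command(domain, platform) if platform else None
    return result


# Constructed sample responses standing in for real HTTP fetches.
SAMPLE_PAGES = {
    "wp.example": '<link rel="stylesheet" href="/wp-content/themes/x/style.css">',
    "joomla.example": '<meta name="generator" content="Joomla! - Open Source Content Management">',
    "static.example": "<html><body>Hello</body></html>",
}

if __name__ == "__main__":
    for domain, argv in plan(SAMPLE_PAGES).items():
        print(domain, "->", " ".join(argv) if argv else "no scanner")
```

Keeping detection and dispatch separate makes the tool easy to extend (a third CMS is one more marker tuple and one more argv branch), and validating each domain before building the command is the check a practitioner wants when the input list comes from a file they did not write.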


XSSAuditor bypass via “location.search”

As mentioned in a previous post, one of the most widely used objects in JavaScript is the Location object, which is used to determine the current URL.

In this example, we focus on the search property of the location object, which sets or returns the query string part of a URL.
