Channel: web – Silent Signal Techblog
Browsing all 17 articles

Plesk panel decryption

After I read the description of the Plesk vulnerability CVE-2012-1557 I decided to investigate the application a bit deeper. You can download a fully installed VMware image from the internet so you can...

WAF bypass made easy

In this post I will share my testing experiences about a web application protected by a web application firewall (WAF). The investigation of the parameters of web interfaces revealed that I can perform...

Compressed file upload and command execution

In this post I would like to share some experiences of a web application hacking project. After I got access to the admin section of the web application I realized that there is a file upload function...

Testing websites using ASP.NET Forms Authentication with Burp Suite

Testing a website is usually considered just another day at work, Burp Suite is usually the tool of our choice for automating some of the scans that apply in this field. Assessing the authenticated...

Sanitizing input with regex considered harmful

Sanitizing input (as in trying to remove a subset of user input so that the remaining parts become “safe”) is hard to get right in itself. However, many developers doom their protection in the first...

Testing Oracle Forms

SANS Institute accepted my GWAPT Gold Paper about testing Oracle Forms applications, the paper is now published in the Reading Room. Forms is a typical example of proprietary technology that back in...

Finding the salt with SQL inception

Introduction Web application penetration testing is a well researched area with proven tools and methodologies. Still, new techniques and interesting scenarios come up all the time that create new...

You’re not looking at the big picture

When serving image assets, many web developers find it useful to have a feature that scales the image to a size specified in a URL parameter. After all, bandwidth is expensive, latency is killing the...

Detecting ImageTragick with Burp Suite Pro

After ImageTragick (CVE-2016-3714) was published, we immediately started thinking about detecting it with Burp, which we usually use for web application testing. Although collaborator would be a...

Beyond detection: exploiting blind SQL injections with Burp Collaborator

It’s been a steady trend that most of our pentest projects revolve around web applications and/or involve database backends. The former part is usually made much easier by Burp Suite, which has a...

Snow cannon vs. unique snowflakes — testing registration forms

Many of the web application tests we conducted had a registration form in the scope. In such cases, there’s usually a field that needs to be unique for each invocation, sometimes called username, in...

The curious case of encrypted URL parameters

As intra-app URLs used in web applications are generated and parsed by the same code base, there’s no external force pushing developers towards using a human-readable form of serialization. Sure, it’s...

Unix-style approach to web application testing

SANS Institute accepted my GWAPT Gold Paper about Unix-style approach to web application testing, the paper is now published in the Reading Room. The paper introduces several problems I’ve been facing...

Uninitialized Memory Disclosures in Web Applications

While we at Silent Signal are strong believers in human creativity when it comes to finding new, or unusual vulnerabilities, we’re also constantly looking for ways to transform our experience into...

Tips and scripts for reconnaissance and scanning

Renewal paper of my GIAC Web Application Penetration Tester certification: Tips and scripts for reconnaissance and scanning

Our new tool for enumerating hidden Log4Shell-affected hosts

Log4Shell, formally known as CVE-2021-44228, seems to be the next big vulnerability that affects a huge number of systems, and the affected component, Log4j, gets involved in logging untrusted data by...

Our new scanner for Text4Shell

Some say, CVE-2022-42889 is the new Log4Shell, for which we developed our own tool to enumerate affected hosts back in 2021. Others like Rapid7 argue that it may not be as easy to exploit like...
