Category: Web Application Security

HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

Same-Origin Policy is a protection mechanism built into web browsers to prevent malicious web sites from interacting with web sites we visit. I’ve already written a full explanation of the mechanism here, but the TL;DR is that it allows web origins to make requests to other origins but prevents them from reading the response.

Sometimes, however, we may have a business need to allow two origins that we control to interact with each other. One method to allow communication is HTML5 postMessage, which I’ve talked about already; another is Cross Origin Resource Sharing (CORS), and I’ll talk about the security implications of CORS here!

Continue reading: HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

HTML5 PostMessage (also known as Web Messaging or Cross Domain Messaging) is a method of passing arbitrary data between domains. However, if not implemented correctly it can lead to sensitive information disclosure or cross-site scripting vulnerabilities, as it leaves origin validation up to the developer!

Continue reading: HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

Command Injection: The Good, the Bad and the Blind

Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as:

` (backtick), & or |

Continue reading: Command Injection: The Good, the Bad and the Blind

Burp Suite vs CSRF Tokens: Round Two

So recently I wrote about writing Burp extensions, and I taught this through writing an extension to deal with CSRF tokens that are embedded in each page: as you navigate the site or fuzz a function, you have to extract a token from each page to include it in the next request.

That’s not the only way to implement tokens though, and today I came across “the other way” during a penetration test, so I modified my original code and figured I’d share this version too!

Continue reading: Burp Suite vs CSRF Tokens: Round Two

Burp Suite vs CSRF Tokens Part 2: CSRFTEI for Remote Tokens

The following is a version of my CSRF Extractor Burp Extension that works for remote tokens; the original sequential tokens version is available here. The following code is explained here.

Continue reading: Burp Suite vs CSRF Tokens Part 2: CSRFTEI for Remote Tokens