Windows Server 2016 / Docker Privilege Escalation

After catching Microsoft's talk at DockerCon discussing the recent addition of Docker container support in Windows Server 2016, I wanted to play around with the technology with the aim of understanding how this could be leveraged during a security assessment. Before starting, I first had to configure Windows Server to support Docker containers. This was pretty painless using the following steps...

Kentico CMS (< 9.0.42) SQLi

Kentico CMS is a web content management system for building websites, e-commerce stores and numerous other web applications in ASP.NET. During a review of the CMS in a lab environment, I came across a SQL injection vulnerability which was interesting due to the complicated regex check which is used to try and prevent this kind of exploit. Kentico CMS supports the ability for users to query a website via a REST based API. Whilst varying levels of authorisation are used to restrict access, a num...

Offensive Forensics - Recovering Files

At the moment, I've been looking at post exploitation methods, whether that is gaining persistence, extracting hashes, or finding additional pivot points. One area that I'm quickly becoming interested in is applying basic forensics techniques to help recover data during an assessment. One framework that can help with this is PowerForensics. This framework comes with a number of interesting options, but the one which is useful for recovering deleted...

Github Desktop - DOM XSS

I’ve always enjoyed “unusual” vulnerabilities, either bugs that you never knew were exploitable, or just funny quirks which lead to a vulnerability. My recent finding within the Github Desktop for OSX ticked a few of those boxes, allowing me to trigger cross-site scripting in a desktop application. The vulnerability is present due to the use of the Chromium Embedded Framework, which is used by the comparison graph you see at the top of the windo...

Extracting SQL Server Hashes From master.mdf

During a number of engagements, I have found myself in a position in which I have held administrative access to a server running a local instance of Microsoft SQL Server, but had not held credentials to access the service. For seasoned penetration testers out there, you will know that there are multiple ways to gain access to a SQL Server once you have access to the local server, for example running SQLQuery as the SYSTEM user which often runs under the SysAdmin permission, or injecting into th...