https://soffensive.github.io/categories/web-application-security/Recent content in Web Application Security on soffensive blogHugoenSat, 18 May 2019 05:35:00 -0700https://soffensive.github.io/posts/web-app-sec/2019-05-18-xxe-with-net-in-2019/Sat, 18 May 2019 05:35:00 -0700https://soffensive.github.io/posts/web-app-sec/2019-05-18-xxe-with-net-in-2019/<p>After the seminal blog post by <a href="https://www.jardinesoftware.net/2016/05/26/xxe-and-net/" target="_blank" rel="noopener noreffer ">James Jardine</a> in 2016 on XXE exploitation in .NET applications back in 2016, Microsoft seems to have implemented some additional changes regarding the default behavior of XML parsers.</p> <p>We work through the different XML methods provided and their corresponding vulnerable configurations. For all experiments, .NET framework 4.6 was chosen.</p> <div class="details admonition tip open"> <div class="details-summary admonition-title"> <i class="icon fas fa-lightbulb fa-fw" aria-hidden="true"></i>TL;DR<i class="details-icon fas fa-angle-right fa-fw" aria-hidden="true"></i> </div> <div class="details-content"> <div class="admonition-content"><p>In order to create an XXE vulnerability for applications using .NET framework 4.6+, you have to instantiate a vulnerable <code>XmlResolver</code> beforehand.</p>https://soffensive.github.io/posts/web-app-sec/2018-06-19-exploiting-blind-file-reads-path-traversal-vulnerabilities-on-microsoft-windows-operating-systems/Tue, 19 Jun 2018 01:31:00 -0700https://soffensive.github.io/posts/web-app-sec/2018-06-19-exploiting-blind-file-reads-path-traversal-vulnerabilities-on-microsoft-windows-operating-systems/<p>In a recent engagement I was confronted with a blind path traversal vulnerability on a server running with the Microsoft Windows operating system. That is, it was not possible to display folder contents but the complete file name and path had to be guessed. Due to the lack of a comprehensive website I was forced to gather information from various different sources.</p> <p>In this blog post, I want to summarize my findings and focus on the exploitation of  this kind of vulnerability.</p>https://soffensive.github.io/posts/web-app-sec/2018-04-23-exploiting-misconfigured-cors-null-origin/Mon, 23 Apr 2018 08:04:00 -0700https://soffensive.github.io/posts/web-app-sec/2018-04-23-exploiting-misconfigured-cors-null-origin/<p>Almost two years ago, in October 2016, James Kettle published an excellent <a href="http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html" target="_blank" rel="noopener noreffer ">blog post</a> about the various types of Cross-Origin Resource Sharing (CORS) misconfigurations and how they can be exploited.</p> <p>Recently, I encountered a web application that allowed for two-way interaction with the so-called null origin. More precisely, when sending an HTTP request specifying the header:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="err">Origin: null </span></span></span></code></pre></td></tr></table> </div> </div><p>the server would respond with the following two HTTP headers:</p>https://soffensive.github.io/posts/web-app-sec/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss/Wed, 05 Apr 2017 04:03:00 -0700https://soffensive.github.io/posts/web-app-sec/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss/<p>Several times I have encountered web applications that convert user-provided input to capital letters. For example, the application may behave as follows:</p> <p><a href="../images/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" rel=""><img class="lazyload" src="https://soffensive.github.io/svg/loading.min.svg" data-src="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" data-srcset="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png, ../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png 1.5x, ../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png 2x" data-sizes="auto" alt="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" title="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" /></a></p> <p>The injected JavaScript code (after escaping from the quotes, of course) will not be executed in the browser. Why is this the case? Remember that the HTML tag names themselves, including <code>&lt;SCRIPT&gt;</code> are not case-sensitive, whereas the contents inside them are in fact case-sensitive.</p>