Using a complex and unique password for each login is obviously important; however, this can make remembering all of your passwords very difficult and often leads to a compromise on password quality, as well as repeated use of the same password. Using passwords that are uncommon but easily memorable also has the potential […]
Category: researchblog
CKEditor Drupal Module Cross Site Scripting
While doing a regular web application penetration test for one of our clients, I found a reflected cross site scripting vulnerability in a very popular application, CKEditor, and more precisely in the module that this application has for Drupal. It was sort of curious, because the vulnerable page was actually the one in charge of checking […]
Brother MFC-J4410DW Printer Administration XSS
The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the “url” querystring parameter. This allows a user’s session to be hijacked or allows an attacker to take control of the user’s browser. For cross-site scripting to be exploited by an attacker, a victim needs to visit […]
Review of purposefully vulnerable applications to practice hacking
This post will be on the topic of exploitable testing platforms for learning how to conduct a penetration test. I will take you through a few programs I have used and give a bit of information about each and explain how they will help you increase your penetration testing skills. Before you get started There […]
Experience as a Dionach Intern: How I Was Taught
Four months ago I knew very little when it came to hacking – I had tried to look into it a little before, but had fallen into the traps of just reading about topics and not using the knowledge I had gained, or just knowing the basics about certain vulnerabilities and not properly understanding them. […]
Tips on creating and remembering a strong password
If there’s one thing that I’ve learned from penetration testing, it’s that passwords need to be secure. According to recent research some of the most common passwords include ‘123456’, ‘qwerty’ and even ‘password’. These are very weak and should be avoided at all costs. However, complicated passwords can be hard to remember. If you continue reading I’ll […]
Disabling McAfee On-Access Scanning
In a recent internal penetration test I came across a situation where, although I was local administrator on a Windows server, I could not run Windows Credentials Editor (WCE) because it was detected as a malicious threat in the McAfee on-access scan, as you can see below: The first thought was to disable […]
Phishing – Defence by Attack
Arguably one of the biggest threats that businesses face today is phishing. With a greater understanding of external security, the criminal element is relying on phishing attacks as a method of compromising organisations and bypassing traditional defences. Additionally, phishing attacks are a common way of distributing malware such as ransomware. With off the shelf phishing […]
ISO 27001:2013 Documentation Requirements
At Dionach we often get asked what documentation is required for ISO 27001. Beyond the obvious information security policy, there are quite a few policies and procedures that are required in various sections of the standard. For the most part we find that some requirements are met as part of existing company policies and procedures, […]
CryptoWall – A Case Study And Some Thoughts
I recently performed some forensics on a workstation for a client that had been infected with ransomware, which had resulted in a large number of their files being encrypted. This blog post discusses how the compromise took place, and also some thoughts about methods to prevent future compromises. Infection Vector A user’s workstation was infected with […]