When you are doing a penetration test, there are certain tasks that you have to repeat over and over in every single test you do. One of these tasks for a web application penetration test is checking the headers that the web server sends back to the user. These headers may contain interesting information that helps […]
Category: researchblog
Easily Remove Unwanted HTTP Headers in IIS 7.0 to 8.5
The StripHeaders module is a Native-Code module for IIS 7.0 and above, designed to easily remove unnecessary response headers and prevent information leakage of software and version information, which can be useful to an attacker. See the installation section for information regarding deploying StripHeaders within your organisation. See the configuration section for information regarding removing […]
Reproducing an Umbraco Remote Code Execution Vulnerability
During a recent penetration test I came across a website running Umbraco CMS (https://umbraco.com/). Umbraco is an open source content management system for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based
Verifying PCI DSS Scope: Hunting for Credit Card Numbers
PCI DSS requires that the scope of assessment be checked to make sure it is accurate. This check must also be carried out every year. Even if the documented scope means that no cardholder data is stored, there may still be some cardholder details that have been inadvertently left in documents. These credit […]
Physical Intrusion Social Engineering
Social engineering is a service that my team and I get involved in on a fairly frequent basis. While for the most part this involves remotely trying to convince targets to click on links in emails, browse to fake login pages, download carefully constructed files which lead to
PowerShell in Forensic Investigations
This is meant to be a short post about PowerShell as an aid in forensic investigations. We will not dive into what a proper forensic investigation looks like; we will just assume that somehow we have access to the compromised machine (a Windows Server 2012 R2 VM was used for our tests) or a copy of it
Cross-Site Scripting through Flash Objects
Despite waning support for ActionScript on mobile platforms, the inclusion of ActionScript animations in web applications is common. Typically these animations are in the form of embedded SWF files, either through directly serving this content, or through an intermediate application which loads the SWF files from a protected area of the web server. The following […]
Blind SQL injection through an Excel spreadsheet
In a recent penetration test that I carried out, I faced an unusual form of SQL injection that fortunately (for me!) let me gain access to sensitive data in the backend database. I would like to share how I found this and exploited it with you. After doing the typical information gathering phase of the […]
Dealing with “Service Accounts”
Most systems administrators will be familiar with the concept of a “service account” in a Microsoft Windows network infrastructure. What many do not realise is that this concept is a purely human one. Neither Active Directory, nor any individual
Common Internal Vulnerabilities
There is a perception by many organisations that their internal network is a relatively safe haven from attackers. The thought is that well configured firewall rules and regular external penetration testing of internet connections provide adequate