Java giving more shells on everything

Back in 2018 I blogged about how Java gives a shell for everything, and also how to compile in memory as an AV evasion technique. Some of these techniques have since been added to GTFOBins, and heroes even integrated them into Metasploit. In this post I go through the most recent JDK/JRE and look…

Grabbing NTLM hashes with Responder then what?

Local networks have lots of things on them that we as penetration testers can exploit. In a Windows environment there are often protocols (LLMNR and NBT-NS) which are easily exploitable. Effectively you are running a man-in-the-middle attack and using that to intercept traffic being sent by users in order to capture…

XSS via HTML5 Events All over again

Back in 2018 I wrote a post about finding and exploiting XSS using the new(ish) event handlers in HTML 5. Those techniques paid out recently and I thought I'd write up the situation. Using the lists provided in the earlier post I discovered the application allowed an "SVG" tag. Within that tag it allowed the…

Solving a pentester’s pesky proxy problem

I usually test web applications using Firefox because it uses its own proxy settings and is easy to configure with Burp. Chrome is then something that is used for googling answers, shitposting on Twitter etc. to ensure that such traffic is not logged by Burp. This should sound familiar to most pentesters. This process falls…

Letsencrypt certificates for your python HTTP servers

Back in 2016 I blogged about how to do simple HTTP or HTTPS servers with Python. You need to use these if you want to temporarily host files, and to investigate SSRF issues properly. There my skills sat until recently, when the user agent making the SSRF request was actually verifying the certificate. How rude!…

Pentesting Electron Applications

I recently came across my first Electron application as a target. As usual, I try to take notes as I go, and here they are so that I am ready for the next time. When I am targeting an "app" (various thick client or mobile application targets) I always want to: Decompile it…

Verifying Insecure SSL/TLS protocols are enabled

If a vulnerability scanner tells you that a website supports an insecure SSL/TLS protocol it is still on you to verify that this is true. While it is becoming rarer, there are HTTPS services which allow a connection over an insecure protocol. However, if you issue an HTTP request it will respond to the user…

Firefox Add-Ons that you actually need

In this blog post I will introduce you to a few Firefox Add-Ons which are useful when assessing the security of web applications. There are many, many more Add-ons that people swear by, but these ones help me out a lot. To test a web application you are going to need a web browser to…

API testing with Swurg for Burp Suite

Swurg is a Burp Extender designed to make it easy to parse Swagger documentation and create baseline requests. This is a function that penetration testers need if they are being asked to test an API. Our ideal pre-requisites would be: a Postman collection with environments configured and ready to go, valid baseline requests. Ideally setup…