A personal mini blog about infosec and life
The past week and a half was not very productive since I was unwell most of the time.
It was probably a mistake, but last weekend my partner and I decided to buy an XL pizza from what we consider the best pizzeria in town.
We realized that by ordering directly from the pizzeria's website, we pay the same for an XL pizza as we would for a family-size pizza through the Wolt food delivery app.
Anyway, this size was probably too much for me.
Weekly Activities and Notes
I submitted my first CVE request. Let's wait and see if it is approved.
I sent my first vulnerability disclosure (VDP report) to the Israel National Cyber Directorate. It detailed a local file inclusion vulnerability in a very large Israeli company. By reading the process environment variables (/proc/self/environ), it was possible to retrieve sensitive information such as a secret used for authentication to one of their services.
Although I don't use them much, I was thinking about comparing the results of BuiltWith and Wappalyzer. I added this to my To-Do list.
About two weeks ago, Trail of Bits hosted a webinar with James Kettle (Director of Research at PortSwigger). They discussed several tips regarding Burp Suite, introduced the new Intercept tool, and talked about a few other topics. Some of James' and Trail of Bits' suggestions were:
Burp Suite's Match and Replace option can be very useful.
Hackvertor extension: https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100
Software Vulnerability Scanner extension: https://portswigger.net/bappstore/c9fb79369b56407792a7104e3c4352fb
When I asked him which extension or functionality he thinks is the most underrated, he mentioned Backslash Powered Scanner, as it might find leads for some server-side attacks: https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8
PortSwigger has created a new Discord server. It might be a good place to have discussions with other researchers. Invitation link: https://discord.com/invite/portswigger
James Kettle has published new research about timing attacks and their major impact on web applications. His article from a year ago was mostly theoretical; this time it is not: he has found a way to perform this attack against many web applications and shows how to do it. I haven't finished reading the article yet, but I certainly plan to. Link: https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work
CTF
Last weekend I participated in LIT CTF. I did not plan to publish a separate post with writeups because it wasn't very challenging, so I will write up the solutions to two of the challenges here:
1. web/jwt-2: The Express web application uses a JWT for authorization to access the flag. Its verification has 4 conditions:
1. Verifies that the token exists.
2. Verifies that all of the JWT sections (header, payload, signature) are present.
3. Generates 'expectedSignature' and checks that it is identical to the JWT's signature.
4. Essentially checks whether the JWT 'admin' property has the value 'true'.
This means that all we need is for our signature to match the expected signature. What do we need in order to generate the expected signature?
According to check #3 in the image, we need:
The jwtSecret used to create the HMAC object, which we have:
The header and payload JWT sections. So nothing prevents us from generating this signature ourselves and using it in a modified JWT where the 'admin' property is set to 'true':
2. web/kirbytime: In this challenge the password has to be recovered with a timing attack. For each correct leading character, the system waits 1 second before responding, so by trying every candidate character at the next position and seeing which one takes longer, we can determine the correct next character. This can be done with a script or manually.