Orel Gispan

Small Winds - No. 02

Updated: Aug 20

A personal mini blog about infosec and life

The past week and a half was not very productive since I was unwell most of the time.

It was probably a mistake, but last weekend my partner and I decided to buy an XL pizza from what we consider the best pizzeria in town.

We realized that by ordering directly from the pizzeria's website, we pay the same for an XL pizza as we would for a family-size pizza through the Wolt food delivery app.

Anyway, this size was probably too much for me.

 

Weekly Activities and Notes

  • I submitted my first CVE request. Let's wait and see if it is approved.

  • I sent my first VDP to the Israel National Cyber Directorate. It detailed a local file inclusion vulnerability in a very large Israeli company. By reading the environment variables (/proc/self/environ), it was possible to retrieve sensitive information such as a secret used for authentication for one of their services.

  • Although I don't use them much, I was thinking about comparing the results of BuiltWith and Wappalyzer. I added this to my To-Do list.

  • About two weeks ago, Trail of Bits hosted a webinar with James Kettle (Director of Research at PortSwigger). They discussed several tips regarding Burp Suite, introduced the new Intercept tool, and talked about a few other topics. Some of James' and Trail of Bits' suggestions were:

  • PortSwigger has created a new Discord server. It might be a good place to have discussions with other researchers. Invitation link: https://discord.com/invite/portswigger

  • James Kettle has published new research about timing attacks and their major impact on web applications. He published an article a year ago, but it was more theoretical. This time, it's not theoretical anymore: he has found a way to perform this attack on many web applications and shows how to do it. I haven't finished reading the article yet, but I certainly plan to. Link: https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work


CTF

Last weekend I participated in LIT CTF. I did not plan to publish a separate post with writeups because it wasn't very challenging, so I will write up the solutions to two of the challenges here:

  1. web/jwt-2: The Express web application uses a JWT for authorization to access the flag. There are 4 conditions:

    1. Verifies that the token exists.

    2. Verifies that all the JWT sections are present.

    3. Generates 'expectedSignature' and checks that it matches the JWT signature.

    4. Essentially checks whether the JWT 'admin' property has the value 'true'.

This means that all we need is for our signature to match the expected signature. What do we need to generate the expected signature ourselves?

According to condition #3 in the image, we need:

  • To create an HMAC object using the jwtSecret, which we have.

  • The header and payload JWT sections. So nothing prevents us from generating this signature and using it in our modified JWT where the 'admin' property is set to 'true'.

  2. web/kirbytime: In this challenge we essentially have to guess the password using a timing attack. For each correct character, the system waits 1 second. This way, we can try all of the characters for a position and determine the correct next character from the added delay. We can do this using a script or manually.
