Skipped-a-week-because-it-was-the-beginning-of-vacation-screw-it Edition

XSS via XML

Link: XSS Via XML Value Processing. XXE is not the only vulnerability that… | by Numb Shiva | Jan, 2021 | Medium

You might keep XML in a dark place in your mind, next to witchcraft and circus peanuts. It is certainly a technology with a long history, and some of it not good. It is still in reasonably common use though, and you should be aware of the ways it can interact with the web applications you’re testing, some of which you might not have thought of before.

This article is a good demonstration of places where you might not think to use XML as a vector to get your malicious payload into the app, possibly even in a way that bypasses the safeguards for XSS. The general lesson is that values parsed out of XML are still untrusted input: the output encoding has to happen where they are rendered into the page, not as a check on the raw request body.
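
To make the bypass concrete, here is an added example (not code from the linked article) of an endpoint that accepts an XML body, filters the raw text for script markers, parses it, and then renders one value into HTML. The endpoint, field and function names are invented. The point it shows is that the XML parser decodes character references and CDATA after the filter has looked at the bytes, so the decoded value can contain exactly what the filter was meant to block; the fix is to encode at the output boundary.

```python
# Added example (not from the linked article): XML values reaching HTML.
# Field and function names are invented; request bodies are constructed.
import html
import re
import xml.etree.ElementTree as ET

# A naive "XSS filter" of the kind that runs on the raw request body.
NAIVE_BLOCKLIST = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)


def raw_body_looks_safe(body: str) -> bool:
    """Pre-parse filter: True if no obvious script markers are in the raw bytes."""
    return NAIVE_BLOCKLIST.search(body) is None


def extract_display_name(body: str) -> str:
    """Parse the XML as the application would and return the <name> value.
    ElementTree decodes character references and CDATA, so this is the
    *decoded* value, not the text the raw-body filter inspected."""
    root = ET.fromstring(body)
    return root.findtext("name", default="")


def render_vulnerable(body: str) -> str:
    """Vulnerable: the decoded value is concatenated straight into HTML."""
    return f"<p>Hello, {extract_display_name(body)}</p>"


def render_fixed(body: str) -> str:
    """Fixed: encode at the output boundary, whatever the input filter said."""
    return f"<p>Hello, {html.escape(extract_display_name(body), quote=True)}</p>"


# Constructed request bodies.
# 1) Character references: the raw body contains no "<script" substring,
#    so the filter passes it, but the parser turns &#60; back into "<".
BODY_CHARREF = (
    "<user><name>&#60;script&#62;alert(1)&#60;/script&#62;</name></user>"
)
# 2) CDATA: the raw body does contain "<script", so this one is caught,
#    which shows the filter's verdict depends on the encoding, not the value.
BODY_CDATA = (
    "<user><name><![CDATA[<script>alert(1)</script>]]></name></user>"
)


if __name__ == "__main__":
    for label, body in (("charref", BODY_CHARREF), ("cdata", BODY_CDATA)):
        print(label, "filter says safe:", raw_body_looks_safe(body))
        print("  decoded value :", extract_display_name(body))
        print("  vulnerable    :", render_vulnerable(body))
        print("  fixed         :", render_fixed(body))
```

Both bodies decode to the same value; only the character-reference form slips past the raw-body check, and only the output-encoded renderer is safe for either.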

Hooking binaries to bypass restrictions

Link: Snooping on proprietary protocols with Frida - Red Timmy Security

It was hard to come up with a summary for this, so I’ll elaborate a bit. The author was attempting to assess the security of a remote network appliance, but didn’t have access to it, or any of its code. What they did have access to was a Windows client that communicated with the appliance.

What they quickly discovered using Wireshark is that, while the traffic was going over TCP port 443, it wasn’t standard HTTPS; in fact it seemed to be something rather custom. The rest of the article explains how they used Frida to find and hook the client’s encryption and decryption functions, so that they could read the data in the clear as it was sent to and received from the appliance. Reverse engineering is above my pay grade, but I was able to follow the reasoning and discussion just fine. Good article.
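
As an added illustration of the hooking step (this is not the article’s script, and the real targets have to be located by reverse engineering first), here is a frida-python driver that builds a Frida agent for two export names and dumps the buffer passed to the encrypt routine on entry and the buffer left by the decrypt routine on return. The module name `client.dll`, the export names `EncryptPacket`/`DecryptPacket`, and the assumption that each takes `(buffer, length)` as its first two arguments are placeholders.

```python
# Added example, not from the Red Timmy article. Requires the `frida` package
# only when actually attaching; the script builder and hexdump run stand-alone.
# Module/export names and the (buf, len) argument layout are placeholders.
import json
import sys

HOOK_TEMPLATE = """
'use strict';
const target = %(module)s;
function hook(name, captureOnLeave) {
  const addr = Module.findExportByName(target, name);
  if (addr === null) {
    send({event: 'missing', fn: name});
    return;
  }
  Interceptor.attach(addr, {
    onEnter(args) {
      // Placeholder convention: args[0] = buffer pointer, args[1] = length.
      this.buf = args[0];
      this.len = args[1].toInt32();
      if (!captureOnLeave) {
        send({event: 'data', fn: name, dir: 'tx', len: this.len},
             Memory.readByteArray(this.buf, this.len));
      }
    },
    onLeave(retval) {
      // For decrypt we assume in-place decryption, so read after the call.
      if (captureOnLeave) {
        send({event: 'data', fn: name, dir: 'rx', len: this.len},
             Memory.readByteArray(this.buf, this.len));
      }
    }
  });
  send({event: 'hooked', fn: name});
}
hook(%(encrypt)s, false);  // plaintext visible on entry
hook(%(decrypt)s, true);   // plaintext visible once the call returns
"""


def build_hook_script(module: str, encrypt_fn: str, decrypt_fn: str) -> str:
    """Render the Frida agent (JavaScript) for the given module and exports."""
    return HOOK_TEMPLATE % {
        "module": json.dumps(module),
        "encrypt": json.dumps(encrypt_fn),
        "decrypt": json.dumps(decrypt_fn),
    }


def hexdump(data: bytes) -> str:
    """Classic offset / hex / ASCII dump, 16 bytes per line."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {chunk.hex(' '):<47}  {printable}")
    return "\n".join(lines)


def on_message(message, data):
    """frida-python message callback: payload dict plus optional raw bytes."""
    if message.get("type") != "send":
        print(message, file=sys.stderr)
        return
    print(message["payload"])
    if data:
        print(hexdump(data))


def attach_and_hook(process: str, module: str, encrypt_fn: str, decrypt_fn: str) -> None:
    """Attach to a running process by name/PID and install the hooks."""
    import frida  # pip install frida

    session = frida.attach(process)
    script = session.create_script(build_hook_script(module, encrypt_fn, decrypt_fn))
    script.on("message", on_message)
    script.load()
    print("hooks installed; Ctrl-C to detach", file=sys.stderr)
    sys.stdin.read()


if __name__ == "__main__":
    # Usage: python hook.py <process> <module> <encrypt_export> <decrypt_export>
    attach_and_hook(*sys.argv[1:5])
```

Capturing on entry for encrypt and on return for decrypt is the part that depends on the reverse-engineering result; if the real routines return the output through a separate pointer, the read has to move to that argument instead.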

Supply chain attacks. No, not the one you’re thinking of.

Link: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium

While SolarWinds is, understandably, getting a lot of press and is a textbook Maximum Impact!! supply chain attack, this article demonstrates another kind that is just as sneaky.

Essentially, software devs place a lot of trust in remote package repositories, and it’s important to know and track who is actually in control of the code in those repos. But have you considered what might happen, not if a dev lost control of their account, but if an internal package name were leaked? What would happen if that internal package name were claimed on one of the big public registries (npm, PyPI, RubyGems)? Would the build inside the target pull your code instead of the internal library? The author answers that and more (the short version: frequently yes, because several package managers simply take the highest version number from whichever index offers it). Very interesting read.
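
As an added example (not from Birsan’s article), here is a small model of the resolution step that makes the confusion work, using pip’s documented `--extra-index-url` behaviour as the reference: every configured index is a peer, and the highest version across all of them wins regardless of origin. The package names, index URLs and versions are constructed. It also shows the two checks a practitioner wants: a resolver that routes each package to exactly one source (what scoped names or a proxy registry with per-package routing give you), and a scan for internal names that are already registered publicly.

```python
# Added example, not the article's code. Package, index and version data
# below are constructed; the resolver models pip with --extra-index-url.
from typing import Dict, Iterable, List, Optional, Set, Tuple

Index = Dict[str, List[str]]          # package name -> available versions
Indexes = Dict[str, Index]            # index URL -> Index

INTERNAL_INDEX = "https://pypi.internal.example/simple"
PUBLIC_INDEX = "https://pypi.org/simple"

INDEXES: Indexes = {
    INTERNAL_INDEX: {"acme-billing": ["1.4.2", "1.5.0"]},
    # An attacker has registered the leaked internal name with a huge version.
    PUBLIC_INDEX: {"acme-billing": ["99.0.0"], "requests": ["2.25.1"]},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal dotted-integer version key (enough for the constructed data)."""
    return tuple(int(part) for part in v.split("."))


def resolve_extra_index(pkg: str, indexes: Indexes) -> Optional[Tuple[str, str]]:
    """Model of `pip install --extra-index-url`: all indexes are peers and the
    highest version wins, wherever it came from. Returns (version, index_url)."""
    best = None
    for url, packages in indexes.items():
        for v in packages.get(pkg, []):
            key = parse_version(v)
            if best is None or key > best[0]:
                best = (key, v, url)
    return None if best is None else (best[1], best[2])


def resolve_pinned_source(pkg: str, indexes: Indexes, internal_url: str,
                          internal_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Mitigation: a package known to be internal is resolved only from the
    internal index; everything else only from the non-internal indexes."""
    allowed = {internal_url} if pkg in internal_names else set(indexes) - {internal_url}
    restricted = {url: pkgs for url, pkgs in indexes.items() if url in allowed}
    return resolve_extra_index(pkg, restricted)


def names_already_public(internal_names: Iterable[str], public_index: Index) -> List[str]:
    """Detection: which of our internal names already exist on the public index?
    Any hit is either a collision to investigate or a name we should claim."""
    return sorted(name for name in internal_names if name in public_index)


if __name__ == "__main__":
    internal = {"acme-billing", "acme-auth"}
    print("peer indexes :", resolve_extra_index("acme-billing", INDEXES))
    print("pinned source:", resolve_pinned_source("acme-billing", INDEXES, INTERNAL_INDEX, internal))
    print("third party  :", resolve_pinned_source("requests", INDEXES, INTERNAL_INDEX, internal))
    print("already public:", names_already_public(internal, INDEXES[PUBLIC_INDEX]))
```

The first call returns the attacker’s 99.0.0 from the public index; the pinned resolver returns 1.5.0 from the internal index and still resolves genuinely public packages normally. Running the name scan against the real public registries, rather than this constructed table, is the cheap check to do before an attacker does it for you.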

A list of low-hanging blue team fruit

Link: 7 Common Microsoft AD Misconfigurations that Adversaries Abuse | CrowdStrike

This is a great resource. It simply lists seven common things that IT admins do that create opportunities for attackers, why they’re bad, and a course of action for each. Easy peasy.