Mar 03 2024

Tor Tools

Category: Dark Web, Security Tools, Web Security | disc7 @ 8:37 am

🧅Tor Tools

🔹Nipe – Script to redirect all traffic from the machine to the Tor network.
🔗https://lnkd.in/grhEtqdr

🔹OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.
🔗https://onionscan.org/

🔹Tails – Live operating system aiming to preserve your privacy and anonymity.
🔗https://tails.boum.org/

🔹Tor – Free software and onion routed overlay network that helps you defend against traffic analysis.
🔗https://lnkd.in/g8Uc8nB2

🔹dos-over-tor – Proof of concept denial of service over Tor stress test tool.
🔗https://lnkd.in/gAEQPvbd

🔹kalitorify – Transparent proxy through Tor for Kali Linux OS.
🔗https://lnkd.in/gruAzkkw

Tor: From the Dark Web to the Future of Privacy

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Tor Project


Feb 26 2024

Web Check: Open-source intelligence for any website

Category: OSINT, Web Security | disc7 @ 9:44 pm

Web Check offers thorough open-source intelligence and enables users to understand a website’s infrastructure and security posture, equipping them with the knowledge to understand, optimize, and secure their online presence.

Unlike similar services, Web Check is free. There’s no signup, tracking, logging, or ads. Anyone can deploy their instance easily.

Web Check features

Web Check provides insight into the inner workings of any specified website, enabling users to identify possible security vulnerabilities, scrutinize the underlying server architecture, inspect security settings, and discover the various technologies employed by the site.

Currently, the dashboard will show IP info, SSL chain, DNS records, cookies, headers, domain info, search crawl rules, page map, server location, redirect ledger, open ports, traceroute, DNS security extensions, site performance, trackers, associated hostnames, carbon footprint.

“When you’re looking into any website or server, either as part of an OSINT investigation or just out of curiosity, there’s a couple of checks that you always start with. Think domain registrar records, SSL chain, server info, page list, tech stack, etc. None of these are hard to find individually, usually with a combination of bash commands and online tools. However, fetching, collating, and analyzing all this data is time-consuming. I created Web Check to automate this process. It locates, processes, and visualizes everything you need to provide a good starting point for your investigation. It takes just seconds to generate a full report, with no fluff,” Alicia Sykes, the creator of Web Check, told Help Net Security.

Future plans

“I’m always looking for ways to increase and improve the data returned. The web scene is constantly changing, so there are always new and interesting insights you can glean from sites. I’m working on some new checks to include this data. I’m also working on a public API to be used programmatically or integrated into researchers’ existing workflows. Due to it being free to use, I must also improve performance to keep compute costs down continuously,” Sykes concluded.

Web Check is available for free on GitHub.

Must read: 15 open-source cybersecurity tools you’ll wish you’d known earlier

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: Web Check


Jan 04 2024

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

Category: Cyber Attack, Information Security, Web Security | disc7 @ 10:26 am

The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.

Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.

There are six security fixes in this release. Three of these flaws allowed an attacker to take control of a browser through use-after-free conditions.

Use-after-free is a condition in which a block of memory is freed but the program does not clear its pointer to that memory and may later use the stale pointer. It is caused by incorrect usage of dynamic memory allocation during an operation.

CVE-2024-0222: Use After Free In ANGLE

Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.

Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.

CVE-2024-0223: Heap Buffer Overflow In ANGLE

This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption. 

Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.

CVE-2024-0224: Use After Free In WebAudio

A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.

Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.

CVE-2024-0225: Use After Free In WebGPU

A remote attacker may have been able to exploit heap corruption through a specifically crafted HTML page due to a high-severity use-after-free vulnerability in WebGPU in Google Chrome.

The details about the reporter of this vulnerability were mentioned as anonymous. 

The use-after-free conditions existed in Google Chrome before version 120.0.6099.199. To avoid exploitation of these vulnerabilities, Google advises users to update to the most recent version of Google Chrome.

How To Update Google Chrome

  • Open Chrome.
  • At the top right, click More.
  • Click Help > About Google Chrome.
  • Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
  • Click Relaunch.

Browser Security Platform Checklist

Tags: Google Chrome


Nov 29 2023

Chrome Zero-Day Vulnerability Exploited In The Wild

Category: Information Security, Web Search Engine, Web Security | disc7 @ 8:13 am

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this year. The flaw, identified as CVE-2023-6345, is classified as an integer overflow in Skia, an open-source 2D graphics library written in C++.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” Google said.

There are several potential risks associated with this high-severity zero-day vulnerability, including the execution of arbitrary code and crashes.

On November 24, 2023, Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group reported the issue.

Google has updated the Stable channel to version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, addressing the year’s sixth actively exploited zero-day vulnerability. The update will be rolled out over the next few days/weeks.

Additionally, Google has fixed six high-severity security vulnerabilities with this update.

Details Of The Vulnerabilities Addressed

Type Confusion in Spellcheck is a high-severity bug that is being tracked as CVE-2023-6348. Mark Brand from Google Project Zero reported the issue.

Use after free in Mojo is the next high-severity bug, tagged as CVE-2023-6347. 360 Vulnerability Research Institute’s Leecraso and Guang Gong reported the issue, and they were rewarded with a bounty of $31,000.

Use after free in WebAudio is a high-severity issue identified as CVE-2023-6346. Following Huang Xilin of Ant Group Light-Year Security Lab’s disclosure, a $10,000 prize was given out.

An out-of-bounds memory access in libavif is a high-severity bug tagged as CVE-2023-6350. Fudan University reported it, and $7000 was given out.

Use after free in libavif is a high-severity bug identified as CVE-2023-6351. Fudan University reported it, and $7000 was given out.

Update Now

To stop exploitation, Google strongly advises users to update their Chrome web browser right away. Follow these steps to update the Chrome web browser:

  • Go to the Settings option.
  • Then select About Chrome.
  • Wait, as Chrome will automatically fetch and download the latest update.
  • Once the installation process completes, you have to restart Chrome.
  • That’s it. Now you are done.

Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation

Tags: Chrome zero-day


Oct 13 2023

HOW GOOGLE CHROME VULNERABILITY CAN PUT MILLIONS OF USERS IN DANGER – SAFEGUARD YOUR DATA NOW!

IN-DEPTH ANALYSIS: NAVIGATING THE PERILS OF CVE-2023-5218 IN GOOGLE CHROME

The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the Use-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandora’s box of potential cyber-attacks and exploitations.

UNRAVELING THE USE-AFTER-FREE VULNERABILITY

The Use-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting users’ data and privacy at substantial risk.
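As an added illustration of the use-after-free pattern described in this paragraph and in the definition given in the Chrome 120 post (Jan 04 2024) above, the following C snippet was written for this page; it is not code from Chrome, ANGLE, WebAudio or Site Isolation. It places the bug pattern (free the object, leave the caller's pointer dangling) beside a close routine that nulls the caller's pointer, so a later use fails a NULL check instead of reading freed memory. The `handle_t` type and the function names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed type for the example; not a Chrome structure. */
typedef struct {
    char name[32];
    int  active;
} handle_t;

/* Allocate and initialise a handle. Returns NULL on allocation failure. */
handle_t *handle_open(const char *name) {
    handle_t *h = calloc(1, sizeof *h);
    if (h == NULL) return NULL;
    strncpy(h->name, name, sizeof h->name - 1);
    h->active = 1;
    return h;
}

/* Bug pattern described in the post: the allocation is freed, but the
 * caller's pointer is left unchanged. Any later h->active read by the
 * caller is a use-after-free (undefined behaviour, and the kind of heap
 * corruption the advisories describe). */
void handle_close_dangling(handle_t *h) {
    free(h);
}

/* Safer pattern: free through a pointer-to-pointer and null the caller's
 * copy, so a later use is rejected by a NULL check rather than touching
 * freed memory. */
void handle_close(handle_t **hp) {
    if (hp == NULL || *hp == NULL) return;
    (*hp)->active = 0;      /* scrub state before release */
    free(*hp);
    *hp = NULL;
}

/* Accessor that refuses a NULL handle instead of dereferencing it. */
int handle_is_active(const handle_t *h) {
    return h == NULL ? -1 : h->active;
}

/* Returns 1 when the safe close leaves the caller with no dangling pointer
 * and a later access is rejected (-1) rather than reading freed memory. */
int demo_safe_close(void) {
    handle_t *h = handle_open("renderer");
    if (h == NULL) return -1;
    int before = handle_is_active(h);   /* 1: live object */
    handle_close(&h);                    /* frees and sets h = NULL */
    int after = handle_is_active(h);    /* -1: NULL rejected, nothing freed is read */
    return (before == 1 && h == NULL && after == -1) ? 1 : 0;
}
```

Nulling one copy of the pointer only helps when that copy is the one used later. The browser bugs above involve objects referenced from several places (renderer, audio graph, GPU command buffers), which is why the durable fix is ownership discipline (reference counting, scoped owners, or memory-safe components) rather than this hygiene step alone.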

TIMELINE AND DISCOVERY

CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.

THE EXPLOIT MECHANICS

Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned ‘freed’ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.

THE POTENTIAL IMPACT

The exploitation of CVE-2023-5218 could have a multifold impact:

  • Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
  • System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
  • Malware Spread: By redirecting browsers to malicious websites, malware could be injected into users’ systems, further expanding the impact of the attack.

TECHNICAL INSIGHTS INTO CVE-2023-5218

  • Vulnerability Class: Use After Free
  • Impact: Confidentiality, Integrity, and Availability
  • Disclosure Date: 10/11/2023
  • Advisory: Chrome Releases Blog

TECHNICAL SYNOPSIS

The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, use of unexpected values, or arbitrary code execution. The vulnerability is classified under CWE-416 (use after free) and CWE-119 (improper restriction of operations within the bounds of a memory buffer).

MITIGATION AND COUNTERMEASURES

The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:

  • Regularly update and patch software to safeguard against known vulnerabilities.
  • Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
  • Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.

CONCLUSION

The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.

The Google Workspace Bible: [14 in 1] The Ultimate All-in-One Guide from Beginner to Advanced | Including Gmail, Drive, Docs, Sheets, and Every Other App from the Suite

Tags: Google Chrome


Jul 29 2023

NEW ATTACK TECHNIQUE TO HACK APACHE TOMCAT SERVERS

Category: Cyber Attack, Hacking, Web Security | disc7 @ 11:56 am

The article discusses a new cyberattack targeting Apache Tomcat servers, a popular open-source web server environment written in Java. Apache Tomcat supports various technologies and is widely used by developers.

The attack is orchestrated by the Mirai botnet and bitcoin miners, specifically targeting improperly configured Apache Tomcat servers lacking sufficient security measures. The research, conducted by Aqua, involved setting up Tomcat server honeypots to monitor the attacks over a two-year period.

During the research, more than 800 attacks were recorded, with an overwhelming 96% of them linked to the Mirai botnet. Out of these attempts, 20% (152 attacks) utilized a web shell script named “neww,” originating from 24 different IP addresses. Interestingly, 68% of these attacks were attributed to a single IP address, 104.248.157[.]218. Fortunately, the attacks using the “neww” web shell script were unsuccessful in compromising the targeted servers.

The threat actor carried out a brute force attack against the scanned Tomcat servers in order to gain access to the web application manager, trying a variety of credential combinations.

After successfully gaining entry, the threat actors install a WAR file containing a web shell called ‘cmd.jsp’ on the compromised Tomcat server. This allows remote command execution.

Downloading and running the “neww” shell script is an integral part of the attack chain. Once the script has executed, it is removed with the “rm -rf” command. The software then retrieves 12 binary files customized to the architecture of the system being attacked.

All of these components work together to expedite the deployment of the web app on compromised Tomcat servers.

The last step of the malware is a variation of the Mirai botnet that uses infected systems for the purpose of coordinating distributed denial-of-service (DDoS) assaults.

The threat actor infiltrates the web application manager using legitimate credentials, uploads a disguised web shell in a WAR file, remotely executes commands, and starts the attack.

The statistics also shed light on the profitable expansion of cryptocurrency mining, which is projected to have a 399% increase and 332 million cryptojacking assaults worldwide in H1 2023.
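The chain above (repeated failed logins to the Manager application, then a successful login and a WAR upload) leaves a recognisable trace in Tomcat's access log. The following C program is an added detection example written for this page; it is not Aqua's code or honeypot data. The log lines are constructed in Tomcat's common access-log layout with documentation IP addresses, the threshold of five failures is an arbitrary choice, and the request paths are the Manager application's HTML upload and text-deploy endpoints as I know them.

```c
#include <stdio.h>
#include <string.h>

#define MAX_IPS 16
#define BRUTE_THRESHOLD 5   /* constructed: failed Manager logins per source before alerting */

typedef struct {
    char ip[64];
    int  manager_401s;   /* failed authentications against /manager/ */
    int  war_deploys;    /* successful deployments through the Manager app */
} ip_stats_t;

/* Constructed sample log: 203.0.113.10 fails five times, logs in, then
 * uploads a WAR; 198.51.100.7 is ordinary traffic with one failed attempt. */
static const char *SAMPLE_LOG[] = {
    "203.0.113.10 - - [29/Jul/2023:10:00:01 +0000] \"GET /manager/html HTTP/1.1\" 401 -",
    "203.0.113.10 - - [29/Jul/2023:10:00:02 +0000] \"GET /manager/html HTTP/1.1\" 401 -",
    "203.0.113.10 - - [29/Jul/2023:10:00:03 +0000] \"GET /manager/html HTTP/1.1\" 401 -",
    "203.0.113.10 - - [29/Jul/2023:10:00:04 +0000] \"GET /manager/html HTTP/1.1\" 401 -",
    "203.0.113.10 - - [29/Jul/2023:10:00:05 +0000] \"GET /manager/html HTTP/1.1\" 401 -",
    "203.0.113.10 - tomcat [29/Jul/2023:10:00:09 +0000] \"GET /manager/html HTTP/1.1\" 200 12345",
    "203.0.113.10 - tomcat [29/Jul/2023:10:00:15 +0000] \"POST /manager/html/upload HTTP/1.1\" 200 890",
    "198.51.100.7 - - [29/Jul/2023:10:01:00 +0000] \"GET /index.html HTTP/1.1\" 200 2048",
    "198.51.100.7 - - [29/Jul/2023:10:01:02 +0000] \"GET /manager/html HTTP/1.1\" 401 -",
};
#define SAMPLE_LOG_LEN (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Pull the client IP, the quoted request line and the status code out of
 * one access-log line. Returns 1 on success, 0 if the line is malformed. */
static int parse_line(const char *line, char *ip, size_t ip_sz,
                      char *req, size_t req_sz, int *status) {
    const char *sp = strchr(line, ' ');
    const char *q1, *q2;
    size_t n;
    if (sp == NULL) return 0;
    n = (size_t)(sp - line);
    if (n == 0 || n >= ip_sz) return 0;
    memcpy(ip, line, n);
    ip[n] = '\0';
    q1 = strchr(sp, '"');
    if (q1 == NULL) return 0;
    q2 = strchr(q1 + 1, '"');
    if (q2 == NULL) return 0;
    n = (size_t)(q2 - q1 - 1);
    if (n >= req_sz) return 0;
    memcpy(req, q1 + 1, n);
    req[n] = '\0';
    return sscanf(q2 + 1, " %d", status) == 1;
}

/* Find the per-source counters for `ip`, creating them if needed. */
static ip_stats_t *find_or_add(ip_stats_t *table, int *count, const char *ip) {
    int i;
    for (i = 0; i < *count; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    if (*count >= MAX_IPS) return NULL;          /* table full: skip this source */
    memset(&table[*count], 0, sizeof table[*count]);
    strncpy(table[*count].ip, ip, sizeof table[*count].ip - 1);
    return &table[(*count)++];
}

/* Run both detections over the lines; fills `table`, returns distinct IPs. */
int analyze_log(const char **lines, int n_lines, ip_stats_t *table) {
    int count = 0, i;
    for (i = 0; i < n_lines; i++) {
        char ip[64], req[256];
        int status;
        ip_stats_t *s;
        if (!parse_line(lines[i], ip, sizeof ip, req, sizeof req, &status)) continue;
        s = find_or_add(table, &count, ip);
        if (s == NULL) continue;
        if (status == 401 && strstr(req, "/manager/") != NULL)
            s->manager_401s++;
        if (status >= 200 && status < 300 &&
            (strstr(req, "/manager/html/upload") != NULL ||
             strstr(req, "/manager/text/deploy") != NULL))
            s->war_deploys++;
    }
    return count;
}

/* Number of failed Manager logins seen from `ip` in the sample log. */
int manager_failures(const char *ip) {
    ip_stats_t table[MAX_IPS];
    int n = analyze_log(SAMPLE_LOG, SAMPLE_LOG_LEN, table), i;
    for (i = 0; i < n; i++)
        if (strcmp(table[i].ip, ip) == 0) return table[i].manager_401s;
    return 0;
}

/* 1 if `ip` crossed the brute-force threshold and then deployed an
 * application through the Manager: the post's attack chain, seen in the log. */
int ip_matches_chain(const char *ip) {
    ip_stats_t table[MAX_IPS];
    int n = analyze_log(SAMPLE_LOG, SAMPLE_LOG_LEN, table), i;
    for (i = 0; i < n; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return table[i].manager_401s >= BRUTE_THRESHOLD && table[i].war_deploys > 0;
    return 0;
}
```

A deployment without a preceding burst of 401s is worth alerting on as well, since it is what stolen or default credentials look like; the two counters are kept separate so either rule can fire on its own.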

Recommendation

In order to protect against attacks of this kind, cybersecurity specialists suggested the following measures:

  • Make sure that each of your environments has the appropriate configuration.
  • Regularly scan your servers for threats.
  • Make cloud-native tools that scan for vulnerabilities and misconfigurations available to your development, DevOps, and security teams so that they can do their jobs better.
  • Use runtime detection and response technologies.

Web Security for Developers: Real Threats, Practical Defense

Tags: APACHE TOMCAT SERVERS, web security


Jun 24 2023

Web Application Security: A 2023 Guide

Category: App Security, Web Security | DISC @ 1:29 pm

Web Application Security: A 2023 Guide | Cyber Press

Written by: Cyber Writes

Web App Security

Tags: Web Application Security


Jun 14 2023

HACKING WOOCOMMERCE WEBSITES TO GET ORDER DETAILS AND CUSTOMER PERSONAL INFORMATION

Category: Hacking, Web Security | disc7 @ 1:50 am

The ever-changing topography of cyberspace always results in the introduction of new security flaws and vulnerabilities. A major vulnerability, which is now known as CVE-2023-34000 and has a CVSS score of 7.5, has been discovered in the WooCommerce Stripe Gateway Plugin, which has prompted an urgent call to action for both site administrators and security specialists. This plugin, which was built by WooCommerce and is presently being used in over 900,000 active installs, is well-known for its efficient capabilities to take payments directly on online and mobile businesses. Customers are able to finish their purchases without ever leaving the environment of the online shop thanks to an inherent feature of this plugin. This eliminates the need for an externally hosted checkout page.

Nevertheless, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability lies behind the plugin’s surface functionality. This vulnerability, in its unpatched condition, gives an unauthenticated user the potential to obtain extremely sensitive Personally Identifiable Information (PII) that is associated with any WooCommerce order. This data may contain sensitive information such as a user’s complete name, email address, and residence address in its exposed form.

Following the breadcrumb trail of this security hole leads to the ‘javascript_params’ function inside the plugin. The code in this method uses the ‘order_id’ variable, taken from the query parameters, to fetch an order object, and then gathers specific information from that object, such as complete user details and addresses. Within this method there is a noticeable lack of order ownership checks, which substantially increases the risk and makes it possible to return the ‘order’ as an object. Experts discovered that the ‘payment_scripts’ function can be used to trigger the ‘javascript_params’ function, which then returns a JavaScript object to the front-end by way of the ‘wp_localize_script’ function. When a user visits the homepage of the website, the combined behaviour discloses the order’s personally identifiable information, which is reflected into the page source.

After further examination, a second occurrence of the vulnerability was found to be placed inside the ‘payment_fields’ method. This vulnerability, like the one found in the ‘javascript_params’ function, stems from the fact that there is no order ownership verification taking place. The result is the same: the front-end has access to both the user’s billing email address and their complete name.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

Tags: web app security, WOOCOMMERCE WEBSITE


May 15 2023

Salt Security Achieves AWS WAF Ready Designation

Category: App Security, Information Security, Web Security | disc7 @ 9:30 am

Today, API security company Salt Security announced it is now an Amazon Web Services (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers in all AWS Regions and can be deployed directly from the AWS console.

This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyse some of the most common internet threats and vulnerabilities.

Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.

Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”

“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”

The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.

APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.

Security of services hosted in the Cloud with Le WAF: Web Application Firewall

Tags: WAF, Web Application Firewall


May 05 2023

5 WAYS TO MAKE YOUR COMPANY WEBSITE MORE SECURE

Category: Web Security | disc7 @ 9:48 am

Your company website should be protected from bugs, hackers, and other online threats. If it isn’t, it might crash, your data will be put at risk, and the company might lose a lot of money. 

WAYS TO MAKE A WEBSITE SECURE INCLUDE:

  • Using anti-malware.
  • Obtaining a Secure Sockets Layer (SSL) certificate.
  • Setting passwords that are tough to crack.
  • Keeping the site updated.
  • Controlling who can leave comments. 

The first step is obtaining an SSL certificate. Anti-malware helps detect malicious agents and prevent attacks. 

Make sure you look out for phishing emails and other scams. Finally, it might be a good idea to accept comments manually if you wish to enable this function on your site. Don’t forget to run regular backups.

Below, each suggestion is explored in detail. 

1. USE ANTI-MALWARE TOOLS

Some providers of this type of software offer free plans, but the more effective ones are paid. They have features like malware detection and removal, web scanning, web application firewalls, DDoS protection, vulnerability patching, and PCI compliance. 

If you choose a reliable hosting platform for your website, it will do all the work around your site’s security for you. Many hosting services provide anti-malware tools and devices as part of their plans.

2. INSTALL AN SSL CERTIFICATE  

There are a few ways to get SSL installed. Your hosting company might have a free certificate with your plan. Platforms like WordPress typically have this option too. A high-quality website builder will have free SSL. 

Alternatively, you can opt for a basic Let’s Encrypt SSL and install it for free. However, an advanced certificate is imperative as a guarantee of the best security level possible. The prices of these certificates vary. You can purchase them from domain registrars and hosting providers. 

The free SSL version might suffice for a startup or small company. However, if you’re processing large volumes of personal or financial data or operating a big online store, free SSL will not suffice for your needs.

3. MAKE YOUR PASSWORDS STRONGER 

It’s tempting to use simple but easy-to-guess passwords and passphrases. You should never reuse passwords for multiple profiles. Instead, opt for a password manager and use unique ones everywhere.

You could combine a few random but memorable phrases or use a randomly generated character sequence. Use long passwords or passphrases, and don’t use personal information in them. 

You can create a truly uncrackable password using the above and other tips. Of course, you should never share passwords with anyone. It would help if you changed them occasionally too. 

4. DISABLE AUTOMATIC COMMENTS

If you wish to enable comments on your company blog, don’t let visitors post comments directly. This makes you vulnerable to malicious links, on which other visitors to your site might click, thereby installing malware or exposing personal data. Sometimes, comments are just plain annoying.

One option is setting up the website so that comments need to be manually approved before they appear. You can use an anti-spam plugin or software or obligate people to register to leave comments. 

After a few weeks have passed, you could turn off comments on posts. 

5. KEEP YOUR WEBSITE’S SOFTWARE UPDATED

Most website builders handle security issues and software updates, so this shouldn’t concern you if you’re using a reputable one. 

WordPress and other free platforms tend to leave updates to the user. It depends on what type of hosting you choose. Managed hosting is more expensive, but the hosting provider will run updates when necessary. Unmanaged hosting is more affordable, but you’ll be responsible for the updates for your core software as well as for any installed plugins. 

Tags: COMPANY WEBSITE


Apr 28 2023

YOU DON’T HAVE TO BE A SUPER HACKER TO HACK INTO MILLIONS OF WEBSITES, THIS CPANEL FLAW MAKES IT EASY FOR ANYONE

Category: Hacking, Web Security | DISC @ 1:49 pm

The software known as cPanel is used extensively online as a control panel for web hosting. At the time this blog article was being written, there were precisely 1.4 million exposed cPanel installations on the public internet.

The researchers found a reflected cross-site scripting vulnerability that could be exploited without any authentication. The XSS could be exploited even if the cPanel management ports (2080, 2082, 2083, and 2086) were not open to the outside world. This means that if your website is hosted on cPanel and runs on ports 80 and 443, it was also susceptible to the cross-site scripting vulnerability.

At the heart of CVE-2023-29489 is an invalid webcall ID that may include XSS content. When this content is displayed on the error page for cpsrvd, it is not properly escaped, which enables the XSS attack.

The repercussions of being susceptible to this flaw are quite concerning. With cPanel in its default configuration, malicious actors can run arbitrary JavaScript, pre-authentication, on almost any port of a web server. This is a result of the proxy rules that enable access to the /cpanelwebcall/ directory even on ports 80 and 443, which were previously inaccessible.

The effect of this vulnerability is that attackers are able to run arbitrary JavaScript, pre-authentication, on practically every port of a web server that is using cPanel with its default configuration.

The proxy rules are to blame for this situation: even though Apache on ports 80 and 443 is only proxying to the cPanel administration ports, the /cpanelwebcall/ directory was still reachable through them.

Because of this, an adversary may launch attacks not only against the administrative ports of cPanel but also against the apps that are operating on ports 80 and 443.

An adversary may employ this cross-site scripting attack to take over the cPanel session of a legitimate user if the cPanel administration ports were exposed to the assault in the first place.

After successfully authenticating as a user of cPanel, it is often quite simple to upload a web shell in order to get command execution privileges for oneself.
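The missing step in the cpsrvd error page, according to the description above, was output escaping of the attacker-controlled webcall ID. The following C code is an added example written for this page, not cPanel's code: an HTML escaper for the five characters that let text become markup or break out of an attribute, plus two checks that run the page's own PoC payload through it. The error-page wording and the buffer sizes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Escape the characters that let text become HTML markup or break out of
 * an attribute. Returns the number of bytes written (excluding the NUL),
 * or -1 if `out` is too small; the output is NUL-terminated on success. */
int html_escape(const char *in, char *out, size_t out_size) {
    size_t o = 0;
    if (out_size == 0) return -1;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            if (o + n >= out_size) return -1;   /* keep room for the NUL */
            memcpy(out + o, rep, n);
            o += n;
        } else {
            if (o + 1 >= out_size) return -1;
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Escape `in` into a local buffer and report whether any character that
 * could start a tag or close an attribute survived. Returns 0 when the
 * result is inert text, 1 if raw markup remains, -1 on buffer overflow. */
int escaped_has_raw_markup(const char *in) {
    char buf[1024];
    if (html_escape(in, buf, sizeof buf) < 0) return -1;
    return strpbrk(buf, "<>\"'") != NULL ? 1 : 0;
}

/* Compare the escaped form of `in` with an expected string (1 = match). */
int escaped_equals(const char *in, const char *expected) {
    char buf[1024];
    if (html_escape(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}
```

Escaping is specific to the output context (HTML body, attribute value, JavaScript string, URL), so the same value must be re-encoded if it is later placed somewhere else. For an identifier like a webcall ID, the stronger fix is to validate its expected character set on input and reject anything else before it ever reaches an error page.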

Proof of Concept

For the purpose of demonstrating the vulnerability, the researchers supplied the following proof of concept URLs:

  • http://example.com/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
  • http://example.com:2082/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
  • http://example.com:2086/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa

Please don’t be concerned if you believe that this vulnerability may be affecting your website. Because the majority of cPanel installations on the internet have the auto-update capability activated, it’s possible that you are no longer at risk of being exploited even if you don’t apply a patch. Upgrading to any of the following versions of cPanel or above will eliminate the risk associated with this vulnerability:

  • 11.109.9999.116
  • 11.108.0.13
  • 11.106.0.18
  • 11.102.0.31

Tags: Hacking Websites


Apr 20 2023

DANGEROUS 0 DAY VULNERABILITY IN GOOGLE CHROME

Category: Security vulnerabilities, Web Security | DISC @ 7:56 am

DANGEROUS 0 DAY VULNERABILITY IN GOOGLE CHROME : CVE-2023-2136

The previous week, Google put out an emergency security fix for its browser, and today, the company rolled out another emergency security update to address a vulnerability that is being exploited in the wild.

The update is now available for desktop versions of Google Chrome as well as the Android version of Chrome. Users are encouraged to install updates as soon as they are made available in order to safeguard their devices against prospective attacks that exploit these vulnerabilities.

Google has listed five of the eight security problems that were addressed in the most recent version of Google Chrome. Google says that these issues have been handled. The official Chrome Releases blog has provided documentation of these recent fixes. On the other hand, Google does not make publicly known the security flaws that were found during the company’s own internal investigations.

  • Out-of-bounds memory access in the Service Worker API, rated high-risk (CVE-2023-2133).
  • Out-of-bounds memory access in the Service Worker API, rated high-risk (CVE-2023-2134).
  • Use after free in DevTools, rated high-risk (CVE-2023-2135).
  • Integer overflow in Skia, rated high-risk (CVE-2023-2136).
  • Heap buffer overflow in sqlite, rated medium severity (CVE-2023-2137).


According to Google’s findings, the security flaw CVE-2023-2136 is being actively exploited in the wild.

CVE-2023-2136 is an integer overflow vulnerability in Skia, a 2D graphics library that is frequently used in web browsers, operating systems, and other software. An integer overflow happens when an arithmetic operation produces a number larger than the maximum the integer type can hold. The value then wraps around and becomes either much smaller or much larger than intended. An integer overflow can be avoided by checking, before the operation is used, that its result does not exceed the maximum limit of the integer type.
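As an added illustration of the bug class described above (this is not Skia's code and not the actual CVE-2023-2136 defect), the following Python emulates a C-style uint32_t size computation for a pixel buffer and contrasts it with a checked version; the image dimensions are constructed values chosen so the product exceeds 32 bits by a small margin.

```python
U32_MAX = 0xFFFFFFFF  # largest value a C uint32_t can hold


def u32(value):
    """Emulate C unsigned 32-bit arithmetic: results wrap modulo 2**32."""
    return value & U32_MAX


def naive_buffer_size(width, height, bytes_per_pixel=4):
    """Size computation as unchecked C code would do it: width * height * bpp
    in uint32_t, which silently wraps when the true product exceeds U32_MAX."""
    return u32(u32(width * height) * bytes_per_pixel)


def checked_buffer_size(width, height, bytes_per_pixel=4):
    """Same computation, but refuse any result that would not fit in uint32_t.
    Python ints do not wrap, so the exact product can be compared to the limit."""
    size = width * height * bytes_per_pixel
    if size > U32_MAX:
        raise OverflowError(
            f"{width}x{height}x{bytes_per_pixel} needs {size} bytes, exceeds uint32_t"
        )
    return size


def overrun_bytes(width, height, bytes_per_pixel=4):
    """How far a row-by-row fill loop (which trusts the real dimensions) would
    write past a buffer that was allocated with the wrapped, naive size."""
    allocated = naive_buffer_size(width, height, bytes_per_pixel)
    needed = width * height * bytes_per_pixel
    return max(0, needed - allocated)


if __name__ == "__main__":
    # Constructed dimensions: 1024 x 1048577 pixels at 4 bytes each needs
    # 4294971392 bytes, which is 4096 more than uint32_t can represent.
    w, h = 1024, 1048577
    print("naive (wrapped) size:", naive_buffer_size(w, h))      # 4096
    print("bytes written past buffer:", overrun_bytes(w, h))     # 4294967296
    try:
        checked_buffer_size(w, h)
    except OverflowError as exc:
        print("checked:", exc)
```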

This indicates that threat actors have already started exploiting this vulnerability in order to target systems and breach them. The results of a successful exploit may be somewhat variable, but they almost always involve at least one of the following: unauthorized access to sensitive information; data corruption; or even a total system takeover.

The Chrome Stable channel has been updated to version 112.0.5615.137 for Windows and Mac, and it has been updated to version 112.0.5615.135 for Android; these updates will roll out over the next few days or weeks.


Tags: Google Chrome


Apr 10 2023

What is Server-Side Request Forgery (SSRF)?

Category: Web Security | DISC @ 8:38 am


Tags: SSRF, SSRF cheatsheet


Apr 03 2023

Tor Project Creates New Privacy-Focused Browser using VPN Layer

Category: Information Privacy, Web Security | DISC @ 3:18 pm

The Tor browser routes your communication through a decentralized network of relays maintained by volunteers located worldwide.

It safeguards your internet connection from prying eyes by preventing any individual from monitoring the websites you visit, shields your physical location from being disclosed to the websites you browse, and enables access to blocked websites.

Numerous reasons exist for why individuals may seek to share files anonymously, with the most prominent being the case of whistleblowers or political activists striving to avoid persecution.

When a user starts Tor, traffic first passes through the first node in the circuit, the "Entry Guard", which is chosen from a pool of 2500 of the 7000 computers in the network. These nodes are known for their high uptime and availability.

New Mullvad Browser

A new browser was launched today, featuring an alternative infrastructure that includes a layer of VPN support in place of the Tor network.

With the new Mullvad Browser, anyone can fully utilize the privacy features developed by the Tor Project.

"Mullvad Browser, a free, privacy-preserving web browser to challenge the all-too-prevalent business model of exploiting people's data for profit," the Tor Project said.

This could be another privacy-focused browser that does not require extensions or plugins to bolster its privacy features.

“Our goal was to give users the privacy protections of Tor Browser without Tor. For instance, the Mullvad Browser applies a “hide-in-the-crowd” approach to online privacy by creating a similar fingerprint for all of its users.”

The Mullvad Browser has a default private mode that obstructs third-party trackers and cookies while providing convenient cookie deletion options.

Mullvad aims to handle all of that for you, allowing you to open the browser with the assurance that you are not easily traceable.

“Our mission at the Tor Project is to advance human rights by building technology that protects people’s privacy, provides anonymity and helps them bypass censorship.”

“We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project’s but with a VPN instead of the Tor Network,” says Jan Jonsson, CEO at Mullvad VPN.

The Tor Project has released a statement affirming that the Tor Browser will continue to evolve and enhance its capabilities.



Tags: dark web, Privacy-Focused Browser, Tor Project


Mar 23 2023

APACHE TOMCAT VULNERABILITY LEAKS APPLICATION SESSION COOKIE TO ATTACKERS

Category: Web Security | DISC @ 2:10 pm

Apache Tomcat is one of the most popular and widely used web servers for Java. It is small, simple to install, and very convenient for building Java web applications. It can also be used for applications somewhat more sophisticated than the conventional JSP application, since it can host JSF implementations (the standard library defined in J2EE for developing dynamic web applications in Java) such as MyFaces, PrimeFaces, RichFaces and others.

All of this is very beneficial, and in fact many web application developers use it on their own computers so that they can develop quickly and focus on what really interests them: making sure the logic of their Java pages and classes works as it should. It really is that straightforward. A software developer typically does not worry about the security of the Tomcat server installed on the computer that his employer has provided; the concept of security rarely even enters his mind. Apache Tomcat provides a "pure Java" HTTP web server environment that implements the Jakarta Servlet, Jakarta Expression Language and WebSocket technologies, allowing Java code to run in that environment. Because of this, it is a frequently chosen option among developers who want to build web applications in Java.

Apache Tomcat (application server software) up to and including versions 8.5.85, 9.0.71, 10.1.5 and 11.0.0-M2 has been found to contain a vulnerability rated as problematic. The bug affects an unidentified function of the RemoteIpFilter handler component; manipulation with unknown input leads to a vulnerability involving the unsecured transmission of credentials. The user name and password are not adequately protected when they are sent from the client to the server via login pages that do not use suitable security measures.

Session cookies generated by Apache Tomcat versions 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute when used in conjunction with requests received from a reverse proxy over HTTP that had the X-Forwarded-Proto header set to https. Because of this, the user agent could send the session cookie over an unsecured connection, which is dangerous.

The vulnerability was disclosed on March 22nd, 2023. The advisory is now available for download at lists.apache.org, where it is also shared. Since March 21st, 2023, this vulnerability has been assigned the identifier CVE-2023-28708. There is neither a technical description nor an exploit that is readily accessible to the public. The attack method has been given the designation of T1557 by the MITRE ATT&CK project.

This vulnerability may be remedied by upgrading to version 8.5.86, 9.0.72, 10.1.6, or 11.0.0-M3 respectively.
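To verify a deployment for the symptom described above, here is an added Python audit (not Tomcat's code, and not from the advisory) that inspects the Set-Cookie headers of a response to a request that a reverse proxy forwarded with X-Forwarded-Proto: https and reports a JSESSIONID cookie that lacks the Secure flag; the request and response header sets are constructed samples.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flags without a value map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_session_cookie(request_headers, response_headers, cookie_name="JSESSIONID"):
    """Return a list of findings for the session cookie.

    request_headers / response_headers: lists of (name, value) pairs as seen
    behind a reverse proxy.  When the proxy terminated TLS it signals this with
    X-Forwarded-Proto: https, and the RemoteIpFilter is expected to treat the
    request as secure, so the session cookie must then carry the Secure flag."""
    forwarded_https = any(
        n.lower() == "x-forwarded-proto" and v.strip().lower() == "https"
        for n, v in request_headers
    )
    findings = []
    for n, v in response_headers:
        if n.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if name != cookie_name:
            continue
        if forwarded_https and "secure" not in attrs:
            findings.append(f"{name} lacks Secure although the request was forwarded as https")
        if "httponly" not in attrs:
            findings.append(f"{name} lacks HttpOnly")
    return findings


# Constructed sample headers (not captured from a real server).
PROXIED_REQUEST = [("Host", "app.example.test"), ("X-Forwarded-Proto", "https")]
VULNERABLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"),
]
FIXED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_session_cookie(PROXIED_REQUEST, VULNERABLE_RESPONSE))
    print(audit_session_cookie(PROXIED_REQUEST, FIXED_RESPONSE))  # []
```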

Tags: APACHE TOMCAT


Mar 14 2023

TWO VERY CRITICAL VULNERABILITIES PATCHED IN NEW APACHE HTTP SERVER UPDATE

Category: Security vulnerabilities, Web Security | DISC @ 8:22 am

Apache HTTP Server is one of the web servers that is used the most often throughout the globe. It is responsible for providing power to millions of websites and apps. Recent vulnerabilities found in the server, on the other hand, have the ability to disclose sensitive information and make it easier for attackers to carry out further attacks. The Apache HTTP Server has recently been found to contain two significant vulnerabilities, both of which are detailed below. It is imperative that you rapidly upgrade Apache HTTP Server to the most recent version in order to protect your system against the vulnerabilities described.

CVE-2023-25690, an HTTP request splitting vulnerability in Apache HTTP Server. The vulnerability arises in mod_proxy when it is enabled together with some form of RewriteRule or ProxyPassMatch. A remote attacker might use it to bypass access controls in the proxy server, route unintended URLs to existing origin servers, and poison caches. HTTP request smuggling attacks are possible on Apache HTTP Server versions 2.4.0 through 2.4.55 when the server is configured with certain mod_proxy settings: a non-specific pattern matches some portion of the user-supplied request-target (URL) data, and the matched data is then re-inserted into the proxied request-target using variable substitution. This is what triggers CVE-2023-25690. It might result in requests being split or smuggled, access rules being bypassed, and unintended URLs being proxied to existing origin servers, all of which could lead to cache poisoning.

Versions of Apache HTTP Server from 2.4.30 to 2.4.55 are impacted by the problem. This attack is carried out by introducing unusual characters into a header of the origin server's response, which can either truncate or split the response that is sent to the client. An attacker might make use of this vulnerability to inject their own headers into the request, causing the server to produce a split response.
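As an added, heuristic configuration audit (not part of the Apache project or of the advisory), the following Python flags the configuration shape the post describes: ProxyPassMatch directives, or RewriteRule directives carrying the P (proxy) flag, whose pattern captures an unrestricted `(.*)`/`(.+)` portion of the request-target and whose substitution re-inserts it into the proxied target with a `$N` backreference. The configuration text is constructed; the check is line-based and only narrows what to review, since the pattern is also common in legitimate configurations.

```python
import re

# Directive forms: pattern and substitution are optionally double-quoted.
PROXY_PASS_MATCH = re.compile(
    r'^\s*ProxyPassMatch\s+"?(?P<pat>[^"\s]+)"?\s+"?(?P<sub>[^"\s]+)"?', re.I)
REWRITE_RULE = re.compile(
    r'^\s*RewriteRule\s+"?(?P<pat>[^"\s]+)"?\s+"?(?P<sub>[^"\s]+)"?\s*(?P<flags>\[[^\]]*\])?',
    re.I)
# A capture group that swallows arbitrary request-target data: (.*), (.+), (.*?) ...
UNRESTRICTED_CAPTURE = re.compile(r'\(\.[*+]\??\)')
# A backreference that re-inserts captured data into the proxied target.
BACKREF = re.compile(r'\$\d')


def has_proxy_flag(flags):
    """True for RewriteRule flag lists such as [P], [P,L] or [proxy]."""
    return any(f.strip().lower() in ("p", "proxy")
               for f in flags.strip("[]").split(","))


def audit_proxy_rewrites(config_text):
    """Return (line number, directive) for each proxying directive whose
    substitution re-inserts an unrestricted capture of the request-target."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PROXY_PASS_MATCH.match(line)
        if not m:
            m = REWRITE_RULE.match(line)
            if not m or not has_proxy_flag(m.group("flags") or ""):
                continue  # a plain rewrite or redirect never reaches mod_proxy
        if UNRESTRICTED_CAPTURE.search(m.group("pat")) and BACKREF.search(m.group("sub")):
            findings.append((lineno, line.strip()))
    return findings


# Constructed sample configuration (not taken from a real server).
SAMPLE_CONFIG = """# constructed sample
RewriteEngine on
RewriteRule "^/here/(.*)" "http://backend.internal:8080/elsewhere?$1" [P]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:8080/api/$1"
ProxyPassMatch "^/static/([A-Za-z0-9_.-]+)$" "http://backend.internal:8080/static/$1"
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
"""

if __name__ == "__main__":
    # Expected: lines 3 and 4 are flagged; the restricted capture on line 5
    # and the non-proxying redirect on line 6 are not.
    for lineno, directive in audit_proxy_rewrites(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}")
```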


Tags: Apache HTTP Server



Mar 07 2023

3 simple steps to evaluate a web vulnerability scanner

Category: Web Security | DISC @ 3:38 pm

There are many web vulnerability scanners available on the market and their performance varies widely. Here we show you how you can quickly and objectively evaluate web vulnerability scanners, to help you find the best product for detecting security issues in your web applications.

Evaluating a web vulnerability scanner can be a complex task, but here are some key factors to consider:

  1. Accuracy: The most important factor to consider is the accuracy of the scanner. A good scanner should be able to detect all types of vulnerabilities accurately, without generating false positives or negatives.
  2. Coverage: The scanner should be able to scan all areas of the web application, including dynamic and static content, as well as all types of input fields, including cookies and hidden fields.
  3. Speed: The scanner should be fast and efficient, with the ability to scan large web applications quickly.
  4. Ease of use: The scanner should be easy to use, with a user-friendly interface and clear reporting of vulnerabilities.
  5. Reporting: The scanner should generate detailed reports of vulnerabilities, with clear descriptions of each vulnerability, its severity, and recommendations for remediation.
  6. Integration: The scanner should be able to integrate with other tools, such as bug tracking systems and penetration testing tools.
  7. Support: The vendor should provide good technical support and regularly update the scanner with new vulnerability signatures and features.

It’s also important to test the scanner against known vulnerabilities to see how it performs in real-world scenarios. Additionally, comparing multiple scanners against the same web application can help identify strengths and weaknesses of each scanner.


It’s easy – follow these 3 simple steps:

1. Choose a web app that will make testing easy

2. Select web vulnerability scanners and scan your apps

3. Determine how well the scanners performed

https://portswigger.net/burp/enterprise/resources/how-to-evaluate-a-web-vulnerability-scanner



Tags: web vulnerability scanner


Mar 06 2023

Browser Security report reveals major online security threats

Category: Information Security, Web Security | DISC @ 12:27 pm

LayerX has published its annual browser security report in which the company highlights the most prominent browser security risks of 2022. The report includes predictions and recommendations for 2023 as well.

The report focuses on Enterprise environments, but several of its key takeaways apply to small business and home environments as well. The browser security threats of 2022 make up the largest part of the document, but users find predictions, recommendations and an interesting monthly overview of major security events in the report as well.

The nine major threats that LayerX identified in 2022 were the following ones:

  • Phishing attacks via high reputation domains.
  • Malware distribution via file sharing systems.
  • Data leakage through personal browser profiles.
  • Outdated browsers.
  • Vulnerable passwords.
  • Unmanaged devices.
  • High-risk extensions.
  • Shadow SaaS.
  • MFA bypass with AiTM attacks.

Some of these are quite clear, others may require explanation. For phishing attacks, the researchers discovered that threat actors are hosting phishing URLs on legitimate SaaS platforms at an alarming rate. The rate of phishing attacks that use these legitimate platforms has increased by 1100% when compared to 2021, according to a Palo Alto Networks study.

LayerX conducted tests on how well browsers and network security tools protected against 1-day phishing sites. According to the test, the best performing browser had a catch rate of just 36%. Network security software blocked 48% of threats.

Similarly, malware is distributed via sanctioned services such as Google Drive and Microsoft OneDrive, to overcome blocks that may be in place for lesser known services and sites.

An analysis of data leakage in browsers concluded that 29% of users connected work browsers to personal profiles, and that 5.8% of identities were exposed in data breaches.

Outdated browsers are another threat to security, according to LayerX's report. An analysis of 500 Chrome browsers revealed that a good number were either critically outdated or vulnerable to 1-day attacks.

Weak passwords and the reuse of passwords continue to be major issues. According to LayerX's report, 29% of users use weak or medium strength passwords, and 11% of users reuse passwords regularly. The company noticed that 29% of browser profiles were personal and set to sync.

Web browser extensions are another attack vector, as they "can grant excessive permissions once installed". A recent Incogni study found that almost half of the analysed browser extensions posed either a high security or a high privacy risk.

The report includes an overview of browser security highlights of the year 2022. It is an interesting account that lists major security events in 2022. Some of these involved attacks, like the January 2022 video player attack that stole credit card information from over a hundred sites. Others highlight security advances, like the passwordless logins announcement by major tech companies in May, or the end of Internet Explorer in June.

The report ends with four predictions and recommendations. Predictions include that browsers will become “the main attack surface”, that attacks will “be increasingly SaaS-based and less file-based”, and that malicious web pages “will become more sophisticated”.

Closing Words

The report offers insights on the browser threat landscape of 2022, and how threats will evolve in 2023 and beyond. While most of it is aimed at Enterprise and large business environments, it may still be of interest to home users and small businesses alike.

The recommendations focus on SaaS and Enterprise-grade protections, but all users may use the listed threats to improve security. For example, outdated browsers may be updated more frequently, and weak or reused passwords may be replaced with unique strong passwords.

The report is available for download here, but a short form needs to be filled out before the download link is made available.

Source:

https://www.ghacks.net/2023/03/05/browser-security-report-reveals-major-online-security-threats/




Tags: browser security


Feb 16 2023

How to Find Web Server Vulnerabilities With Nikto Scanner

Category: Security Tools, Web Security | DISC @ 10:55 am


Nikto is an open source web server vulnerability scanner written in Perl. Its function is to scan your web server for vulnerabilities.

Nikto scans for over 6700 items to detect misconfigurations, risky files, etc. Some of its features include:

  • Reports can be saved in HTML, XML or CSV
  • It supports SSL and Full HTTP Proxy
  • Scan multiple ports on the server
  • Find subdomain
  • Apache user enumeration
  • Checks for outdated components
  • Detect parking sites
  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Let's get started with the installation and how to use this tool.

This can be installed on Kali Linux or other OS (Windows, Mac OSX, Redhat, Debian, Ubuntu, BackTrack, CentOS, etc.), which support Perl.


In this article, I will explain how to use Nikto on Kali Linux.

First we install the Nikto tool from GitHub or with the apt install command in a terminal.

Using Nikto's help output we can see the various options and parameters that let us use this tool efficiently.

Then we use the basic syntax to check a website for vulnerabilities.

Nikto is also capable of scanning over SSL on port 443, the port that HTTPS websites use (HTTP uses port 80 by default). So we are not limited to scanning old plain-HTTP sites; we can run vulnerability assessments against sites that use SSL, which is pretty much a requirement these days to be indexed in search results.

If we know it’s an SSL site that we’re targeting, we can specify it in Nikto to save some time on the scan by adding -ssl to the end of the command.

So by using this tool we can analyze the vulnerability of the website.



Tags: Nikto Scanner

