Blog

  •

    A simple way to view documents safely

    4.82 of 67 votes

    Working in the media industry has shown me that the weakness of many journalists is their desire to click on and open things that promise something they want. This presents a security risk, one often compounded by the demanding speed at which reporters must compete to ingest information and make rapid editorial decisions. The reality is that journalism commands a commitment to discovery, fact-finding, and meeting strict publishing deadlines. Because of this, many non-technical journalists consider a habitual routine of basic security rituals a wasteful employment of their already limited time, which means I am often relied on, by those I know, to validate if particular files are safe to open.Validating whether or not a file is malicious in nature requires a more laborious approach than simply viewing the content safely (it’s important to understand the distinction here). Like malware, legitimate files naturally differ in size and format, and attackers are always adapting their exploitation techniques to maximise the efficiency of their payloads evading detection. If the volume of data is significant, malware analysis can occupy a considerable amount of time. In most cases, simply being able to open a document in a safe and readable format is sufficient to satisfy the necessary security balance, and there are tools that can help facilitate this. Enter dangerzone Dangerzone is a simple open-source application that can safely open a variety of documents (PDFs, Microsoft Office, LibreOffice, images, etc) in a sandbox environment. This is a tool I have used on the fly in substitution of Qubes, and something I would recommend for non-technical audiences aiming to safely view the contents of common files themselves. In short, dangerzone leverages Linux containers to sandbox files, flattens the content into images, then uses optical character recognition (OCR) to produce a safe searchable text layer which is output into a safe-to-view PDF. Dangerzone can be installed on Windows, Mac, and Linux, and is capable of converting the following document formats: .pdf, .docx, .doc, xlsx, .xls, .pptx, .ppt, .odt, .ods, .odg, .jpg, .jpeg, .gif, .png, .tif, .tiff Download WindowsMacLinux Please note, dangerzone is only a file converter. It does not perform malware analysis and is not a detection utility. Using dangerzone to convert a suspect file into a document you can view safely does not mean the original source file is clean.   How does it work? Dangerzone uses Linux containers (two of them), which are sort of like quick, lightweight virtual machines that share the Linux kernel with their host. The easiest way to get containers running on Mac and Windows is by using Docker Desktop. So when you first install dangerzone, if you don’t already have Docker Desktop installed, it helps you download and install it. When dangerzone starts containers, it disables networking, and the only file it mounts is the suspicious document itself. So if a malicious document hacks the container, it doesn’t have access to your data and it can’t use the internet.The first container: Mounts a volume with the original document Uses LibreOffice or GraphicsMagick to convert original document to a PDF Uses poppler to split PDF into individual pages, and to convert those to PNGs Uses GraphicsMagick to convert PNG pages to RGB pixel data Stores RGB pixel data in separate volume Then that container quits. A second container starts and: Mounts a volume with the RGB pixel data If OCR is enabled, GraphicsMagick converts RGB pixel data to PNGs, and Tesseract converts PNGs to searchable PDFs Otherwise uses GraphicsMagick to convert RGB pixel data into flat PDFs Uses poppler to merge PDF pages into a single multipage PDF Uses ghostscript to compress final save PDF Stores safe PDF in separate volume Then that container quits, and the user can open the newly created safe PDF. Credit: Micah Lee, https://tech.firstlook.media Further points to consider Converting a file can damage the integrity of any original file content. Relying on the availability and expertise of third-party analysis could be unnecessarily exposing them to potentially confidential information. Encrypted, password protected, or compressed files are naturally obfuscated, which attackers may rely on to circumvent network, application, and anti-virus security controls. Uploading potentially sensitive files to cloud-based file scanning services such as VirusTotal may risk loss of confidentiality. Such services automatically index file signatures into public databases as ‘artifacts’, which APTs may correlate against known signatures (such as leaked documents) to identify what source material you possess.

  • How to perform SQL injection attacks

    4.58 of 65 votes

    SQL injections are one of the most popular server-side injection attacks. During an SQL injection attack, the attacker injects a malicious SQL query input. If the web application fails to sanitise that input, the query will be successfully executed on the server database and trigger an output response. These responses can vary, but most consist of error syntax leading to information leakage. Once an attacker possesses enough knowledge about the backend database table structure, they can inject specific commands to insert, update, and delete data within the database. If elements of an application communicate with a SQL database for authentication (such as login forms), a malicious query can also be leveraged to subvert the application logic. How SQL injection attacks work To explain how SQL injections work, I will use an example of a web application configured to require a username and password for authentication. This is typical of most web applications that have an SQL database on the backend. When a username and password is submitted via this login form, the web application takes this user input and queries the backend database to see if those credentials exist. The SQL query this user input generates will look something like this: This query commands the database to select any number of rows that match our conditions from users (where users is the table name), and then check the username and password columns for the user supplied input values. If the user supplied input values match those within the database, the SQL statement will be TRUE and the user will be logged in successfully. If any user supplied input values are incorrect, missing, or invalid, the SQL statement will be FALSE and the login will fail. It is important to remember that the SQL query is always generated by the web application and that the only control the user ever has (in this example) is over the username and password input values within it. This means an attacker is limited to what those fields accept when crafting a malicious string in effort to manipulate an SQL query. In this example, the objective of the attacker is to login successfully without knowing the user credentials. This means the focus of the attack will be to trick the SQL database into issuing a TRUE response to an attacker crafted query when attempting to login. OR logic gates To achieve this, an attacker can rely on an OR logic gate. An OR logic is a basic function that takes certain inputs and produces an output. The way this works can be illustrated via the simple A/B table below. This table shows that when rows A and B meet certain boolean conditions, the logic gate will produce a specific output. What is shown in this example is that the output TRUE is always consistent with TRUE inputs in any given row. This is irrespective of whether or not inputs within those rows also reflect FALSE. Putting it simply, the function of this logic gate defines any TRUE input as an overriding value which results in a TRUE output. Example To illustrate how this works in practice, I will be using the logic of this OR function in my SQL injection attack by amending the username value to the following: This query will return TRUE. The reason for this is because the first apostrophe closes the string parameter, and then the database takes the OR function and applies the 1=1 statement. As 1 is equal to 1, the database considers this part of the SQL statement TRUE. The purpose of the double hyphens is to comment out the rest of the SQL query, resulting in the database believing the conditions of the login are TRUE. This will result in the login being successful. Whilst this example demonstrates a single SQL injection string, it is important to remember that there is no universal string an attacker can leverage to craft a working malicious query. SQL databases typically differ greatly in format, size, and content, as do the defensive measures some web applications adopt to validate user input. The conditions that need to be satisfied for an SQL injection to be successful will depend entirely on how any target web application is built. Different SQL injection attack types There are two primary types of SQL injection attacks, error based and blind based. Error based attacks rely on inferences an attacker can make from specific errors produced by a web server whenever specific SQL statements are submitted to it. Blind based attacks are a form of indiscriminate fuzzing, where the expected application output is usually unknown. Responses (or lack thereof) produced by a web server to blind based attacks can enable an attacker to make informed determinations about the database structure, which – when combined with a carefully crafted SQL query, can amount to exploitation.   Prevention To prevent SQL injection attacks, the following layers of defence can be adopted: Special characters submitted as input such as ' and '' should be encoded before the web application passes them into an SQL query and special string characters used within input parameters should be escaped. Suspicious user inputs submitted should be checked against a predefined blacklist of strings and rejected wherever the same values are shared.

  • How to identify Path Traversal vulnerabilities

    4.77 of 66 votes

    Websites are made up of two types of file, those intended to be accessible by the browser (like JavaScript and CSS files), and those that are not. Web servers often route URLs to particular template files or assets on the file system. Typically, the layout of the files on the server mirror the URL structure of the website. A poorly configured web server can be too permissive about what files it returns and this can allow an attacker to access files which were never intended for public access. This may allow commands to be executed on the web server and data can be copied or modified. How does this work? For example, a website hosts a document at the https://jacobriggs.io/documents?files=whitepaper.pdf URL. An attacker visits this URL triggering a request to download the document via their browser. The attacker notices the name of the requested document is passed in the files parameter of the query string. Unfortunately, in this instance, the raw file name whitepaper.pdf is used in the download URL, so an attacker can abuse the files parameter to climb out of the directory that holds documents within the files location. An attacker can now craft a URL using relative path syntax ../ to explore the local file system.  If the normal file path URL is https://jacobriggs.io/documents?files=whitepaper.pdf then the instruction that is passed to the server when requesting this is to open the /etc/apache2/jacobriggs.io/documents/whitepaper.pdf location. If the attacker crafted URL is https://jacobriggs.io/documents?/files=../../../../ssl/private/private.key then the instruction that is passed to the server when requesting this is to access the /etc/ssl/private/private.key location. Since the server does not validate file paths, an attacker is now able to access sensitive files.   Tutorial For this example I will be using PortSwigger’s web security lab. To solve the lab, we must retrieve the contents of the /etc/passwd file. Whilst this is a rudimentary task and can be done without the need of automation, I will be using their lab environment to demonstrate Burp Suite tooling and common path traversal fuzzing techniques used in practice. First we open the lab environment website and navigate to a product listing. We view the source code of the web page and notice that the requested images are being passed in the filename parameter. We open up Burp, turn on Proxy > Intercept, and we request the image directly via its normal file path URL in our browser. We then check our captured HTTP GET request, and send the vulnerable parameter to Intruder. We then navigate to Intruder > Positions and we review the payload positions within the request template. We can see that the cookie session parameter within our base request is automatically assigned a payload position. This is not needed, as the current session will be sufficient for our attack, so we highlight and clear the entry. We then navigate to Intruder > Payloads to configure our attack. Under Payload Options we click Load and add the dotdotpwn.txt file which contains a list of common attack strings to help automate our fuzzing. Now we need to instruct Burp to identify which of our captured responses contain the strings we're interested in. We know that the passwd location is structured in the format of a standard user account table. We also know that this table always contains the user root within it. So we navigate to Intruder > Options and instruct Burp to flag any responses matching the root: string. As everything is now configured, we can navigate to Intruder > Target to double check we are targeting the correct host and initiate our attack. For each query sent within our payload parameters, Burp captures the responses. This is where we pay particular attention to any anomolies within the length of the responses, and any flags matching the root: string. We can see that request 9 is identified as a match, and that when viewing the server response the full structure of the passwd table format is returned. We have now achieved the path traversal attack by proving we can access the passwd file and content within it. Whilst this is a basic example, it demonstrates the simple risks associated with websites allowing the placement of user input in file paths.   Prevention To prevent path traversal vulnerabilities, it is important that web applications avoid passing arbitrary strings of user supplied input to filesystem APIs. Where passing arbitrary strings of user supplied input is necessary, two layers of defence can be adopted: User supplied input should be validated by the web application before processing it. This validation should compare against a whitelist of permitted values. Once user supplied input has been validated, the web application should append it to the base directory, ensure the path is canonical to the filesystem, and that the canonicalised path starts with the expected base directory. .

  • Entra ID honeytoken with automated alerting and blocking

    5.00 of 14 votes

    Automated Alerting Microsoft Teams Slack Google Chat   Automated Blocking Microsoft Defender Mimecast Web Cisco Umbrella Company Name: Required Web Host Path: Required Background Image: Optional Webhook: Required Webhook: Required Webhook: Required Tenant ID: Required App ID: Required Client Secret: Required Policy ID: Required Client ID: Required Client Secret: Required API Key: Required Key Secret: Required Submit   Step 1   Download the above 3 files, and host them at your specified URL path here: Step 2   Download the above CSS file. Navigate to your Azure Entra ID login customisation page. Choose Layout, scroll down to Custom CSS, click Browse and choose the downloaded file.