Blog

  •

    Discord saves deleted images to your filesystem

    • General
    • by Jacob Riggs
    • 08-05-2023
    4.90 of 93 votes

    This post outlines a security issue with Discord due to how it handles deletion records and localised caching for media posted in shared channels. The issue Media posted in Discord channels is written to the filesystem of every channel participant, even if that media is deleted from the channel immediately after being posted. It's important to note that this form of caching is a common practice and typically employed to facilitate quicker loading of content. However, the fact that Discord allows for the deletion of channel posts without any clear evidence of the deletion may present a potential vector for attack that I think all Discord users should be mindful of. In an extreme hypothetical scenario, consider if a malicious party was to post indencent images of children or bomb-making plans to a wide-audience Discord channel, then immediately delete the posted images and proceed to file an anonymous report to law enforcement agencies alleging the participants in the channel have copies of that data stored on their filesystems. Whilst some might consider this attack unlikely, the possibility remains, particularly if your threat-model includes state actors with a desire to get their hands on your devices. Finding your Discord cache Open File Explorer and navigate to %AppData%/discord/Cache/Cache_Data Right-click in the window and navigate to Open in Terminal Rename all files in the folder to use the .png extension by running the command:Get-ChildItem -Path "$env:APPDATA/discord/Cache/Cache_Data" -File | ForEach-Object {Rename-Item $_.FullName -NewName "$($_.BaseName).png"} Unfortunately, Discord's lack of configuration options adds to this issue. At the time of this blog post, there are no settings present within the application that allows for cache control. My recommendation is simply to be careful what Discord channels you choose to participate in.Alternatively, you can also opt to employ the use of a Windows Task Scheduler to automatically run a PowerShell script that deletes the folder every 24 hours. Whilst this doesn't solve the problem, it may offer some assurance that cached media won't persist forever. This approach of course also doesn't prevent forensic recovery. Set up a task scheduler to auto-delete your Discord cache Open a notepad file and paste this command into it Remove-Item -Path "$env:APPDATA/discord/Cache/Cache_Data" -Recurse -Force Save the file somewhere you won't lose it, such as to your Documents folder, and rename it to use the .ps1 file extension (such as discord-cache-deletion.ps1). Open the Windows Task Scheduler by searching for Task Scheduler in the start menu. Navigate to Task Scheduler in the start menu. Click on Create Basic Task in the pane on the right side of the window and then add a name and description for the task. Configure the Trigger conditions to run Daily In the Action step, select Start a program In the Program/script field enter powershell.exe and in the Add arguments field, enter the file path -ExecutionPolicy Bypass -File "C:/[YOUR_ACCOUNT_NAME]/Documents/discord-cache-deletion.ps1" Click Finish to save the task.

  • Configuring Burp to proxy traffic from mobile apps

    4.92 of 100 votes

    In this blog post, I'll explore how to configure Burp to proxy traffic from mobile apps to assist with the security testing of mobile applications. Getting started To get started, there are a few pre-requisites needed: Windows OS An up-to-date Windows OS with Android Debug Bridge (adb) installed. Kali VM An up-to-date Kali VM with Android Debug Bridge (adb) installed (run sudo apt-get install adb) Burp Suite An up-to-date Burp Suite. Mobile Device A rooted Android device (in this example I'm using a rooted Nexus 5X running LineageOS). Configuring the Burp listener Open up Burp Setup listener Navigate to Proxy > Proxy settings > Proxy listeners then Add a new proxy listener and bind it to port 8081 across All interfaces Connecting the mobile device Connect mobile device via USB Connect the Android mobile device (in this example I'm using a rooted Nexus 5X running LineageOS) via a USB data cable. Configure the USB connection On the device, navigate to Settings > Connected devices > USB and select Transfer files Mirroring the mobile device to desktop Download and install Vysor You can download Vysor from here. Run Vysor Open Vysor and select the View Device button with a play icon. Your Android mobile device should not be mirrored to your computer screen. If Vysor cannot find your device, follow the steps below: (a) Restart your mobile device and restart your computer. (b) Make sure you are using a USB data cable. Charge cables will not always allow data transfer over USB. (c) On Windows, download the Universal ADB Drivers. If that doesn't work, try installing your manufacturer's drivers. (d) Enable ADB debugging on the mobile device. (e) Set your mobile device USB mode to PTP (it is usually MTP or Charge Only).   Configuring the mobile device proxy Configure the mobile device network On your Android mobile device, navigate to Settings > Network & Internet > Wi-Fi > and select the access point you wish to connect to. Then select Advanced options and set the Proxy to ManualIf you're already connected to the access point before starting this step, ensure you first select Forget network Configure the mobile device proxy The proxy settings should be set as follows: (a) Proxy hostname = The IP address of the device using Burp which you wish to proxy traffic through (b) Proxy port = The port we set earlier which is 8081 Example: (c) Now click CONNECT Exporting the CA Certificate Now Burp is configured to intercept the Android mobile device traffic, but without a valid CA Certificate in place will be unable to decrypt HTTPS traffic. Export the CA certificate Open Burp and navigate to Proxy > Proxy settings > Proxy listeners then select the Import / export CA certificate button Select the CA certificate format Export the CA Certificate in DER format. In this example we will name it cacert.der Converting the CA certificate format Convert the DER file into PEM Now we need to convert the DER file into PEM format for Android and have the filename equal to the subject_hash_old value appended with a .0. To achieve this, we can move the cacert.der file over to a Kali VM and execute the following commands: openssl x509 -inform DER -in cacert.der -out cacert.pemopenssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1mv cacert.pem [hash].0 Example: Move the PEM file to the mobile device Now we need to move the newly created PEM file over to the Android mobile device /system filesystem. To achieve this we can leverage the following adb commands: adb rootadb remountadb push [cert].0 /sdcard/ adb shellmv /sdcard/[cert].0 /system/etc/security/cacerts/chmod 644 /system/etc/security/cacerts/[cert].0exit adb reboot Example: Verifying the CA certificate is installed Verify the certificate installation Once restarted, the CA Certificate should be installed on the Android mobile device. This can be verified by navigating to Settings > Security & privacy > Encryption & credentials > Trusted credentials and searching in the System directory to validate the CA Certificate from PortSwigger is present.

  • Setting up an API pentesting environment

    4.92 of 92 votes

    This is my go-to reference documentation for setting up a fresh dedicated API pentesting environment within Kali. Setting up Burp Download Jython Head over to https://www.jython.org/download.html and download the latest Jython standalone installer. Set the Python Environment path Set the downloaded Jython installer as the Python Environment path. Install the Autorize extension Within Burp, navigate to Extender > BApp Store > search for Autorize and install the extension. Install FoxyProxy With Firefox open, press Ctrl + Shift + A to open the add-ons menu. Search for FoxyProxy Standard Add FoxyProxy to Firefox Navigate to FoxyProxy options Add Burp to FoxyProxy Add Postman to FoxyProxy Configure Burp Suite Certificate Start Burp With Burp Suite enabled in FoxyProxy, navigate to http://burpsuite and click the CA Certificate to download the certificate. In Firefox, open Preferences and use the search bar to look for certificates. Import the downloaded certificate. In Chrome, open Settings > Privacy and security > Certificates managed by Chrome and import the downloaded certificate (may need to change the file type options to 'All Files'). Postman Download Postman sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz Extract and install Postman sudo tar -xvzf postman-linux-x64.tar.gz Link the postman command sudo ln -s ~/Postman/Postman /usr/bin/postman mitmproxy2swagger Install mitmproxy2swagger sudo pip3 install mitmproxy2swagger Git Install Git sudo apt install git Docker Install Docker sudo apt install docker-composesudo apt install docker.io Golang Install Golang sudo apt install golang-go At this point a restart may be required. JWT Tool Pull down the JWT Tool repo sudo git clone https://github.com/ticarpi/jwt_tool.git Install JWT Tool cd jwt_toolpython3 -m pip install termcolor cprint pycryptodomex requestssudo chmod +x jwt_tool.pysudo ln -s ~/jwt_tool/jwt_tool.py /usr/bin/jwt_tool Kiterunner Pull down the Kiterunner repo sudo git clone https://github.com/assetnote/kiterunner.git Install Kiterunner cd kiterunnersudo make buildcd distsudo ln -s ~/kiterunner/dist/kr /usr/bin/kr Arjun Pull down the Arjun repo sudo git clone https://github.com/s0md3v/Arjun.git Install Arjun cd Arjunsudo python3 setup.py install ZAProxy Install ZAProxy sudo apt install zaproxy Update OpenAPI add-on

  • The mystery 50p coin I found

    • General
    • by Jacob Riggs
    • 13-09-2022
    4.90 of 94 votes

    Over 50 years ago a coin entered circulation. A coin that once belonged to a man named Sean Creamer. Engraved on the faces of this coin are the wordsThis once belonged to Sean Creamer 58 Henry St Limerick — worth £5 to me if returned Today this mystery coin resides with me, after what I suspect has been a very long journey.I'm not sure who Sean Creamer is or what motivated him to inscribe his message, though the words do make me think there's a certain desperation in the creative fight to declare our existence. Much like the reason many of us post online, we're participants of the past speaking our own timeless messages like a familiar chapter in a tattered book — messages that we hope might survive the test of time and someday outlive us. "See me. Remember me. I was here." Perhaps this small relic of the past is intended to function as more than a memento, a keepsake, or a souvenir. Maybe it's an artifact of history that truly belongs to nobody, only temporary caretakers during its journey, and serves to teach an important lesson about value.Maybe a value worth more than we ever realise at the time.

  •

    Shark Tank success 'LARQ' sent me a free water bottle

    • General
    • by Jacob Riggs
    • 27-08-2022
    4.93 of 129 votes

    Last week I fell into the abyss of watching random YouTube videos and at one point landed on a video featuring LARQ, the highest valuation company to ever pitch on the popular US television show Shark Tank. The product line they were offering was simple – self-cleaning water bottles that use UV light to purify water. Intrigued to find out if the company had found success since airing and intending to purchase one of their bottles for myself, I registered to their site.Shortly after registering I noticed a security vulnerability, and duly reported this to them that sameday. My report was well received, and as a thank you, they kindly offered to send me any product I wanted for free.Hi Jacob, Our Digital team is very grateful for your time and the issue you have brought to our attention, we would be happy to ship you any LARQ Product of your choice as a thank you! Please be so kind as to confirm which product you would like and your shipping address. Thank you! I opted to select the LARQ Bottle PureVis 740ml (insulated), as I figured this would have been my preferred choice for purchase. Thanks to the LARQ customer experience team for sending me this free gift.

  •

    UK ISPs prohibit ethical security research activities

    • General
    • by Jacob Riggs
    • 26-08-2022
    4.91 of 100 votes

    All major UK ISPs seem to stipulate contractual terms which specifically prohibit their customers from employing the use of their home broadband service for security testing activities, regardless of the lawful basis for those activities (such as when penetration testing and bug bounty engagements are authorised). Below are the relevant extracts I pulled from those associated policies. If you're a UK customer of these services and engage in any bug bounty or penetration testing activities, it's likely you've already agreed to comply with these terms, and may therefore be at risk of having your home broadband service suspended for violating them. POLICY EXTRACT Source: Vodafone Acceptable Usage Policy 2.  Your use of the Service ... 2.9   You must not use the internet to send information that has forged addresses or are deliberately constructed to adversely affect remote machines or other computer systems. 4.  Network security 4.1   You must not take any action that could inhibit or violate the network security of any person or company (including Vodafone) or that could adversely affect their use of the internet. POLICY EXTRACT Source: BT Acceptable Usage Policy Security Violations The BT Network may not be used to violate the security of a network, service or other system. Examples of security include hacking, cracking into, monitoring, or using systems without authorisation; scanning ports; conducting denial of service attacks; distributing viruses or other harmful software; smurf attacks; and unauthorised alteration or destruction of websites or other information. POLICY EXTRACT Source: Virgin Media Acceptable Usage Policy 5.   Your responsibilities - Virgin Media’s systems, services and equipment ... 5.2.   Specific prohibited acts in relation to Virgin Media’s systems, services and equipment are: ... 5.2.5.   attempting to circumvent user authentication or security of any host, network, or account (also known as “cracking” or “hacking”). POLICY EXTRACT Source: Sky Acceptable Usage Policy Do not violate anyone's systems or network security You must not use Sky Broadband, or allow someone else to use Sky Broadband, to violate Sky’s networks’ security or any third party’s system or network security by any method including: ... You must not send, receive, store, distribute, transmit, post, upload or download any materials that are designed to violate Sky Network’s security or any third party’s system or network security. Examples of such prohibited material may include (but are not limited to): ... •  tools designed to compromise the security of other sites; These terms make up the components of valid contracts, and as ISPs are in the business of making money, this raises a few questions. Do ISPs actually care what their customers do with their service? How enforcable are the relevant legal obligations in practice? Are ISPs actively monitoring customer traffic for attack characteristics? Do reports of abuse ever result in ISPs terminating services? Such unanswered questions might incentivise security professionals to consider the wider use of commercial VPNs.