Web Penetration Testing in Academic Research Domain
API Security Issues
General Status Code Error
Access Control
Injection
XSS
Brief Summary (updated on 10/09/2020)
Papers on web penetration testing are interesting in that they propose several state-machine-based tools that help automate web penetration testing and identify state changes.
Papers on injection are mostly about defense mechanisms that use machine learning or other techniques to filter out malicious traffic. As for attacking algorithms, most are discussing the a ...
REST API Security
Literature Review
Current problems
Exposed information in URL
HTTP request type; URL change; Cache-Control; authentication;
XSS and CSRF
Robotic System Security Study
Robotic Security Proposal Study
Existing Vulnerabilities
sensor data spoofing
tampered controller input
ROS vulnerability: auth, DoS, BoF, etc.
A summary:
Objectives and Specific Aims
The objective of this proposal is to design a secure and efficient multi-robot system, providing comprehensive protections for the workloads’ data and executions.
Systematization of knowledge about vulnerabilities in robot applications: understand the problems through literature review; develop tools for security s ...
Practical Probabilistic Programming (1)
Writing Probabilistic Programming
Probabilistic Models and Probabilistic Programs
Using the model to answer a query
1.1 Conditioning based on evidence to produce the posterior probability distribution
1.2 Answering queries
The ingredients of probabilistic models
A probabilistic model is a formal representation of a probability distribution, and many representations are possible. One representation is a table of explicit probabilities, but that’s not practical for all but the simplest problems. ...
[Web Security Academy] SQL Injection (3): Time-based Blind SQL Injection
Lab: Blind SQL injection with conditional responses
Intro
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.
The database contains a different table called users, with columns called username ...
[Web Security Academy] SQL Injection (2): Blind SQL Injection
This topic is explained in detail in the OSWE course, and I assume that it will be tested in the exam.
Lab: Blind SQL injection with conditional responses
Intro
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query ...
[Web Security Academy] SQL Injection (1)
Lab 1: SQL injection UNION attack, determining the number of columns returned by the query
Intro
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full atta ...
[Web Security Academy] Insecure Deserialization (1)
(Labs 1 and 2 are skipped because the contents are easy. The main purpose of this practice is to prepare myself for the OSWE exam.)
Lab 3: Using application functionality to exploit insecure deserialization
Intro
This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory. You can access ...
[HTB Hints] Blunder
Recon
The target is a Linux machine with IP 10.10.10.191. Nmap shows that port 80 is the only open port. Dirbuster on the target:
login panel (/admin)
todos (to-do.txt)
other content pages
The login page can be brute-forced with a crafted wordlist, using the username “furges” taken from the to-do file and a wordlist built from the web page.
www-data
After obtaining the web login information, a Bludit Metasploit module can be used to obtain a www-data shell.
user
Examine the web server source code, and the password hash for norm ...
[HTB Walkthrough] Cache
Recon
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
So the target should be port 80. Running Dirbuster on port 80 gives no useful result. One interesting thing is that the .js cod ...