BuzzSec

I was recently involved in an engagement where access was controlled by Basic Authentication. One (1) of the findings I discovered was a Cross-Site Request Forgery (CSRF) vulnerability. The client was unsure of the best approach to prevent CSRF in the context of using Basic Authentication. In this blog post, I will examine the security deficiencies of Basic Authentication, compare it to token-based and JWT-based authentication and authorization, and explore strategies for mitigating CSRF vulnerabilities while utilizing Basic Authentication. The Deficiencies of Basic Authentication Basic Authentication has been a foundational method of user authentication on the web for decades. However, as technology and security threats evolve, the deficiencies of Basic Authentication have become increasingly apparent. Let’s examine the inherent weaknesses of Basic Authentication and why it’s important to consider alternative authentication methods. One (1) of the most critical deficiencies of Basi...

For a long time, Red Teamers have been preaching the mantra “Don’t make Domain Admin the goal of the assessment” and it appears that customers are listening. Now, you’re much more likely to see objectives focused on services critical to an organization, with many being hosted in the cloud. With this shift in delegating some of the security burden to cloud services, it’s commonplace to find Identity Providers (IDP) like Microsoft Entra ID or Okta being used. This means that our attention as attackers also needs to shift to encompass these services too. In this blog post, I’ll discuss some of the post-exploitation techniques that I’ve found to be useful against one such provider, Okta, which has been one of the more popular solutions found in customer environments. It should be noted that everything in this post is by design. You’ll find no 0dayz here, and many of the techniques require administrative access to pull off. However, to say that the methods demonstrated in this post have ...

This blog post was co-authored with Charlie Clark and Jonathan Johnson of Binary Defense . 1    Introduction One thing often forgotten is that detection engineering isn’t always centered around 1 action to 1 query but also to drive effective incident response to optimize the triage of an alert. This is best served with context. We often say, ‘context is king,’ because this exposes a story that helps defenders understand the intent behind the actions. Context doesn’t always surround one process but potentially multiple processes, network connections, and different hosts. Context paints the picture for responders to best measure how to handle the event/incident that they are answering to. It is through context that the defensive team can get a better understanding of the attack they are facing and ultimately attribution. Charlie and Andrew have been trying to bring more offensive and defensive awareness around Kerberos, and Jonny has helped close the gaps by leveraging...

Introduction Attackers are always looking for new ways to deliver or evade detection of their malicious code, scripts, executables, and other tools that will allow them to access a target. We on the Tactical Awareness and Countermeasures (TAC) team at TrustedSec strive to keep up with attacker techniques and look ahead to develop potential evolutions in tactics and behavior. This is especially useful when we perform Purple Team engagements—we can keep our actions fresh and push the envelope on emulating attacker behavior. In following this ideology, I set out to look for some novel, first-stage techniques that might allow initial access or execution without raising too much suspicion. A colleague of mine, Andrew Schwartz ( @4ndr3w6S ), suggested to look for file types that could be leveraged for malicious purposes that also have default associations with Windows applications. This led us down a path of many interesting file types. Amazingly, countless file extensions end up being som...

As a web application tester, I encounter a recurring challenge in my work: receiving incomplete responses from Burp Collaborator during DNS and HTTP response testing. Figure 1 – Burp Collaborator Responses For example, Collaborator will provide the IP address that performed the DNS look up or HTTP Request. Sometimes, these responses turn out to be false positives caused by intrusion protection systems or other mechanisms in front of the actual application. In many cases, I find that the request is coming from a device in front of the web application related to Akamai or CloudFlare rather than the target server itself. What’s also missing from the information in Collaborator is the URI and User-Agent. Both of these can be important for determining where the request originated and what actions the requests were taking. I developed CoWitness as a solution. CoWitness is an application that mimics an HTTP server and a DNS server. This saves time by not having to install and configu...

1.1      Introduction I love when I get tossed a piece of unique malware. Most of the time, malware is obfuscated using PowerShell or a dropper written in C. This time, however, it was obfuscated using Python. How fun! My first thought when I was asked to look at it was, “It’s Python. I’ll just read the code”. As it turned out, that statement was both true and false. This post will focus on the technique that the malware sample utilized. We will explore some smaller samples, then increase the complexity until we can put a complete tool together. The goal of the final tool will be to build a Python stager. This stagers’ only job is to download a DLL from a preconfigured web server and execute it from memory. All the while, making it more difficult to see what is going on when simply “Reading the code”.  All sample code will be available here. This method of obfuscation, in certain environments, will bypass EDRs and anti-virus tools because it is a Python...