TL;DR: There used to be a bug in Internet Explorer allowing attackers to force victims to send requests with malformed Host headers. File Descriptor used it to steal GitHub OAuth tokens, and we used it to confuse Heroku and Fastly’s host routing to make them serve our content on their customers’ domains. Fastly and Heroku have since patched the issue on their side.
When it comes to Amazon Web Services (AWS), both S3 and CloudFront lack domain validation. If a domain has a DNS entry pointing to either S3 or CloudFront but the domain is not actually claimed in S3 or CloudFront, it’s possible for anyone to claim the domain and serve their own content on the domain using these two AWS services. We will explain another problem with the lack of domain verification, combining trailing dot domains, conflict checks and how SSL common name matching works today.
This is a walkthrough of a hard-to-reproduce bug I found in Slack a few months back. Even though the payload was only working because of a legacy migration, by utilizing Python’s AppKit to insert data into Chrome’s rich text format clipboard, I was able to add and modify the XSS payload already inside Slack.
HTTP Public Key Pinning (HPKP) is very powerful if configured correctly. It has the ability to protect against the most sophisticated targeted attacks that seriously threaten security on the Internet, for all of us. But with great security comes great responsibility. If HPKP is deployed into a production environment without being thoroughly designed and tested, the website may become inaccessible for every client that has previously visited it. The fear of incorrectly deploying an HPKP policy could scare those responsible for security away from using the mechanism at all. So is it worth it? Should you use HPKP?
Reverse engineering has been used by the military, big companies and many more. It is the act of taking something (a computer, device, weapon or piece of software) and “stripping” it to learn or analyze its inner workings in detail. Compaq, one of IBM’s major competitors, did this in the early 1980s, using the reverse engineering process to dissect the IBM PC and build their own product. In this blog post, we list 7 tools for reverse engineering on the Microsoft Windows platform that have influenced the reversing community the most.
TL;DR: Exploit-mitigation techniques such as Address Space Layout Randomization, in conjunction with Data Execution Prevention, make executing traditional shellcode a non-trivial challenge. A common way to bypass the aforementioned protections is to use Return-Oriented Programming, which reuses small pieces of existing code that end in a return instruction, commonly referred to as gadgets. This article covers the thoughts and concepts involved in solving this challenge.
Developers are leaking access tokens for Slack widely on GitHub, in public repositories, support tickets and public gists. They are extremely easy to find due to their structure. It is clear that the knowledge about what these tokens can be used for with malicious intent is not on top of people’s minds…yet. The Detectify team shows the impact, with examples, and explains how this could be prevented.
UPX (Ultimate Packer for eXecutables) is an open source executable packer that is common in the malware scene (albeit often heavily modified). UPX supports all major operating systems and both x86 and x64 platforms. UPX on its own features no anti-debug checks, no scrambled code/stolen bytes and no encryption. For this post I have coded my own software in the C language to demonstrate how UPX works, what it does to the .code/.data segments in the PE header and how you can rebuild an executable that has been packed with UPX.