Today I want to show you a demo that I recorded on how you can use the amazing tool Evilginx2 (by Kuba Gretzky) to bypass Multi-Factor Authentication (MFA). In the demo I used Evilginx on a live Microsoft 365/Office 365 environment, but it can be used on almost any site that doesn’t use a more […] The post how to use Evilginx2 to grab session tokens and bypass Multi-factor authentication first appeared on TzuSec.com.| TzuSec.com
This blog post is about a minor discovery I made regarding a writeable file inside the Windows folder that is present on Lenovo machines. Initially, when I found it, I thought it was only a handful of…| Oddvar Moe's Blog
How does Suricata’s URL decoding work? It’s more complex than you think!| GreyNoise Labs
The last two blog posts in this series were about SNI spoofing and Host header spoofing. We also learned that the latter is addressed by some vendors with a technique called “Domain Fronting Detection”. But what exactly is domain fronting? This will be explained in this blog post.| blog.compass-security.com
In the last post about bypassing web filters, I discussed how SNI spoofing works and how this can also be prevented by web filters. This post is about another bypass technique called Host Header spoofing.| blog.compass-security.com
This is the first part of a series of blog posts about techniques to bypass web filters, looking at increasingly advanced techniques with each part.| blog.compass-security.com
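The three Compass Security posts above describe SNI spoofing, Host header spoofing and the "Domain Fronting Detection" some vendors use against the latter. The following added example (not code from those posts) shows what such a detection amounts to: pull the server_name out of the TLS ClientHello, pull the Host header out of the HTTP request, and flag the connection when they disagree. The ClientHello builder, the hostnames and the request bytes are constructed here as sample input; real clients send many more extensions. The comparison is only possible where the filter terminates TLS and sees the decrypted request, which is an assumption of the example.

```python
import struct
from typing import Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (sample input only).
    With sni=None no extensions block is emitted at all."""
    extensions = b""
    if sni is not None:
        host = sni.encode("idna")
        # server_name entry: name_type 0 (host_name), 2-byte length, name
        entry = struct.pack("!BH", 0, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext_sni = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03" + bytes(32)          # client_version + random
        + b"\x00"                        # empty session id
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                    # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello and return the server_name, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + hs[pos]                    # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                    # compression methods
    if pos + 2 > len(hs):
        return None                       # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0x0000:
            # skip list length (2) and name_type (1); read name length (2)
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("idna")
        pos += elen
    return None


def extract_host(http_request: bytes) -> Optional[str]:
    """Return the Host header value without port, lower-cased, or None."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            # IPv6 literals with ports are not handled by this split
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def classify(client_hello: bytes, http_request: bytes) -> str:
    """Verdict a TLS-inspecting filter could apply to one connection."""
    sni = extract_sni(client_hello)
    host = extract_host(http_request)
    if sni is None:
        return "no-sni"
    if host is None:
        return "no-host"
    return "match" if sni.lower() == host else "fronting-suspected"


if __name__ == "__main__":
    hello = build_client_hello("allowed.example")
    print(classify(hello, b"GET / HTTP/1.1\r\nHost: hidden.example\r\n\r\n"))
```

A connection with no SNI at all is a separate policy decision: some filters drop it, others fall back to the certificate's subject names, and with Encrypted Client Hello the filter does not see the name unless it terminates TLS.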
While I was prepping for a session a while back I made a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will … Continue reading A small discovery about AppLocker→| Oddvar Moe's Blog
I thought it would be useful to have a blog post about two different techniques you can use to bypass AppLocker if you are an admin on a host that has AppLocker enabled. The first technique that uses the GUI was briefly discussed in a tweet I posted a while back: https://twitter.com/Oddvarmoe/status/996147947975962624 My goal with this … Continue reading Bypassing AppLocker as an admin→| Oddvar Moe's Blog
TL;DR: done as a normal user without admin privileges. Change %TEMP%/%TMP% to point to a location where the AppLocker rules allow script execution, start PowerShell with the new %TEMP%/%TMP% values, and profit! Background: this blog post covers a technique I discovered when digging further into AppLocker to bypass PowerShell Constrained … Continue reading %Temp%orary Constrained Language mode in AppLocker→| Oddvar Moe's Blog
TL;DR: persistence can be achieved with Appx/UWP apps using the debugger options. This technique is not visible in Autoruns. Two different approaches exist (registry keys). Listed below are the two techniques for two different apps that start at logon: Cortana app: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\windows\system32\cmd.exe" OR reg add HKCU\Software\Classes\ActivatableClasse...| Oddvar Moe's Blog
The Content-Disposition response header tells the browser to download a file rather than displaying it in the browser window.| markitzeroday.com
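The header does what the summary says only if the value is well formed, and the filename part is usually user-controlled (an uploaded file's original name). The following added example, not code from markitzeroday.com, builds the header value defensively: it strips CR/LF so the name cannot inject further response headers, keeps only the last path component, escapes the quoted-string fallback, and carries non-ASCII names in the RFC 5987/6266 `filename*` form. The filenames are constructed test input; the choice to replace non-ASCII with `_` in the fallback is this example's, not a standard.

```python
from urllib.parse import quote


def content_disposition(filename: str, inline: bool = False) -> str:
    """Build a Content-Disposition value for a user-supplied filename."""
    # CR, LF and NUL must never reach a header value: a name such as
    # 'x\r\nSet-Cookie: ...' would otherwise add a header of the attacker's choice.
    cleaned = "".join(ch for ch in filename if ch not in "\r\n\x00")
    # Keep only the final path component; a stored name like ../../x adds nothing useful.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1] or "download"
    disposition = "inline" if inline else "attachment"
    # The quoted-string form cannot carry non-ASCII reliably; keep printable
    # ASCII, replace the rest with '_' (this example's choice), escape \ and ".
    ascii_name = "".join(ch if 32 <= ord(ch) < 127 else "_" for ch in cleaned)
    ascii_name = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    value = f'{disposition}; filename="{ascii_name}"'
    if any(ord(ch) > 126 or ord(ch) < 32 for ch in cleaned):
        # Extended parameter: charset, empty language, percent-encoded UTF-8.
        value += f"; filename*=UTF-8''{quote(cleaned, safe='')}"
    return value


if __name__ == "__main__":
    print(content_disposition("résumé.pdf"))
```

Use `inline=False` for anything a user uploaded: serving uploaded HTML or SVG inline under your own origin lets the file's scripts run in that origin, which is the usual reason the header is set at all.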
Overview: techniques gathered to bypass PHP file upload filters.| Boku
Some VPNs allow split tunneling; however, Cisco AnyConnect and many other solutions offer a way for network administrators to forbid this. When that happens, connecting to the VPN seals off the client from the rest of the LAN. As it turns out, breaking this seal is not that hard, which can be useful for special cases like performing pentests over a VPN designed for average users.| Silent Signal Techblog
As intra-app URLs used in web applications are generated and parsed by the same code base, there’s no external force pushing developers towards using a human-readable form of serialization. Sure, it’s easier to do debugging and development, but that’s why I used the word “external”. Many frameworks use custom encodings, but one of the most extreme things a developer can do in this regard is completely encrypting request parameters. We encountered such a setup during a recent web app...| Silent Signal Techblog
Here’s a little trick we’d like to share in the end-of-year rush:| Silent Signal Techblog
Last year we published a proof-of-concept tool to demonstrate bypasses against security products that still rely on the obsolete MD5 cryptographic hash function.| Silent Signal Techblog
Sanitizing input (as in trying to remove a subset of user input so that the remaining parts become “safe”) is hard to get right in itself. However, many developers doom their protection in the first place by choosing the wrong tool to get it done, in this case, regular expressions (regex for short). While they’re powerful for quite a few purposes, as the old saying goes,| Silent Signal Techblog
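The failure the post is pointing at is concrete: a regex that removes a pattern once leaves behind whatever the removal exposes. The added example below (not Silent Signal's code) shows a constructed blocklist sanitizer, the nested payload that survives it, the fixed-point variant that closes only that one hole, and the alternative that does not need a list at all: encode for the output context instead of stripping. The payloads are constructed test input.

```python
import html
import re

# Constructed blocklist: remove opening/closing <script> tags, any case, any attributes.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)


def naive_sanitize(user_input: str) -> str:
    """Single-pass removal: the usual shape of a home-grown sanitizer."""
    return SCRIPT_TAG.sub("", user_input)


def naive_sanitize_fixpoint(user_input: str) -> str:
    """Repeat removal until nothing changes. Closes the nesting hole, but the
    regex still only knows about one tag, so every other vector passes."""
    prev, cur = None, user_input
    while cur != prev:
        prev, cur = cur, SCRIPT_TAG.sub("", cur)
    return cur


def escape_for_html_text(user_input: str) -> str:
    """Encode instead of strip: every character survives, none of it is markup."""
    return html.escape(user_input, quote=True)


def contains_script_tag(s: str) -> bool:
    """What the sanitizer was supposed to guarantee about its own output."""
    return SCRIPT_TAG.search(s) is not None


if __name__ == "__main__":
    nested = "<scr<script>ipt>alert(1)</scr</script>ipt>"
    print(naive_sanitize(nested))            # the removal reassembles the tag
    print(naive_sanitize_fixpoint(nested))   # survives only as text
    print(naive_sanitize_fixpoint("<img src=x onerror=alert(1)>"))  # untouched
```

The fixed-point loop is the patch people reach for first, and the last line shows why it does not help: the sanitizer is a list of things the author thought of, while encoding is a statement about the output context that holds for inputs nobody thought of.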
In this post I will share my testing experiences about a web application protected by a web application firewall (WAF). The investigation of the parameters of web interfaces revealed that I can perform XSS attacks in some limited ways. The target implemented blacklist-based filtering that provided some HTML tag and event handler restriction. Since this restriction appeared at quite unusual places I suspected that there might be a WAF in front of the application. To verify my suspicion:| Silent Signal Techblog
Introduction: On November 2, 2023, POC2023 took place as scheduled in South Korea. I was fortunate to attend this conference where YYJB and I presented on the topic of “Modern Chrome Exploit Chain Development.” Given the title “Modern”, it would indeed be a bit awkward if we didn’t share something relatively new with […] The post Use Wasm to Bypass Latest Chrome v8sbx Again appeared first on Numen.| Numen