honoki.net
Cyber entomology

websec

There are 13 posts filed in websec (this is page 1 of 2).

WILSON Cloud Respwnder

If you’re a Burp Suite user, you’ll be familiar with Burp Collaborator: a service that allows you to monitor out-of-band interactions to a remote server, which can indicate a potential security vulnerability. More recently, Projectdiscovery.io have come up with their alternative Interactsh which achieves the same goals. However, I found that I sometimes wanted to […]

in websec | Comment

Introducing BBRF: yet another Bug Bounty Reconnaissance Framework

Like anyone involved in bug bounty hunting, I have encountered a number of challenges in organizing my reconnaissance data over the years. In this article, I want to introduce the solution I have designed to address some of those headaches, hoping that it may prove useful to you in some way. Get started If you’ve […]

in websec | 21 Comments

CVE-2020-11518: how I bruteforced my way into your Active Directory

Last May, I discovered that a critical vulnerability I had reported earlier this year had resulted in my first CVE. Since the combination of vulnerabilities that led to this unauthenticated remote code execution (RCE) was pretty fun to discover, I want to share the story about how brute force enabled me to hack into two […]

in websec | 2 Comments

XXE-scape through the front door: circumventing the firewall with HTTP request smuggling

In this write-up, I want to share a cool way in which I was able to bypass firewall limitations that were stopping me from successfully exploiting an XML External Entity injection (XXE) vulnerability. By combining the XXE with a separate HTTP request smuggling vulnerability, I was able to grab some secret information and escape through […]

in websec | 3 Comments

HTTP Request Smuggling – 5 Practical Tips

When James Kettle (@albinowax) from PortSwigger published his ground-breaking research on HTTP request smuggling six months ago, I did not immediately delve into the details of it. Instead, I ignored what was clearly a complicated type of attack for a couple of months until, when the time came for me to advise a client on […]

in websec | Comment

How to: Burp ♥ OpenVPN

Update February 2024: Most of the contents of this article can now be achieved with this Burp plugin that I wrote: https://github.com/honoki/burp-digitalocean-droplet-openvpn – make sure to give it a spin! When performing security tests, you will often be required to send all of your traffic through a VPN. If you don’t want to send all […]

in websec | 8 Comments

RCE in Slanger, a Ruby implementation of Pusher

While researching a web application last February, I learned about Slanger, an open source server implementation of Pusher. In this post I describe the discovery of a critical RCE vulnerability in Slanger 0.6.0, and the efforts that followed to responsibly disclose the vulnerability. SECURITY NOTICE – If you are making use of Slanger in your […]

in websec | 2 Comments

From blind XXE to root-level file read access

On a recent bug bounty adventure, I came across an XML endpoint that responded interestingly to attempted XXE exploitation. The endpoint was largely undocumented, and the only reference to it that I could find was an early 2016 post from a distraught developer in difficulties. Below, I will outline the thought process that helped me […]

in websec | 4 Webmentions | 19 Comments

Punicoder – discover domains that are phishing you

So we’re seeing homograph attacks again. Examples show how ‘apple.com’ and ‘epic.com’ can be mimicked by the use of Internationalized Domain Names (IDN) consisting entirely of unicode characters, i.e. xn--80ak6aa92e.com and xn--e1awd7f.com respectively. As I found myself looking for ways to discover domain names that could be used for phishing attempts, I created a Python script called […]

in Programming, websec | Comment

Hack.lu 2015: Creative Cheating

Write-up of Hack.lu 2015’s Creative Cheating challenge. The first challenge I solved on Hack.lu 2015, hosted by FluxFingers, was Creative Cheating. The challenge Mr. Miller suspects that some of his students are cheating in an automated computer test. He captured some traffic between crypto nerds Alice and Bob. It looks mostly like garbage but maybe […]

in websec | Comment
