1. Time-Based Username Enumeration: Practical or Not?

    Username enumeration is one of those vulnerabilities that appear to be everywhere. Facebook has it, Twitter has it, and basically every default WordPress installation has it. Companies don't appear to see the risk associated with the vulnerability.

2. Using the Rails 5 Attributes API Today, in Rails 4.2

    In 2014, I gave a talk at RailsConf that touched on some problems I've come to experience with the opinions that Rails employs to achieve its "convenient" APIs. One part of the talk described something I really wanted to see, which was a sane attribute API. Well, Sean Griffin started working on one not long after that talk. It'll be "official" in Rails 5, but it's in Rails 4.2 and is already being used under the hood by your apps today—it's just missing documentation.

    If you've ever tried doing something as simple as overriding attribute accessors and found yourself chasing down and plugging endless edge cases, this post is for you.

3. Static Analysis of Grails Applications with CodeNarc

    Since we last visited Grails (and Grails.nV), the Grails project has updated to a new major version (3.x) that comes with a host of performance improvements, Gradle support, and security enhancements. With these changes, it is a good time to revisit the project.

    For Grails applications, one topic that needs attention is the use of static analysis to identify common security vulnerabilities. If developers have access to effective automated tools that alert them to security concerns during development, these problems can be fixed before the code is released. Furthermore, these tools reveal issues in large and well-established codebases by automating the code checks performed during code promotion. For example, tracing tainted variables (variables influenced by user-provided input) shows the impact of unchecked user input throughout an application. Stored XSS or SQLi are simple to detect in the majority of cases.

    There are currently only two static analysis tools that provide coverage for Groovy: IntelliJ IDEA's built-in debugger and CodeNarc, an open-source static analysis tool. Since it is not reliant on a single development interface, this post will examine CodeNarc.

4. Advanced SQL Injection

    Ah, SQL injection. Probably one of the most iconic vulnerabilities in the web appsec sphere. Even given how easy it is to fix (parameterize your queries please, none of this blacklisting garbage), it's still found in the wild on a regular basis. While there are a million posts out there detailing vanilla exploitation, this post is going to delve into more advanced attacks. Specifically, I'm going to discuss enumerating the schema of a database in a single payload, greatly reducing the number of queries required to exfiltrate data via bit shifting, and viable attacks in a blind and asynchronous situation. The focus will revolve around a SQL Server context, but most if not all of these techniques should transfer to exploitation of other databases.

    Before we begin: do not leverage these techniques against a system unless you have the express permission of the system owner. nVisium is not liable for any trouble you get into not using common sense. Now, with that out of the way, let's dive in.

5. Regex: Regularly Exploitable

    Here's a quick demonstration of why Regular Expressions (regex) can be bad for implementing character whitelisting.

    I was reading through an application security assessment report recently and noticed a recommendation for preventing Operating System Command Injection (OSCI) that implemented character whitelisting on a given filename through the following regex:

    /^[\/a-zA-Z0-9\-\s_]+\.rpt$/m

    At first glance, the regex seems legit, right? It attempts to match any combination of letters, numbers, dashes, underscores, slashes, and whitespace, ending with the ".rpt" extension. Already knowing that there was a flaw here (we'll get to that in a moment), I put together the following proof-of-concept to demonstrate the security (or insecurity) of the filter:

6. SecCasts Live: Beyond the Pentest – The Evolving Security Landscape

    On May 27th, security professionals joined nVisium to share their views on a variety of topics concerning the cybersecurity industry. The conversation began on a light-hearted note, sharing the projects and technologies they are each currently involved in. A debate soon followed about what the security community is doing right and wrong and the public's role (if any) in it. To wrap up the discussion, each panelist recommended a few good books that could be helpful to those in the industry. While this blog post summarizes the important points that were raised, a complete recording of the conversation can be found here.

7. Exploration of the Apple Watch Backup Files

    The release of the Apple Watch has opened many lines of research for the wider security community. While a jailbreak of Apple's newest device is not yet available, there are hints of privacy issues and possible security flaws. Areas that warrant suspicion include the way the watch communicates with an iPhone (using both Bluetooth and WiFi) and how a synced iPhone delivers an updated image to the watch. This post reviews one reliable method of determining how the watch operates and communicates with various applications and devices.