Week 37 In Review – 2013


  • Video Tutorial: Introduction to XML External Entity Injection – community.rapid7.com
    This video introduces XML injection to achieve XML external entity injection (XXE) and XML based cross site scripting (XSS).
  • Errata Security’s blog
    • We scanned the Internet for port 22 – blog.erratasec.com
      Errata Security scanned the entire Internet for port 22 — the port reserved for “SSH”, the protocol used by sysadmins to remotely log into machines. Unlike their normal scans of port 80 or 443, this generated a lot more “abuse” complaints, so Robert Graham thought He’d explain the scan.
    • Masscan: the entire Internet in 3 minutes – blog.erratasec.com
      Robert thought he’d write up some notes about his “masscan” port mapper. Masscan is the fastest port scanner, more than 10 times faster than any other port scanner.
  • 44CON Presentation – Additional Resources – shadow-file.blogspot.com
    Zach included a single slide with a link to this post. Here you’ll find links to additional resources that he may have referenced in his talk.


  • BurpCSJ extension release – blog.malerisch.net
    Roberto Suggi Liverani released a new Burp Pro extension which integrates Crawljax, Selenium and JUnit. Download link is available here.
  • Introducing SpearPhisher – A Simple Phishing Email Generation Tool – trustedsec.com
    SpearPhisher is a simple point and click Windows GUI tool designed for (mostly) non-technical people who would like to supplement the education and awareness aspect of their information security program. Not only is it useful to non-technical folks, penetration testers may find it handy for sending quick and easy ad-hoc phishing emails.
  • OWASP ZAP 2.2.0 is out  – code.google.com
    The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.


  • Stealing passwords every time they change – carnal0wnage.attackresearch.com
    Rob Fuller created an installer and “evil pass filter” that basically installed itself as a password filter and any time any passwords changed it would store the change to a log file locally to the victim (in clear text) as well as issue an HTTP basic auth POST to a server he own with the username and password.The full code can be found in his blog post.
  • Changing proxychains’ “hardcoded” DNS server – carnal0wnage.attackresearch.com
    If you’ve ever used proxychains to push things through Meterpreter, one of the most annoying things is its “hardcoded” DNS setting for, if the org that you are going after doesn’t allow this out of their network, or if you are trying to resolve an internal asset, you’re SOL. There isn’t much magic here other than knowing that this file exists, but /bin/proxyresolv is a bash script that calls “dig” using TCP and the DNS server specified so it goes through the proxychains. Here is what it looks like.
  • The Windows Flaw That Cracks Amazon Web Services  – slashdot.org
    Some code tinkering allows you to copy data from Amazon Web Services (or another hosting provider) without the data’s owner realizing what’s going on. Here are the possible steps for making that happen.
  • Automated SQL Injection Detection  – arneswinnen.net
    SQL Injection is still a common web application vulnerability these days, despite the fact that it’s already around for ages. However, because of limited adoption of best security practices by web application developers and, more importantly, the default use of parameterized queries in popular DB frameworks such as LINQ, SQL Injection is slowly becoming less prevalent in the wild.
  • How did I get a root shell in my NAS, 0day inside  – blog.pentbox.net
    One day, Alberto Ortega realized that his firmware version was outdated so he decided to update it to the latest version. One thing led to another, and he end up with a root shell in the device, here is how.
  • Cloning an Infrared Disarming Remote of a Consumer Grade Home Security System  – volvent.blogspot.com.au
    This blog post looks at a cheap home security system purchased from E-Bay and ways of defeating it by cloning the remote that disarms it. This post can also serve as a taster for Silvio’s Ruxcon talk in October.
  • 64bit Pointer Truncation in Meterpreter – buffered.io
    The purpose of this post is to document the process and resolution of a bug that OJ Reeves have helped resolve since joining. He also aim to lift the lid on Meterpreter a little and help expose how some bits of it work. Hope you enjoy.

Vendor/Software Patches


Other News

  • The Geeks on The Frontlines – rollingstone.com
    Inside a darkened conference room in the Miami Beach Holiday Inn, America’s most badass hackers are going to war – working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. After decades of seeming like a sci-fi fantasy, the cyberwar is on!
  • Wi-Fi isn’t radio!? – blog.kismetwireless.net
    The 9th Circuit Court of Appeals has ruled that Google can be prosecuted for the capturing of wireless data by Street view cars. The most controversial aspect of the ruling is the declaration that Wi-Fi isn’t radio.

  • E-ZPasses Get Read All Over New York (Not Just At Toll Booths) – forbes.com
    A man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He’s not the only one.) The man, who goes by the Internet handle “Puking Monkey,” did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths.

Leave A Comment