In today’s post we’re going to solve the Dancing box from HackTheBox’s Starting Point Series.
The Appointment box explores the following concepts – Linux, Structured Query Language (SQL), SQL Injection (SQLi), and MariaDB, a community-supported fork of the MySQL database.
In this post, we’re starting a new series, the Advent of Cyber, hosted by TryHackMe. This is the third year of the Advent of Cyber, in which a challenge is released every day leading up to Christmas, for 25 challenges in total. In these challenges, we play McSkidy, an elf trying to save Christmas.
In our fifth challenge, we’re presented with a scenario where the elves express their joy in a forum. Unfortunately for the elves, the Grinch has created an admin account on the forum and installed a bad plugin that changes Christmas to Buttmas *GASP*. We can’t have that for the kids and Santa!
The topic explored in this challenge was Cross-Site Scripting (XSS). We learned that there are four flavors – Document Object Model (DOM), Reflected, Stored, and Blind – and why XSS matters. XSS in a nutshell is an injection attack that arises when user input is neither validated nor sanitized, meaning the application accepts ANY input from the user, which can be *hint, hint* HTML, JavaScript, etc. Of the four flavors, Stored XSS is the most dangerous and catastrophic: as the name implies, the payload is stored, for instance in a database, so anyone who visits the website or reads that data is exposed to the attack. We will use Stored XSS in this challenge.
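As an added illustration that is not part of the original post, the following JavaScript models a forum that stores posts and later renders them for every visitor. It shows the vulnerable renderer (stored text concatenated straight into HTML) beside the hardened one (every untrusted field escaped at output time), plus a small check that tells you whether rendered markup still carries a raw script tag. The sample posts, the `escapeHtml` helper and the `containsRawScript` check are all constructed for this example.

```javascript
// Added example: stored text rendered unsafely vs. safely (not code from the original post).

// Minimal HTML escaping for text placed into element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// In-memory stand-in for the forum database (constructed sample data).
const posts = [];
function storePost(author, body) {
  // Stored as submitted; the defence belongs at output time, where the
  // context (HTML element content here) is known.
  posts.push({ author, body });
}

// Vulnerable renderer: concatenates stored text straight into HTML, so any
// markup a user submitted becomes part of the page for every visitor.
function renderUnsafe() {
  return posts
    .map(p => `<div class="post"><b>${p.author}</b>: ${p.body}</div>`)
    .join('\n');
}

// Hardened renderer: every untrusted field is escaped before it lands in HTML.
function renderSafe() {
  return posts
    .map(p => `<div class="post"><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</div>`)
    .join('\n');
}

// Detection helper: does the rendered markup still contain a raw <script> tag?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed posts: one ordinary message and one that carries markup.
storePost('elf1', 'Merry Christmas everyone!');
storePost('grinch', "<script>alert('xss')</script>");

console.log('--- unsafe render ---\n' + renderUnsafe());
console.log('--- safe render ---\n' + renderSafe());
```

Escaping is context-specific: the helper above is correct for text inside an HTML element, and a value placed into an attribute, a URL or a script block needs the encoding for that context instead.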
Can we use the information we learned about XSS to remove the bad plugin in the forum?
In our fourth challenge, we’re presented with a scenario where Santa is running behind! We also learn that Santa has been naughty and did not follow the password requirements. Christmas is in jeopardy, and we need to help Santa get back on track. The topic explored in this challenge is authentication, which is how we prove who we are to a system. The most common way to do this is with a username and password, but another technique is biometrics, something unique to a person such as a fingerprint or a retina (eye) scan.
The next topic discussed is fuzzing, the automated process of finding information. In our case, we’re going to use fuzzing to find Santa’s password so we can get into the system and view his calendar. Alongside fuzzing we use an interception proxy, a tool that intercepts requests before they are sent to the server. Remember that the HTTP protocol (which we’re using) relies on requests and responses to communicate.
Can we use the topics above to make sure Santa stays on schedule and delivers the presents on time?
Well… click the below video to find out!
P.S. We also need to have a serious talk with Santa on following the password requirements in the future, so this doesn’t happen again!
In our third challenge, we’re presented with a scenario where there’s a Christmas blackout: the email system is down and McSysAdmin has lost access to their admin panel, thanks to the Grinch’s nefarious activities! In this challenge we learn about content discovery, the process of looking for content that is not listed or linked on a website. Such content is useful because it can include passwords, configuration files, etc., which can help us log into the site. Finally, we learn about default credentials and how they can help us gain access to a website.
Can we use the topics above to repair the email system, restore McSysAdmin’s access, and save Christmas?
In our second challenge, we’re presented with a scenario where there are HR problems due to the Grinch and his nefarious activities! In this challenge we learn about HTTP(S) – HyperText Transfer Protocol (Secure) – which uses a client-server model of requests and responses. The challenge also delves into cookies, which can be used to store information about a user. If the application trusts that information, we can tamper with a cookie to perform an authentication bypass, meaning we can log in as another user without their password.
Can we use the topics above to repair the HR system and continue to save Christmas?
In our first challenge, we’re presented with a scenario where the Grinch is trying to destroy Christmas, possibly by using an IDOR (Insecure Direct Object Reference) vulnerability. An IDOR is a vulnerability in which sensitive information can be accessed without the proper authorization. These vulnerabilities turn up in real-world applications and make good targets for bug bounties… *hint, hint*
Can we save Christmas by solving the first challenge and stopping the Grinch?
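The following JavaScript is an added example, not code from the original post or the challenge, showing the one check whose absence makes a lookup an IDOR: the record must belong to the user who asked for it. A lookup that trusts the identifier from the request sits beside one that verifies ownership, and a small function tallies denied cross-user requests from a constructed access log so the pattern is visible to a defender. The record store, the log lines and the function names are all constructed.

```javascript
// Added example: IDOR-prone lookup vs. ownership-checked lookup (not code from the original post).

// Constructed stand-in for a database of per-user records keyed by a guessable id.
const records = new Map([
  [1001, { owner: 'alice', secret: 'alice wishlist' }],
  [1002, { owner: 'bob',   secret: 'bob wishlist' }],
]);

// Vulnerable lookup: authenticates the session elsewhere but never asks
// whether this record belongs to this user. Any valid id is served.
function fetchRecordInsecure(session, id) {
  const rec = records.get(id);
  return rec ? { status: 200, body: rec.secret } : { status: 404 };
}

// Hardened lookup: same 404 for unknown ids, 403 when the record exists
// but belongs to someone else. The 403 is also worth logging (see below).
function fetchRecordSecure(session, id) {
  const rec = records.get(id);
  if (!rec) return { status: 404 };
  if (rec.owner !== session.user) return { status: 403 };
  return { status: 200, body: rec.secret };
}

// Detection side: constructed access log, one line per request as
// "user,recordId,status". A user piling up 403s on other people's ids
// is the signature of someone enumerating identifiers.
const accessLog = [
  'alice,1001,200',
  'alice,1002,403',
  'alice,1003,404',
  'bob,1002,200',
];

function countDeniedByUser(lines) {
  const denied = {};
  for (const line of lines) {
    const [user, , status] = line.split(',');
    if (status === '403') denied[user] = (denied[user] || 0) + 1;
  }
  return denied;
}

// Demonstration with constructed sessions.
const alice = { user: 'alice' };
console.log('insecure, alice asks for 1002 ->', fetchRecordInsecure(alice, 1002));
console.log('secure,   alice asks for 1002 ->', fetchRecordSecure(alice, 1002));
console.log('denied requests per user      ->', countDeniedByUser(accessLog));
```

The ownership check is the fix; random, non-sequential identifiers only make enumeration slower and are not a substitute for it.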
On Friday, February 5, 2021, I delivered a training session on teaching Application Security concepts using the OWASP Top 10.
The Open Web Application Security Project, or OWASP, is a non-profit organization whose mission is to improve application security. Members of OWASP meet every few years to create a top 10 list of the most prevalent vulnerabilities in the industry. The most recent list was from 2017.
My training is structured in two parts: the first presents the theory (concepts and definitions), and the second is the practical application of that theory.
For the practical piece I used the BodgeIt Store website. The BodgeIt Store is a deliberately insecure app that should NOT be deployed on commercial servers. Many will say that the BodgeIt Store is a SUPER old insecure app (it’s close to 10 years old).
The app is indeed close to 10 years old, but I find it good for teaching application security because it has a scoreboard and 12 challenges to complete.
Anyway, without further ado, below are the slides from my training.
I also provided documents with a walkthrough of the BodgeIt Store and instructions for installing and using an interception proxy such as Burp Suite.
Finally, I included instructions on how to import the OWASP Broken Authentication VM, which contains a series of insecure apps.