‘HTTP Request Smuggling’

‘The whitepaper explains a technique to perform web-based attacks by ‘smuggling’ HTTP requests.
HTTP Request Smuggling works by taking advantage of discrepancies in how HTTP requests are parsed when one or more HTTP devices sit between the user and the web server. This technique enables various attacks, such as web cache poisoning and bypassing web application firewall protection.’


‘Hacking UNIX – Second Edition’

‘Hacking UNIX – Second Edition is a hacking guide for absolute beginners in UNIX hacking. In total it took 3 years to write. It is meant to provide a solid introduction to the subject and also to act as a reliable reference.’


‘SQLBlock: SQL Injection Protection by Variable Normalization of SQL Statement’

‘The article linked at this advisory presents a method to protect against SQL injection attacks. The method uses a virtual database connectivity driver together with a technique named variable normalization, which extracts the basic structure of a SQL statement so that this structure can be used to decide whether the statement is allowed to execute. The method can be used in most scenarios and does not require changing the source code of the database application (i.e. the CGI web application). The method can also be used to auto-learn the list of allowable SQL statements, which makes the system very easy to set up. Since deciding whether a SQL statement is allowed amounts to checking whether its normalized form exists in a pre-sorted allow list, the overhead of the system is minimal.’


‘Buffer Overflow Exploitation and Prevention’

‘This paper will attempt to explain the usual problems encountered when trying to exploit buffer overflows in particular contexts of the stack, and propose a method to easily solve those problems.

What do you have to know before reading?
You have to know assembly language, C language and Linux/Unix. Of course, you have to know what a buffer overflow is (we highly recommend reading [1]).’


‘Introduction to HTTP Response Splitting’

‘The essence of HTTP Response Splitting is an attacker’s ability to send a single HTTP request that forces the web server to form an output stream which the target then interprets as two HTTP responses instead of one. This type of vulnerability can be exploited to perform several web-application-based attacks.’


‘Bugger The Debugger’

‘The paper linked below will demonstrate methods that may be used by malware to execute code simply by being loaded into a debugging session. This code execution occurs before the debugger passes control back to the user and therefore cannot be prevented.’


‘Rootkiting Your Database’

‘Operating systems and databases are quite similar in architecture. Both have users, processes, jobs, executables, symbolic links, etc. Therefore a database can be considered a kind of operating system. If a database is a kind of operating system, it should be possible to migrate operating system malware (such as rootkits or viruses) to the database world. The linked paper explains how this migration can be done.’


‘The CS^2 Block Cipher’

‘This paper describes a new CS block cipher that is an extension of the original CS-Cipher. The new design inherits the efficiency of the original design while being upgraded to support a larger block size and to use a slightly improved substitution box.’


‘The Heart of Web Security’

‘Information and data transmission system security holds a place of ever-growing importance in today’s world. The expansion of the Web has provided businesses with an ideal platform for introducing and promoting their products and services.’


‘Recovering Windows Password Cache Entries’

‘Users authenticate themselves to a Domain Controller (DC) using NTLM/NTLMv2. However, the DC sometimes goes offline or the network cable is unplugged; in this situation, the Local Security Authority Subsystem Service (LSASS) uses password cache entries from the registry to perform an offline logon.

This whitepaper explains the technical issues underneath Windows password cache entries, which are undocumented by Microsoft. This paper aims at:

 * Helping pentesters or security professionals retrieve the password cache entries (hash values) for auditing purposes;

 * Providing more compatibility for programs that may require access to these entries without using the LSA API.’


‘TCP Timestamp and Advanced Fingerprinting’

‘This network-oriented advisory explains how to fingerprint network services on a remote host. After reading this paper you will be able to see through the illusion, created by IP masquerading, that the network services are hosted by a single computer.’


‘Remote Windows Kernel Exploitation – Step Into the Ring 0’

‘Over eight years have passed and almost every possible method and technique regarding Windows exploitation has been discussed in depth. Surprisingly, a topic that has yet to be touched on publicly is the remote exploitation of Win32 kernel vulnerabilities; a number of kernel vulnerabilities have been published, yet no exploit code has surfaced in the public arena.’


‘Blind Injection in MySQL Databases (via BENCHMARK)’

‘MySQL is not an easy database for Blind SQL Injection: it displays no errors when a UNION is performed between two columns of different types, and there is no way to make a query display errors from parameters passed inside the query itself. It often happens that, when auditing the code of a PHP/MySQL application, we find an injection vulnerability that is not exploitable, because we cannot see the output, or we always see an error because the retrieved value is passed to multiple queries with different numbers of columns before the script ends.

In those cases where we cannot see the result of the SELECT…UNION statement, it would appear that the vulnerability cannot be exploited. Or can it?’


‘The Misuse of RC4 in Microsoft Word and Excel’

‘A serious security flaw in Microsoft Word and Excel allows an attacker to easily decrypt a Microsoft-encrypted document.

The stream cipher RC4, with a key length of up to 128 bits, is used in Microsoft Word and Excel to protect documents. However, when an encrypted document is modified and saved, the initialization vector remains the same, and thus the same RC4 keystream is used to encrypt the different versions of that document. The consequence is disastrous, since much of the document’s content can be recovered.’
