Operating system (OS) command injection is a variant of code injection attacks, which are considered a major security threat that is, in fact, classified as No. 1 on the 2013 OWASP Top Ten web security risks. The main objective of this article is to examine the detection and exploitation capabilities of Commix against blacklisting techniques. The general idea behind blacklisting is to check for malicious patterns before allowing the execution of user input.
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
A possible attack path during a penetration test is having access to the administrative console of a Java application server (like WAS, JBoss and Tomcat) installed on a Windows server with default or guessable (e.g. through brute-force) administrative credentials.
This is the 2nd of 2 blog articles that demonstrate some tips and techniques (T&T) for client-side penetration tests. The previous article included tips and techniques on how to deliver spoofed emails without being blocked. This article includes techniques on how to embed an executable file within attachable files without being detected by mail filters and anti-virus.
This is the 1st of 2 blog articles that demonstrate some useful tips and techniques (T&T) for client-side penetration tests. This article includes tips and techniques on how to deliver spoofed emails and how to defend against email spoofing. The next article will include techniques on how to embed an executable file in attachable files without being detected by mail filters and anti-virus.
About a month ago I identified four vulnerabilities in the Aircrack-ng suite. A brief but technical description may be found below. Furthermore, references to the proof-of-concept exploit code and the OSI advisory may be found at the end of this article.
Being in and remaining in a “secure state” requires a continuous process of awareness, preparedness and readiness. It is a highly demanding, cross-domain activity that covers nearly all aspects of an organization and involves resources with different skills and levels of expertise.