In today’s digital landscape, cybersecurity is often misunderstood as a set of restrictive measures that hinder technological progress and user experience. However, this perspective couldn’t be further from the truth. Cybersecurity, when implemented correctly, acts as a powerful enabler that empowers businesses and individuals to leverage technology safely and confidently.
Freedom to Innovate
Cybersecurity provides a secure foundation upon which innovation can flourish. By implementing robust security measures, organizations can explore new technologies and digital transformations without constantly worrying about potential threats. This freedom to innovate allows businesses to stay competitive and adapt to changing market demands.
A strong cybersecurity posture builds trust with customers, partners, and stakeholders. When users know their data is protected, they’re more likely to engage with digital services and share information. This increased trust can lead to better customer relationships, improved brand reputation, and ultimately, business growth.
Contrary to the belief that security measures slow down processes, well-implemented cybersecurity actually streamlines operations. By preventing breaches and downtime, businesses can maintain continuity and focus on core activities rather than dealing with the aftermath of cyber incidents.
Raxis Penetration Testing: A Key Enabler
Raxis, a leader in cybersecurity services, offers penetration testing that exemplifies how security measures can enable rather than restrict. Here are three ways Raxis penetration testing proves beneficial:
Uncovering Hidden Risks: Raxis penetration testing identifies vulnerabilities that might otherwise go unnoticed. By simulating real-world attacks, businesses can proactively address weaknesses before they can be exploited, enabling them to use technology more confidently.
Strengthening Security Posture: Through comprehensive testing, Raxis helps organizations strengthen their overall security stance. This improved posture allows businesses to adopt new technologies and expand their digital footprint without compromising on security.
Demonstrating Value: Raxis’ approach includes data exfiltration demonstrations, which clearly show the potential impact of security gaps. This tangible evidence helps justify cybersecurity investments and enables businesses to allocate resources effectively for maximum protection.
Embracing Cybersecurity as an Enabler
To truly harness the enabling power of cybersecurity, organizations need to shift their mindset. Instead of viewing it as a necessary evil or a set of restrictions, cybersecurity should be seen as a strategic asset that facilitates growth, innovation, and trust.By partnering with experts like Raxis for penetration testing and other cybersecurity services, businesses can create a secure environment that empowers users and drives technological advancement. This proactive approach not only protects against threats but also opens up new opportunities for digital transformation and business success.In conclusion, cybersecurity, when implemented effectively, is not about limiting what people can do with technology. It’s about creating a safe space where individuals and organizations can push boundaries, explore new possibilities, and thrive in the digital age. By embracing cybersecurity as an enabler, we can unlock the full potential of technology while keeping our digital assets and identities secure.
As the head of project management at Raxis, I have been a part of many customer debriefing calls. Generally, these calls just entail the penetration tester discussing the findings on the report and answering questions such a priority to fix or best options for correcting them.
In some cases, though, there is no way to fix the finding, at least in the near term. Organizations that are looking to correct all findings in order to provide the most secure environment for their customers and to meet compliance requirements look to our team for advice.
In this blog, I’ll discuss the options of accepting risks or using compensating controls to limit the risks as much as possible until a larger solution can be implemented.
ACCEPTING RISKS
When dealing with penetration test findings, organizations sometimes have to accept certain risks instead of fixing them immediately. The decision is often part of a broader risk strategy that may mean fixing the issues is not feasible, at least in the short term.
Resource constraints include financial limitations, such as when the cost of fixing the vulnerability outweighs the potential impact of an exploit. Time constraints also come into play when fixing the vulnerability might delay critical projects or updates.
In these cases, we often recommend that the organization thoroughly discuss, and, if appropriate, accept the risk. The risk is still there, but the proper stakeholders within the company will understand the risks involved and document acceptance of the risk.
When deciding to accept penetration test risks, organizations should follow a formal risk acceptance process:
Thoroughly document the vulnerability and associated risk
Perform a detailed impact analysis, including input from several departments when necessary
Identify and implement compensating controls
Get sign-off from appropriate stakeholders, such as a CISO or CIO
Set a timeline to re-evaluate the risk
Monitor the risk closely
COMPENSATING CONTROLS
Compensating controls could include several measures that are positives to have in place at any time in case of newly discovered vulnerabilities or other issues. Examples of compensating controls include:
Encrypting sensitive data at rest and in transit
Implementing strong access controls such as least privilege, and multi-factor authentication
Enhancing monitoring and alerting for the affected systems to allow for rapid detection and response if the vulnerability is exploited
Network segmentation to contain the spread of an attack
Keeping systems as up-to-date as possible with available patches
LOWERING FINDING RISKS WITH MITIGATION
Often vulnerabilities that cannot be fixed involve legacy software that no longer receives updates from the vendor but is necessary to business operations. In these cases, until the legacy systems can be replaced, organizations can decrease risk by segmenting the system to an entirely separate area of the internal network. This way, if a compromise occurs, the rest of the network is protected.
While this does not remove the risk from the penetration test, we’re able to lower the risk of the finding if our customer lets us know and gives us access to test that the segmentation is correctly in place.
Another case we often see are custom web or mobile applications and APIs. Updates to codebases may be a major effort that requires planning and waiting for resources to become available to make the changes. In other cases, custom code relies on vendor APIs and changes must wait for vendor API updates.
Each of these cases is unique, but there may be opportunities to limit access to the at-risk functionality or to put in place strong compensating controls.
CONCLUSION
We understand that many factors come into play when working to keep your company and customers as secure as possible. Options are available to allow organizations to stay as secure as possible while working towards a more permanent solution.
In Scottie’s recent Cool Tools blog about discovery tools, he, like many network penetration testers, starts with Nmap. Nmap is a great discovery tool with many flags and scripts. In this post, I will expand upon Scottie’s ideas and delve more deeply into what Nmap has to offer, specifically for network penetration testing.
Hosts Marked as Down When They Are Up
If you find you have problems with Nmap flagging hosts as down, even though they should be up, I would recommend adding these flags to your command:
-PS – SYN ping scan. You can optionally add a port number after this.
–PA – ACK ping scan. You can optionally add a port number after this.
-PE – Typical ICMP ping echo request, typically blocked by firewalls.
-PP – ICMP timestamp ping query, which can sometimes get around misconfigured firewalls.
-PM – ICMP subnet mask ping query, also good for evading misconfigured firewalls.
-PO -This issues an IP protocol ping, which seems to work a lot of times when other probes don’t.
Putting that all together, my typical scans are now starting to look like this:
-oA [output] – Output in all file formats simultaneously.
-sSUV – Combo of -sS (TCP SYN scan), -sU (UDP scan), and -sV (service version scanning).
–unique – Scan each IP only once (e.g. if raxis.com resolves to 1.1.1.1, and both are targets, only scan 1.1.1.1 once).
–resolve-all – If an DNS name resolves to multiple IPs, scan each IP.
-T4 – Go a bit faster than default, recommended for modern networks (unless you’re trying to be quiet).
-O – Try to determine operating system.
-p T:-,U:53,161 – Scan all TCP ports as well as UDP ports 53 (DNS) and 161 (SNMP).
-vv – Be very verbose in output.
-iL [targets] – Use the targets in the specified file.
Additionally, when using -oA, if your scan gets interrupted, you can use this to resume the scan where it left off:
nmap --resume
The Nmap Scripting Engine
The Nmap Scripting Engine (NSE) provides 604 scripts and 139 libraries at the time I’m writing this. That number grows each year, so, needless to say, this is a very useful tool for penetration testers or for blue teams checking out possible vulnerabilities in their systems. I’ll discuss some Useful NSE scripts here, and I encourage you to take a look to see if there are others that would be helpful for your needs.
Shodan
Queries the Shodan API for the targets. Follow the instructions on the NSE site to setup a Shodan API key.
Most of us here in the US have followed the Russian invasion of Ukraine with a mix of disgust, outrage, and even existential fear. But there is a way to channel these negative feelings into positive actions by making yourself and your company a harder target for hackers, including those affiliated with or supported by the Russian government.
During World War II, families planted victory gardens to help feed our military here and abroad. As the Cold War brought us to the brink of nuclear conflict, private citizens were called on to be part of a civil defense force to supplement local emergency management personnel. Now, technology has introduced us to a new battlefield in cyberspace.
Though cyber war doesn’t offer the horrific imagery of a physical invasion, it is every bit as real, the stakes are incredibly high, and threats are growing more sophisticated. Russia sent its soldiers into Ukraine, but it also has an army of malicious hackers on its payroll and/or under its protection as well.
Many of these are coin-operated criminal gangs working with the expressed or implicit approval of Vladimir Putin. They have a track record of targeting his enemies worldwide. The United States has been and will continue to be in their crosshairs.
As with generations past, it’s our turn now to recognize we all have a role to play – as private companies and private citizens – in protecting our institutions from attack. Here are some ways to do that immediately.
For individuals, it’s critical to enable multifactor authentication, create complex passwords and/or use a secure password manager. An old poster from WWII cautioned, “Loose lips might sink ships.” The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations.
As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.
For businesses, now is the time to recognize that cybersecurity is part of your corporate mission, no matter what industry you’re in. If you’re a leader in your organization, be sure to establish regular check-ins with your information security team – if you haven’t already — and heed their advice.
This poster, found in bars across the US during WWII, was a reminder that Americans had a duty to protect information:
The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations. As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.
Remember, too, that Raxis and other companies have veteran cybersecurity experts on their teams whose life’s work is to help protect you from those who would steal from you, hold your data hostage, or disrupt your operations. Now, as always, our certified professionals are ready to help.
Raxis can perform in-depth penetration tests, conduct red team assessments, test your web applications, or help train your infosec team. But we also offer a number of free resources that are publicly available as well.
Check out our YouTube channel, follow us on social media, and make sure you subscribe to this blog. We provide a lot of great security information aimed at helping you understand the latest threats and what you can do about them.
The people of Ukraine are rightfully in our thoughts and prayers at present. It’s unconscionable for one sophisticated, powerful nation to attack and invade its neighbor simply because it can. But we can do much more than fret over what’s happening overseas. We can take action that will make it harder for the Russian government to escalate its cyber war in Europe and here at home.
This is your chance to join the fight. Make your actions count.
The results from your vulnerability scan showed only a couple of low or moderate level findings, but there is no denying that two experienced hackers now have domain admin rights; the freshly printed summary document on your desk spells out in excruciating detail how they traversed the darkest corners of your network and gained access to critical data.
Fortunately for you, they’re Raxis team members, and you’ve paid them to do just that.
The Chained Attack
This scenario plays out frequently for Raxis customers who previously relied on companies that pass off vulnerability scans as faux penetration tests. It highlights why a scan, by itself, can give businesses a false sense of security about their cyber defenses. At their best, scans only point out individual links in what skilled and experienced hackers can turn into a chained attack – using one vulnerability to discover others, increasing or escalating network access with each move. In the case of parameter or business logic exposures, scans often remain blissfully unaware, failing to identify the exposures at all.
We’ll use a real-life example from a recent Red Team engagement to illustrate just how this works. Keep in mind that the following recap is just one way to employ a chained attack. There are many others. In fact, it’s such a common technique that it’s part of the test ethical hackers take to earn the Offensive Security Certified Professional (OSCP) certification. (Read about Senior Penetration Tester Andrew Trexler’s experience with the OSCP exam.)
The First Link
Using a response poisoning attack, our testers achieved Man in the Middle (MitM) and relayed Server Message Block (SMB) handshakes to hosts with SMB signing disabled, which allowed them to execute local commands and extract local password hashes stored by the security account manager (SAM). One of those hashes was associated with a local administrator account, and they used it to connect to a system on the internal network.
Once inside, they exploited a known design flaw in Windows authentication and used this local administrator hash in a Pass-the-Hash (PtH) attack using CrackMapExec (CME). They didn’t even have to crack the hash and get a cleartext password. Just sending the hash was sufficient to allow access.
Creating the Chain
Using PtH, our ethical hackers enumerated users logged on to a system, determined valid usernames, and extracted their Kerberos ticket hashes. This time, they did have to crack the hashed ticket for an administrative service account they found. A weak password and robust cracking hardware made this possible within seconds.
Having identified the cleartext password for that administrator account, they found that it was shared amongst numerous systems. They connected to other systems across the network and found a domain administrator logged into one of them. An attempt to access the Local Security Authority Subsystem Service (lsass.exe) file failed at first because the company’s security blocked “procdump.exe,” the tool we were using to gather a memory dump of the process. However, a second attempt with Process Explorer was successful and allowed our team to download a memory dump of the “lsass.exe” process, giving us access to the runtime state of the service that performs Active Directory database lookups, authentication, and replication.
Another tool, Mimikatz, enabled our testers to extract the contents of that file, including the reusable NTLM password hash of a Domain Administrator (DA). Again, using CME, they used the NTLM DA password hash to extract the contents of the entire Active Directory database. This is the database housing all Active Directory objects, including users and their password hashes for the entire domain (that often means every employee at a small company or every employee in a division of a large company).
“Vulnerability scans are excellent point-in-time snapshots of potential problems. But it takes comprehensive penetration testing to demonstrate how easily a malicious hacker can link them together to create a chained attack.”
Tim Semchenko
Owning the Network
Using this DA access, our team created a new backdoor domain administrator account in the Domain Admins group – ample proof for the customer that Raxis had in fact pwned their network.
What else could they have done? Anything they wanted, including staying on the system indefinitely or just logging in periodically to steal data or disrupt operations. Once a hacker has this type of access, it’s very difficult for a company to know if their access has been truly and completely removed.
How is this possible? Because a serious security flaw – one that would not be revealed in full by a vulnerability scan – offered our skilled team members an entry way to take down an entire network had they been bad guys.
The point is that vulnerability scans are excellent at providing a point-in-time snapshot of potential problems on your network. But it takes comprehensive penetration testing to find out just how serious those issues are and to demonstrate how easily a malicious hacker can link them together to create a chained attack.
Cookies are a way to store information across multiple HTTP requests. HTTP is a stateless protocol, meaning each request is completely independent of subsequent requests. Cookies are set by the web server, and then stored in the user’s web browser. Each subsequent request to the domain specified in the cookie will then include the set cookies in the HTTP request headers, so the web server can continue to associate the following requests to that user. Some common use cases for cookies are authentication, analytics IDs, and user preferences.cook
So, what are cookie flags, then?
Cookie flags are attributes for a cookie that are set when the cookie is initialized. These attributes live for the duration of the cookie’s lifespan, so it’s important that they are set with secure attributes, especially for important cookies used for maintaining sessions or other sensitive user information. These attributes can quickly be seen by looking at a cookie in the browser, as shown below:
HttpOnly Flag
The HttpOnly flag prevents a cookie from being accessed from protocols other than HTTP. This flag is mostly used so that client-side JavaScript cannot access the cookie.
Security Impact
When the HttpOnly flag is not set, client-side JavaScript is able to access and use the cookie. From an attacker’s perspective, it means the cookie is vulnerable to being stolen or used during other client-side attacks, such as in a Cross-Site Scripting (XSS) attack. For example, in our recently discovered XSS Vulnerability in ManageEngine Applications Manager (CVE-2021-31813), cookies were accessed through the inserted JavaScript and reflected back to the screen, as shown below:
In a real scenario, an attacker may send the cookie to themselves instead of reflecting it to the screen. However, if the HttpOnly flags had been set, the malicious JavaScript could not have accessed the application’s cookies in the first place.
Secure Flag
The Secure flag prevents a cookie from being sent over HTTP and enforces the cookie to only be sent over HTTPS. This flag is used to prevent attackers from stealing cookies by sniffing unencrypted HTTP traffic. Even though there is a high usage of HTTPS, cookies can still be sniffed on redirects and through other means without the Secure flag.
Security Impact
When the Secure flag is not set, the user’s cookies will be sent over HTTP if a request is made to that website’s HTTP port. Most websites now support HTTPS, but there are still multiple ways for cookies to be sent over HTTP even when the server supports HTTPS. For example, if a website’s web server redirects HTTP requests to use HTTPS, it’s possible the initial web request will have sent cookies that are not using the Secure flag. Similarly, if a user clicks on a link (e.g., from a phishing email) that doesn’t have https:// appended to it, the initial request will send any cookies for that website that are not using the Secure flag. An attacker that is sniffing traffic would then be able to see the cookie’s value in cleartext. The Strict-Transport-Security header can help to mitigate some of this impact, but, to ensure cookies are never sent over an unencrypted channel, the Secure flag should always be used.
As someone who has lived through several hurricanes and worked as a first responder for years, my heart breaks for our neighbors on the Gulf Coast and inland areas who are now assessing the damage from Hurricane Ida. For those who haven’t experienced it, devastation doesn’t begin to describe the aftermath of such a powerful storm.
While we hope and pray for the people who were in the storm’s path, I want to offer a few tips from the cybersecurity career I’ve pursued since leaving emergency services work 16 years ago:
Scammers strike when we’re most vulnerable. Don’t let your guard down now.
Be mindful of what you post on social media. Giving too much personal information could lead to identity theft or give a criminal the location of your home you just evacuated. Provide personal information only to valid sources like FEMA, the Red Cross, and your insurance companies.
Be on high alert for phishing emails disguised as aid requests. Legitimate rescue personnel (volunteer or professional) will never ask for money. Donate to the Red Cross, Salvation Army, or a local organization you already know and trust.
Rely only on reputable sources for critical information. Social media is good for keeping up with friends and relatives, but it’s also full of misinformation and scams. Double-check important news by cross-referencing it on local, state, or federal government pages, or with reliable media. Also, remember that there are a lot of “fake” media pages.
If you’re in an area that is hard hit and don’t have cell phone service, turn off your phone. The phone will die more quickly if it’s searching for a cell tower. Turn it on later and see if cell service is restored. If not, turn it back off, and try again later.
Likewise, don’t send sensitive information over public WiFi. In the wake of a disaster, it’s all too easy for scammers to intercept traffic and collect passwords, credit card numbers, banking information, and other private data.
We can’t prevent hurricanes, and it’s likely there will always be scammers and hackers among us. However, a little caution can help us avoid being victims of a man-made disaster at the same time we deal with nature’s worst destruction.
Unwanted text messages are always annoying, but some can be dangerous. Smishing is a phishing attempt carried out via text and it can be more effective than you might think.
We’ve all been there — waiting on an important text message, receiving a notification, and opening the phone only to see a message about our car’s warranty expiring.
Isn’t that just the worst?
As it turns out, no. Far more damaging are the ones that bring phishing and spear-phishing into the more personal, less-guarded world of SMS texting. You’ve probably heard the portmanteau “smishing” (SMS + phishing) to describe the practice, but you may wonder how and why it works. More importantly, you should know what you can do to make sure it doesn’t happen to you.
The psychology of smishing
At its essence, smishing is a form of social engineering that relies on the implied urgency and intimacy of a text message. Whereas most businesses have effective spam and virus filters in place, and we’re reminded often about the dangers of email, text messages often bypass company security. What’s more, they occupy a different place in our minds than standard business communications.
If email reflects the type of discussion you might have in the conference room, texting is more like banter over drinks after work. In the former, we’re conscious about what we say and what we hear. In the latter, we’re more relaxed and trusting of those around us. And, like other forms of social engineering, that’s what hackers count on when they send a smish.
Enabling technology
There are several widely available consumer-grade apps that allow the user to spoof a phone number, display a fake name, and send a message directly to voicemail or text. In the name of privacy, they offer anonymity to the sender, making it extremely hard to trace. Though the phone companies are working to identify and warn users that such messages may be fake, more customizable and concealable apps are available for sale on the dark web.
As with email, these provide scammers with the ability to deliver malicious phishing links to a broad audience. One click could download malware to your device or take you to a website that will attempt to harvest your credentials. But more troubling is the advanced spear-phishing abilities they provide. We might suspect a direct request for money (or gift certificates) or something obvious. However, consider the image above and ask yourself how many of your employees would immediately comply just to be helpful. If they do, it could render your multi-factor authentication meaningless.
Protecting yourself and your company
There are several other ways smishing can put your organization at risk, and there’s only so much technology can do to protect. With that in mind, here are several things you can do to make sure you and your organization don’t become smishing victims.
Remember that a legitimate person or company sending you a text message will want you to be wary and check.
Even if you recognize the company, think about other texts you’ve received from them. Most pay services, like Venmo and PayPal for example, include “we will never call or email you to request this PIN.” Most banks tell you to login to their site rather than include a URL in the text.
Even if the phone number looks correct, remember that numbers and names are easily spoofed. A strong phish may email, text, and call you so that you feel like someone has backed up the claim that it’s legit.
A true alert should provide a way for you to take the requested action without using the text. Login to a trusted URL that you have bookmarked. Call the number on the back of your credit card to confirm. Or, reach out in some other way that doesn’t rely on information provided by the same person or company.
Messaging apps often provide a way that you can report spam, scams, and phishes. Reporting them helps them block further attacks and makes it harder and more expensive for the hacker to continue.
The bottom line is that any form of electronic communication is subject to compromise by a determined hacker and there is an ongoing “arms race” between hackers and the experts working to keep us safe. That’s why personal vigilance will always be the most important security measure in our cybersecurity toolkit.
There ought to be words for these things . . . and now there are. How many examples do you see in your work each day?
Over the course of hundreds of penetration tests, red team assessments, and incident responses, we’ve encountered situations that left us without words. So, rather than just stand around speechless, we decided to create some new verbiage to fill in the blanks. See if you find any of these appropriate around your office or within your company.
Againstigation. uh-gain-stuh-GAY-shun. n. Studying the root causes of a large-scale breach even though the same basic tactics have been used repeatedly and the underlying problems remain.
Backoops. BACK-oopz. n. The act of deploying a secure backup solution after sensitive company data has been encrypted by ransomware.
Breacher’s pet. BREE-churz-pet. n. Anyone who leaves helpful notes with usernames and passwords on sticky notes attached to their monitor.
Chivalregret. SHIV-ul-ree-gret.n. The realization that a person for whom you’ve politely opened a door was actually a hacker who has now owned your network.
Clickmate. KLIK-mate. n. The moment when a hacker realizes a phishing campaign has captured the credentials of a network administrator.
Cyberchosis.si-bur-KO-sus. n. Delusional state that causes business owners to imagine they live in a world where hackers only attack other companies.
Duhpgrades. DUP-gradez. n. A series of long-overlooked and time-consuming upgrades that must be completed before a critical software patch can be installed.
Homepwnrship. HOME-PONE-er-ship. n. Taking over a corporate network by first hacking a remote worker who fails to follow proper security protocols.
Pastword. PAST-werd. n. 1) A password in use on multiple sites. 2) Any password that remains in use after a site where it is used has been hacked.
Pen-guesting. PIN-guess-ting. v. Using visitor login information to access sensitive data improperly secured on a company network.
Premiscuity. pri-miss-KEW-e-tee. n. Allowing an unknown person or persons into secure areas of a facility.
Ransomdare. RAN-sum-dair. v. To passively invite a cyberattack by refusing to provide cybersecurity training, allowing poor password hygiene, and failing to employ secure backup.
Do you have any terms you’d like to add to our list? If so, visit us on Facebook, LinkedIn, Twitter, or Instagram and leave us a message. Better yet, share this post and bring your friends in on the fun.
If you’d like to learn about cybersecurity terms we didn’t just make up, visit our glossary.
Clickjacking is an easily preventable but sometimes difficult to understand vulnerability. In this article, we’re going to talk about the different ways this vulnerability can be exploited, the associated risk, and how to defend yourself against these types of attacks.
Let’s start with an explanation of how this attack works.
What is Clickjacking?
At its core, clickjacking is an attack that is made possible when the web application does not implement the proper protections against embedding its pages in an iframe. An attacker leverages this behavior to “hijack” a user’s click and trick them into executing an action in their account.
I’ve set up an instance of bWAPP, an intentionally vulnerable web application by ITSec Games, that will allow us to look at a clickjacking attack in practice. Our vulnerable web application is running at “bwapp.raxis.local,” and you’ll see this reflected in the screenshots and sample code below.
Finding a Target
The first thing we’ll need to do is find a page we can target. When looking for a page that might be vulnerable to clickjacking, it should allow for an action that meets three criteria:
It can be executed in a single click (or very few);
It affects a logged in user; and
It could have an undesirable effect on the user or the organization.
It looks like our vulnerable web application has a page that meets all three criteria:
This page allows authenticated users to purchase movie tickets in a single click with a default of 10 tickets. No confirmation is required, and without manipulating the forms on this page, this will result in an unwanted purchase of €150 worth of movie tickets.
This behavior might seem unlikely to exist in the wild, but there are many different types of susceptible pages, from order confirmations like this to functionalities allowing a user to delete entire databases. Some of these susceptible pages may even incorporate parameters in the URL, which can be passed by an attacker. For example, an application might use a URL like the one below to create an order confirmation page dynamically:
Now that we have our target page, let’s look at how to use it in an attack.
The first thing we need to determine is whether the target page can be embedded in an iframe. While there are several methods of doing this, the easiest and most reliable by far is to try to embed a target page into an iframe on an attacker-controlled web page and see if it works. Let’s code up the web page now.
As we can see, there’s nothing very complex to this code. It’s a barebones HTML file, which includes an iframe referencing the page we want to embed. Let’s open up our HTML file in our browser and see if this works.
The web page loads into the iframe without issue. We can also see that, since we were already logged in to bWAPP, our session carried over.
Executing the Attack
Now that we have a good idea that the page is vulnerable, all we have left to do is code up a page designed to trick the user into clicking the Confirm button and convince the user into visiting to our malicious page.
To build this malicious page, we’re going to construct an enticing user interface:
Then, we’ll stick the iframe on top and align the Confirm button with the View button. I’ve made the iframe partially transparent in the screenshot below so you can see the multiple layers.
And finally, we’ll make the iframe completely transparent so that the user doesn’t even know that it’s there.
Now, when the user clicks the view button, they’ll actually be clicking the invisible Confirm button and purchasing 10 movie tickets, provided they’re logged in to their account.
Mission accomplished.
Here is the code that I threw together quickly for the purposes of this demo:
Perhaps the trickiest part of this attack is coming up with a method that will get users to go to our malicious page. An attacker might:
Post a link to the malicious page in social media
Email a malicious link to a user or group of users
Embed a link in a QR code
Attach the malicious HTML file to an email
Leverage another vulnerability such as cross-site scripting (XSS) or open redirection
When Clickjacking isn’t Clickjacking
Let’s look at a different style of attack that’s popular among some penetration testers. This attack embeds a login page and places input elements on top of the login fields:
The overlaid fields are shown in blue for this article but would normally be completely invisible to the user. When a user fills out this form and submits it, the login request is instead sent to an attacker-controlled server, giving the attacker access to the user’s unencrypted credentials. You can read more about this style of attack here.
But is this type of attack really considered clickjacking? It involves an embedded iframe and overlays, but it is drastically different from our previous example. To determine this, let’s put ourselves into the mindset of an attacker.
As an attacker, our goal here is to capture as many credentials as reliably as possible while evading detection. There are at least two approaches we can take:
Embed the target login page in a malicious HTML page as shown in the proof of concept, or
Clone the HTML code of the login page and modify the form to send to a malicious server
These approaches are very similar. Both require hosting the page on a malicious web server, both require misleading the user into visiting a malicious link, and both redirect user input to a malicious server. Both approaches even run the same risk of the malicious web server being reported, blocked, or shut down.
However, when embedding the login page, there are additional factors that the attacker must consider:
The target login page may already have clickjacking protections in place;
The target login page could be altered, breaking the malicious page;
The target login page could implement clickjacking protections, breaking the malicious page;
The target login page cannot be easily modified by the attacker;
It’s possible for the target page to determine and report the URL of the malicious page; and
The malicious page may not look or function correctly if the window is resized
When considering the large number of downsides of using an iframe and overlay elements to conduct this attack, it is extremely unlikely that an attacker would attempt to execute it through clickjacking. Far more likely is that an attacker would simply clone the login page using a myriad of freely available tools designed to do exactly this.
Implementing protections against clickjacking would not stop this attack from occurring. Instead, the attacker would simply clone or recreate the page, which cannot be prevented. The proof of concept itself is also a stretch from the commonly agreed upon definition of clickjacking. For these reasons, Raxis in most cases no longer considers this type of attack to be clickjacking. Instead, we label this as a misconfigured security-related header, which continues to inform the customer of the small but perceptible risk, without blowing what’s essentially a non-exploitable vulnerability out of proportion.
Protecting Against Clickjacking
Despite the complex nature of a clickjacking attack and its reliance on phishing, developers should still take a layered approach to protecting their applications from this type of attack. This can be done by properly configuring two response headers and by properly setting flags on cookies.
Content-Security-Policy
For the uninitiated, Content-Security-Policy is a highly versatile header which can offer a large amount of protection to the end user when configured properly. You can generate one at https://report-uri.com/home/generate, and verify your existing one at https://csp-evaluator.withgoogle.com/.
To prevent pages from being embedded in iframes, we can use the frame-ancestors directive. Here’s a few ways this can be properly implemented:
Content-Security-Policy: frame-ancestors ‘none’ – Prohibits the page from being embedded anywhere
Content-Security-Policy: frame-ancestors ‘self’ – Allows the page to be embedded on the same domain only (exclusive of subdomains)
Content-Security-Policy: frame-ancestors https://*.raxis.local https://raxis.local – Allows the page to be embedded on raxis.local and any of its subdomains
X-Frame-Options
X-Frame-Options used to be the primary line of defense against iframe embedding but has since been made obsolete by the frame-ancestors directive. Unless, of course, your users are using any version of Internet Explorer. To cover all our bases and take off this 1.1% of users, we need to add this header for legacy purposes. Configure this header in one of the following ways:
X-Frame-Options: DENY – Prevent the page from being embedded anywhere
X-Frame-Options: SAMEORIGIN – Allow the page to be embedded on the same domain only
Cookie Attribute – SameSite
A relatively new cookie attribute, SameSite, can also help protect against clickjacking by restricting the conditions in which cookies (such as a session token or JWT) are sent by the browser.
As of mid-2020, SameSite is set to Lax by default when the attribute is not set in Set-Cookie. This value prevents cookies from being sent in iframes, which essentially breaks any clickjacking attack that relies on the user being logged in.
To use the SameSite attribute as an additional layer of protection against clickjacking, configure the SameSite attribute on your session-related cookies to one of the following values:
SameSite=Strict – No cross-site cookies, ever
SameSite=Lax – Cross-site cookies only when the user is navigating to the original site
Since Lax is the default, you can leave this value unconfigured, but it’s a best practice to explicitly configure it as one of the above values, both from a documentation and security standpoint.
I’m Matt Dunn, lead penetration tester at Raxis.This is a summary of the first stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the AD Self Service Plus Version 6.1.
Summary
Recently I discovered a stored cross-site scripting (XSS) vulnerability in the Zoho-owned ManageEngine AD Self Service Plus for Version 6.1 (CVE-2021-27956). The vulnerability exists in the email field of search results on the page: /webclient/index.html#/directory-search. After searching for a user, if the “More” tab is clicked, the email field is loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.
Proof of Concept
The vulnerability can be triggered by inserting HTML content, in this case script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:
<script>alert(document.cookie)</script>
An example of this on one such user is shown here:
After searching for that user, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML as loaded is shown here:
After loading the search page, clicking the “More” tab triggers the vulnerability, which is shown in Figure 3:
Affected Versions
Raxis discovered this vulnerability on ManageEngine AD Self Service Plus 6.1, build 6100.
Remediation
Upgrade ManageEngine AD Self Service Plus to Build Version 6104 immediately. The ServicePack can be found here with release notes here.
Disclosure Timeline
February 19, 2021 – Vulnerability reported to Zoho
February 19, 2021 – Zoho begins investigation into report
March 5, 2021–CVE-2021-27956 assigned to this vulnerability
May 8, 2021 – Zoho releases patch for this vulnerability
Ever wonder if hackers sit around talking about phishing expeditions and the “big one” that got away? The big one, of course, being a huge cache of sensitive data.
According to research from Proofpoint, those conversations probably don’t happen nearly as often as they should. That’s because 75% of organizations around the world experienced a phishing attack in 2020, and nearly 75% of attacks aimed at US businesses were successful. Sadly, not many actually get away.
What makes this stat even more concerning is the same report found that 95% of organizations claim to deliver phishing awareness training to their employees. That tells me the training isn’t being validated with the type of rigorous testing it takes to make sure it’s working.
To make sure we’re all clear on terminology, phishing is the practice of sending emails pretending to be from reputable companies or people in order to entice an individual to reveal information such as passwords or sensitive data. Verizon’s 2020 Data Breach Investigations Report found that phishing was the second-leading threat action behind security incidents and the top activity that led to data breaches.
As a lead penetration tester at Raxis, I work with our clients to figure out what type of test they need, and then I customize a phishing attack designed to trick their employees and even their spam and virus filters, depending on the scope. Just like the blackhats, I’ll use any trick I can to get employees to give me their credentials or click on a malicious link. Unlike my unethical counterparts, however, all my phishing is catch-and-release.
In today’s video, I share some of my favorite tips and tricks for phishing assessments. The reason I’m happy to show you how is because, the more realistic the testing, the better prepared companies are when the bad guys come calling.
Phishing attacks are a significant threat to all organizations, no matter the size. It is important that members in your organization are up to date on security training, know how to spot the most common phishing scams, and understand the safeguards in place to help protect them and the company.
Raxis offers a variety of cybersecurity services, such as penetration testing, red team assessments, and other ethical hacking solutions, to help companies take a proactive approach to improve their security posture.
