Tag Archives: Vulnerability

Subdomain Enumeration

Subdomain enumeration is an information gathering technique used to map every site an organization exposes to the internet. In large organizations it is very common to find forgotten websites that still carry vulnerabilities or sensitive data, so subdomain enumeration is also important for bug bounty work.

The first technique is searching passive DNS sources. There are many ways to look up DNS information, but keep in mind that records for decommissioned servers may remain in these archives and caches, so every name you find is only a candidate until it actually resolves.

DNSdumpster.com: gives archived information about a domain together with extras such as geolocation, an Nmap port scan, a visualization of the domain mapping, and HTTP responses showing whether a site is alive or not.

crt.sh: searches Certificate Transparency logs for SSL/TLS certificates issued to a domain and its subdomains, including wildcard and multi-name (SAN) certificates.

VirusTotal: searching for a domain in VirusTotal lists the subdomains it has observed, along with additional information about the domain.

The other technique is automated enumeration with dedicated tools.

amass: has many options for enumerating subdomains and the assets (IP addresses, ASNs, certificates) associated with them.

Sublist3r: lists the subdomains of a domain using search engines and passive sources, and also has a brute-force module, subbrute, that takes a domain wordlist (enabled with the -b option).

#sublist3r -v -d facebook.com
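
The following is an added example, not code from the original post or from any of the tools above. It turns a crt.sh JSON response (the shape returned by https://crt.sh/?q=%25.example.com&output=json) into a de-duplicated list of in-scope hostnames, then separates names that still resolve from names that survive only in archives, which is the caveat about decommissioned servers above. The JSON sample and the hostnames are constructed; the resolver is swappable so the demo runs offline.

```python
"""Added example: extract subdomains from crt.sh JSON and separate live
from stale names. Sample data is constructed and fictional."""
import json
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed sample in crt.sh's JSON shape; all names are fictional.
CRT_SH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},        # several names per entry
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nold-intranet.example.com"},  # wildcard + forgotten host
    {"issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "Mail.Example.com",
     "name_value": "Mail.Example.com"},                     # mixed case
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil.net",
     "name_value": "example.com.evil.net"},                 # lookalike, out of scope
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com"},                      # duplicate certificate
])


def extract_subdomains(crt_json: str, domain: str) -> List[str]:
    """Return sorted, unique hostnames under `domain` found in crt.sh JSON.

    Handles the quirks that trip up naive parsing: several names per entry
    separated by newlines, wildcard entries, mixed case, and certificates
    whose name merely contains the domain string (example.com.evil.net).
    """
    domain = domain.lower().strip(".")
    found = set()
    for entry in json.loads(crt_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):          # "*.example.com" -> "example.com"
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def default_resolver(name: str) -> bool:
    """True if the name currently resolves (A/AAAA). Needs network access."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def split_live(names: Iterable[str],
               resolver: Callable[[str], bool] = default_resolver) -> Tuple[List[str], List[str]]:
    """Split candidate names into (resolving, stale) lists.

    Passive sources keep records for decommissioned hosts, so a name from
    crt.sh is only a candidate until it resolves. Stale names are still
    worth keeping: they reveal naming patterns and hosts that may return.
    """
    live, stale = [], []
    for n in names:
        (live if resolver(n) else stale).append(n)
    return live, stale


if __name__ == "__main__":
    subs = extract_subdomains(CRT_SH_SAMPLE, "example.com")
    print("candidates:", subs)
    # Offline demo: pretend only the two public hosts still resolve.
    fake_dns = {"www.example.com", "example.com"}
    live, stale = split_live(subs, resolver=lambda n: n in fake_dns)
    print("live:", live)
    print("stale (archive only):", stale)
```

Replacing the sample with a real `curl -s 'https://crt.sh/?q=%25.example.com&output=json'` response and dropping the fake resolver gives a working first pass; the stale list is exactly where the forgotten websites mentioned above tend to show up, so it deserves a manual look rather than being discarded.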

Carbon Black Critical Bug

VMware Carbon Black has published an update resolving a critical authentication bypass vulnerability in the Carbon Black App Control product. App Control is an application allow-listing solution that locks down critical systems and servers to prevent unwanted changes and to maintain continuous compliance with regulatory mandates.

The vulnerability is tracked as CVE-2021-21998. VMware Carbon Black App Control versions 8.6.x, 8.5.x, 8.1.x, and 8.0.x are affected.

With this authentication bypass, a threat actor with network access to the App Control management server can bypass authentication and obtain administrative privileges. With those privileges an attacker can read critical information on the system and disable the EPP and EDR features on the managed endpoints.

VMware states that the vulnerability is fixed in versions 8.6.2 and 8.5.8. Upgrading is critical; until the upgrade is done, the management server should not be reachable from untrusted networks.

SQL Injection Vulnerability in WPStatistics

WP Statistics, as the name suggests, is a plugin that lets site owners view and display their visitor counts. It also records visitors' IP addresses and countries.

The Wordfence Threat Intelligence team announced that they found a vulnerability in the WP Statistics plugin, which is installed on more than 600,000 WordPress sites. It is an SQL injection vulnerability and allows unauthenticated visitors to read information from the site's database, including user emails and password hashes.

Description: Unauthenticated Time-Based Blind SQL Injection
Affected Plugin: WP Statistics
Plugin Slug: wp-statistics
Affected Versions: < 13.0.8
CVE ID: CVE-2021-24340
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 13.0.8

WP Statistics lets administrators see page statistics such as how much traffic each page receives, and according to the researchers this feature let attackers query the database without authorization. As they wrote in their post: “As this was a Time-Based Blind SQL injection vulnerability, exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records, but high-value information such as user emails, password hashes, and encryption keys and salts could be extracted in a matter of hours with the help of automated tools such as sqlmap. In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.”

XSS Detection and Prevention

XSS is a common and very widespread vulnerability that has appeared in the OWASP Top 10 since its first edition. It is hard to detect and dangerous, because an attacker can do whatever the victim user can do and see whatever the user can see, including passwords and financial information.

XSS has two main types: Stored XSS, where the malicious script is injected directly into the vulnerable application (for example into a database field) and served to every visitor, and Reflected XSS, where the script is reflected from a request into the page and is executed when the victim clicks a crafted link.

Because XSS attacks are hard to detect, here are some detection and prevention suggestions.

Detection:

Common XSS payloads use HTML tags like <script></script>, <BODY>, <INPUT>, or <IMG>. Attackers can also use encoding to bypass safeguards, as below;

XSS Script: <script>alert(“XSS”)</script>

URL-encoded (percent-hex): %3cscript%3ealert(“XSS”)%3c/script%3e

It is important to check the logs for these tags to detect an XSS attack. Attackers also use double encoding, because some WAFs decode the traffic only once before inspecting it;

Double encoded: %253cscript%253ealert(1)%253c/script%253e

Some filters only block lower-case strings, so attackers mix the case to bypass them;

Toggle case: <sCRipT>alert(“XSS”)</ScRiPt>

It is also possible to detect XSS attacks in logs with a regex;

To detect an attack like; <script>alert(1)</script>

It is possible to check with this regex, run case-insensitively and after URL-decoding the request so that single or double encoding cannot hide the tag; ((\%3C)|<)((\%2F)|\/)*(script)((\%3E)|>)
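
The following is an added example, not code from the original post. It runs the script-tag regex above over constructed access-log lines (Apache combined format, fictional IPs) and shows the two preprocessing steps the bypasses above call for: percent-decoding repeatedly until the request stops changing, so double encoding collapses to plain text, and matching case-insensitively, so <sCRipT> is caught. The regex is the post's, written without the unnecessary backslashes before `%`.

```python
"""Added example: detect <script> injection attempts in web server logs,
decoding URL encoding (including double encoding) before matching.
Log lines are constructed."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Same pattern as in the text: "<" or "%3C", optional "/" or "%2F", "script", ">" or "%3E".
SCRIPT_TAG = re.compile(r"(%3C|<)(%2F|/)*(script)(%3E|>)", re.IGNORECASE)

# Constructed access log lines (Apache combined format, fictional addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2021:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:10:01:07 +0000] "GET /search?q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:10:01:09 +0000] "GET /search?q=%253cscript%253ealert(1)%253c/script%253e HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:10:01:11 +0000] "GET /search?q=<sCRipT>alert(1)</ScRiPt> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2021:10:02:00 +0000] "GET /docs/javascript-tutorial HTTP/1.1" 200 9000 "-" "curl/7.68.0"
"""


def fully_decode(s: str, limit: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %253c -> %3c -> < is seen as "<" just like a single-encoded request."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def request_path(line: str) -> str:
    """Pull the request target out of a combined-format log line."""
    m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
    return m.group(1) if m else ""


def find_xss(log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_path) for every line whose decoded request
    contains a script tag in any of the encodings discussed above."""
    hits = []
    for line in log.splitlines():
        path = fully_decode(request_path(line))
        if SCRIPT_TAG.search(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits


if __name__ == "__main__":
    for ip, path in find_xss(SAMPLE_LOG):
        print(f"{ip}  {path}")
```

The decoding step matters more than the pattern: without it, the double-encoded line is invisible to the regex. The pattern itself only covers `<script>`; the other tags listed above (`<IMG onerror=...>`, `<BODY onload=...>`) need their own patterns, and any such rule will produce false positives on legitimate content that discusses HTML, so treat matches as leads for investigation rather than proof of an attack.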

Prevention:

  • To prevent XSS, the web application must HTML-encode the output it sends to users, so the browser displays the injected text instead of executing it. The encoding must match the output context (HTML body, attribute value, JavaScript, URL); body encoding alone does not protect an unquoted attribute
  • A WAF can detect and block known XSS patterns (and similar attacks such as file inclusion), but it is a complement to output encoding, not a replacement; the encoding and case bypasses above show why
  • All non-alphanumeric characters in user input must be checked (or encoded) before the input is displayed in the web application
  • PKI must be used for authentication
  • A security code review is needed to identify XSS vulnerabilities; trace every place where input from an HTTP request reaches the output
  • Attackers can use many different HTML tags and attributes, so a vulnerability scanner makes it easier to test all of them against the application
  • Check headers, cookies, query strings, form fields and hidden fields in the code with a security perspective; all of them are attacker-controlled input
  • Limit input fields to a maximum character count wherever user input is allowed in the web application
  • Do not publish users’ input directly in forums and comment fields; review comments with a security perspective first
  • Use a proxy and web content filtering in the organization to filter unnecessary websites, especially forums
  • Do not trust HTTPS when it comes to XSS: TLS encrypts the page in transit but delivers an injected script to the browser just like any other content
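
The following is an added example, not code from the original post. It demonstrates the first prevention item: the same reflected value rendered without encoding and with HTML encoding, and then the context caveat, a payload with no special characters at all that still becomes an event handler when the attribute is left unquoted. Python's standard `html.escape` and `html.parser` are used; the parser plays the role of the browser's tokenizer so the demo can check what actually becomes a tag or attribute rather than just looking at strings. Templates and payloads are constructed.

```python
"""Added example: output encoding against reflected XSS, and why the
encoding must match the output context. Payloads are constructed."""
import html
from html.parser import HTMLParser

PAYLOAD = '<script>alert("XSS")</script>'
ATTR_PAYLOAD = "x onmouseover=alert(1)"   # contains none of < > & " '


def render_vulnerable(name: str) -> str:
    # Raw interpolation: whatever the user sent is parsed as markup.
    return f"<p>Hello {name}</p>"


def render_escaped(name: str) -> str:
    # HTML-encode for the HTML body context: < > & " ' become entities,
    # so the browser shows the text instead of creating a <script> element.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_unquoted_attr(name: str) -> str:
    # Escaping alone is NOT enough in an unquoted attribute: a space ends
    # the value and the remainder is parsed as a new attribute.
    return f"<input value={html.escape(name, quote=True)}>"


def render_quoted_attr(name: str) -> str:
    # Quote the attribute AND escape; quote=True turns " into &quot; so the
    # payload cannot terminate the value.
    return f'<input value="{html.escape(name, quote=True)}">'


class ScriptFinder(HTMLParser):
    """Record <script> tags and on* handler attributes as the tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.handlers += [a for a, _ in attrs if a.startswith("on")]


def executes_script(markup: str) -> bool:
    """True if the markup contains a real <script> element or an event handler
    attribute (a rough proxy for 'the browser would run attacker code')."""
    p = ScriptFinder()
    p.feed(markup)
    p.close()
    return p.script_tags > 0 or bool(p.handlers)


if __name__ == "__main__":
    for label, out in [
        ("vulnerable body", render_vulnerable(PAYLOAD)),
        ("escaped body", render_escaped(PAYLOAD)),
        ("escaped but unquoted attribute", render_unquoted_attr(ATTR_PAYLOAD)),
        ("escaped and quoted attribute", render_quoted_attr(ATTR_PAYLOAD)),
    ]:
        print(f"{label:34} executes={executes_script(out)!s:5}  {out}")
```

The third case is the one that gets past code reviews: `html.escape` leaves `x onmouseover=alert(1)` untouched because it contains nothing to escape, yet `<input value=x onmouseover=alert(1)>` gives the attacker an event handler. Quoting the attribute closes that hole, and a JavaScript or URL context needs its own encoder again; a templating engine that escapes by context does this for you, which is why it should be preferred over hand-built string formatting.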

OpenVAS Vulnerability Scanner

OpenVAS is a vulnerability scanner that comes preinstalled in both Kali and Parrot. It is completely free, but even though it is preinstalled you need to set it up before you can use it.

First, you need to start a new installation (the menu entry runs the “gvm-setup” command);

Meanwhile, if you have updated your Kali or Parrot, you may see an error like the following when trying to run OpenVAS;

“the default postgresql version is not 13 required by libgvmd”

It happens because two versions of PostgreSQL are installed on the machine and the older one is still the default cluster; it is easy to fix, and the solution can be found here (https://joepke.com/).

After solving the PostgreSQL issue, start the installation again with “gvm-setup”; it takes a while to download and install all the feeds and modules;

When the installation completes, OpenVAS generates a complex password for the admin user. Do not forget to save it.

After these steps we need to start the OpenVAS services with “gvm-start”.

Then it is ready to use in the browser at https://localhost:9392


You can check whether the installation was successful with the “gvm-check-setup” command or from the “Applications > Pentesting > Vulnerability Analysis > OpenVAS – Greenbone > Check Setup of Greenbone Vulnerability Management” menu.

You can check newly updated CVEs from the “SecInfo > CVEs” menu; all CVEs in the synced feed are listed there.

Scanning with OpenVAS:

To start scanning, we first need to create a target from the Configuration > Targets menu.

From the Scans > Tasks menu, we create a new scan task, select the target created in the previous step as the Scan Target, and save the task. Then we can start the scan from the same Scans > Tasks menu. When the scan completes, its status is shown as “Done” and the results can be read from Scans > Reports.