Security is too often an afterthought in the software development process. It's easy to understand why: application and software developers are tasked with getting rid of bugs and adding new features in updates that must meet a grueling release schedule.
Asking to include security testing before an update is deployed can bring up problems that need to be fixed. In an already tight timeline, that creates tension between developers and the security team.
If you're using traditional pentesting methods, the delays and disruption are too great a burden for the development team, who are likely working a continuous integration and continuous delivery (CI/CD) process. Or, if you're using an automatic scanner to detect potential vulnerabilities, you're receiving a long list of low-level vulns that obscures the most critical issues to address first.
Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it's increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That's not to knock open-source software, but rather to say that a critical vulnerability can pop up at any time and it's more likely to happen than not.
If a critical vulnerability is found (or worse, exploited), the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and to invest an additional $150 million in its data security operations.
This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate.
If you want to improve the security of your software and app development, here are some tips from Synack customers:
Highlight only the most critical vulns to the dev team. The development team only has time to address what's most important. Sorting through an endless list of vulns that might never be exploited won't work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.
Don't shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company's reputation and your customers' data is the shared goal.
Embrace the pace. CI/CD isn't going away, and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found and fixed, document the process for next time. And if there's enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify that patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you'd like with Synack's testing offerings and catalog of specific checks, such as CVE and zero-day checks.
Security is a vital component of every company's IT infrastructure, but it can't stand in the way of the business. For more information about how Synack can help you integrate security checkpoints into your dev process, request a demo.
A Vulnerability in an Oracle WebLogic Server Allows Attackers to Perform Remote Code Execution via HTTP Request
In this installment of Exploits Explained, we're going to demonstrate a vulnerability in an Oracle WebLogic Server that allows attackers to perform remote code execution via a single HTTP request.
To see the vulnerability in action, read on, or check out this video walkthrough:
This vulnerability was recently encountered by one of our Synack Red Team researchers during a web application penetration test.
Here's why this vulnerability is such a big deal:
1. It's a Remote Code Execution (RCE) vulnerability, which is the root cause of many modern ransomware attacks
2. It affects a widely distributed application
3. There's a public exploit available
4. It's not hard to pull off and requires no authentication
While this particular vulnerability has already been patched, we'll walk you through how an attacker would be able to exploit it in the wild.
Oracle WebLogic Server sets an auth flag based on the URL paths in requests. Attackers were able to determine the allowed paths via the values set in "WebAppSecurityWLS.getConstraint()". In this attack, the path is set to /css/, and when the web application evaluates the request, it sets the value of "flag unrestrict" to true. This allows the request to be passed along unauthenticated. The attacker then uses path traversal to reach the console.portal endpoint.
The console.portal portion of the web application can use a constructor called ShellSession.exec(), which allows system commands to be run on both Linux and Windows systems.
These commands are sent via an MVEL expression under the handle "com.tangosol.coherence.mvel2.sh.ShellSession". In the publicly available exploit, the MVEL expression contains a function that evaluates the value of an HTTP header named cmd and uses this value as the command to be executed. As seen here:
The output of the command is then written into the server's response, where the attacker can see the results of the command sent.
The server's response for the commands whoami and ipconfig can be seen here:
This was patched in the October 2020 Critical Patch Update or CPU. These are some of the affected versions:
Organizations running these versions of Oracle WebLogic Server should review logs for HTTP requests made to the console.portal endpoint or any requests containing the double-URL-encoded value for ../ (%252E%252E%252F).
Organizations should also check for any suspicious processes spawned by the application. This typically includes cmd.exe (for Windows) or /bin/sh (for *nix systems).
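As an added example (not part of the original post), here is a small Python log scanner for the two log indicators just described: requests that reach the console.portal endpoint and requests carrying the double-URL-encoded ../ (%252E%252E%252F). The access-log layout, client addresses and paths in the sample are constructed for the example; adapt the request regex to your own log format.

```python
"""Flag access-log lines that match the WebLogic console-bypass indicators."""
import re
from urllib.parse import unquote

# Constructed sample log in a Common Log Format style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2020:10:01:02 +0000] "GET /console/css/%252E%252E%252Fconsole.portal HTTP/1.1" 200 512
10.0.0.7 - - [01/Nov/2020:10:01:05 +0000] "GET /console/css/styles.css HTTP/1.1" 200 2048
10.0.0.9 - - [01/Nov/2020:10:02:11 +0000] "GET /console/console.portal?_nfpb=true HTTP/1.1" 401 0
10.0.0.11 - - [01/Nov/2020:10:03:00 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 128
10.0.0.12 - - [01/Nov/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Pulls the method and request path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def indicators_for(path: str) -> list[str]:
    """Return the names of the indicators a single request path matches."""
    found = []
    # Indicator 1: the double-encoded ../ exactly as the article lists it
    # (compared case-insensitively, since %2e and %2E are equivalent).
    if "%252e%252e%252f" in path.lower():
        found.append("double-encoded ../")
    # Indicator 2: the request reaches console.portal. Decoding twice means a
    # path hidden behind encoded traversal still reveals its real target.
    decoded = unquote(unquote(path))
    if "console.portal" in decoded.lower():
        found.append("console.portal")
    return found


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, path, indicators) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        indicators = indicators_for(match.group("path"))
        if indicators:
            client = line.split(" ", 1)[0]
            hits.append((client, match.group("path"), indicators))
    return hits


if __name__ == "__main__":
    for client, path, indicators in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(indicators)}")
```

A hit on console.portal alone may be a legitimate administrator, so correlate it with the source address and with the process checks described above before escalating.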
It's critical that organizations check to make sure they can't be compromised by this vulnerability by performing penetration testing. We recommend taking a crowdsourced penetration testing approach for higher quality results and to achieve a true adversarial perspective.
Stay tuned to the Exploits Explained series for further walkthroughs of vulnerabilities encountered by the SRT in the field.