Account Takeover in Danphe Health Hospital Management System EMR version 3.2

Any authenticated user can take over other accounts, including the admin account, due to Broken Object Level Authorization on the /api/SecuritySettings/ResetPassword endpoint.

According to Danphe Health, “Danphe EMR is an enterprise web-based application which covers all day to day aspects of Hospital management end to end. It's currently live in 50 plus hospitals in Asia (India, Nepal and Bangladesh)”.

How Spammers and Scammers Hide The External Email Banner

This article explains what I learned while discovering how an email spammer hid the “External Email” enterprise banner.

I recently noticed that some spam emails that landed in my inbox were missing the “EXTERNAL EMAIL” banners. They didn’t appear to be malicious. They simply were trying to get me to sign up for their webinar, or so it seemed from the email content. I deleted them before realizing that I hadn’t seen the usual external email banner. This piqued my interest and I decided to do an analysis to find how they removed the banner.

Better LLM Prompts Using XML

This article explains why using XML solves some problems with prompting and provides better results from an LLM.

Large Language Models (LLMs) have revolutionized natural language processing, but crafting effective prompts can be challenging. Unstructured prompts often lead to inconsistent results. Enter XML-structured prompts. XML-structured prompts enhance LLM interactions by improving clarity, accuracy, and parsability of AI responses. This concept is even more critical when using smaller models.

Finding CDN Origin Targets

This article demonstrates how to find CDN (Akamai & Cloudflare) web application origin servers. If these origin servers aren’t properly limiting source IP addresses to the CDN, you can hard-code the name-to-IP-address mapping in your hosts file to bypass the WAF.

This works to bypass WAFs when a company hosts a website through a CDN such as Cloudflare or Akamai. There are two approaches:

Scanning CDN Origin Targets

This article discusses the importance of using hostnames instead of IP addresses when conducting vulnerability scans or penetration tests. It explains how protocols like HTTP behave differently depending on how they are addressed, and how this can lead to missed vulnerabilities when only IP addresses are used.

When performing a penetration test you’re likely to start off with a list, range, or network of IP addresses. While it’s a logical first step to scan based on IP addresses, you should always follow up by scanning and enumerating based on hostnames. A webserver may respond with a different web application depending on the value sent in the request “Host” header. If you scan by IP address, the IP address is what is submitted in the Host header and the server will respond with the default web application. The default may be the default IIS page, which looks like a base installation of IIS with no other content, or it may be the default one of many hosted web applications. Enumerating DNS PTR records and TLS certificate Subject Alternative Names (SAN) is likely to provide you with a list of hostnames that an IP address hosts. If the DNS record for any particular IP address doesn’t match the SAN, you may need to add the hostname to your /etc/hosts file before continuing your scanning and enumeration. The Nuclei scanner will output any discovered DNS PTR hostnames as well as TLS certificate SANs. You should run additional scanning and enumeration targeting these hostnames.

Cracking Adobe Experience Manager Hashes

Adobe Experience Manager (AEM) password hashes are not supported by Hashcat. Follow along as I show how to install a compatible version of John, convert, and finally crack the hash.

On a recent pentest I discovered Adobe Experience Manager (AEM) password hashes from a Nuclei scan. I found that Hashcat doesn’t support cracking these hashes, although there is a forum post about it which is what ultimately led me to John.

Going the Extra Mile - BXSS Edition

As a pentester, you’re going to be going up against external or web app scopes that have been beaten up by pentesters and vulnerability scanners. This post is about using Blind Cross-Site Scripting (BXSS) to go the extra mile.

This morning I was thinking back to a pentest I did on a credit union’s customer-facing website some years ago. Their website had been tested yearly and I wasn’t expecting to find much there. About three days into a five-day test, all I had to show for findings was low severity stuff. I had been trying to pop Cross-Site Scripting (XSS) and some of my payloads were getting reflected but not popping an alert. I put in a lot of time trying to escape the context surrounding my payload, without success.

Using the Chaos DNS API to Enumerate Pentest Subdomains

For your pentest, you’re given a list of IP addresses and some domains in scope. Using this methodology you can use the Chaos API to enumerate subdomains.

I was recently preparing for an upcoming external pentest which included a very large scope. I was given a list of thousands of IP addresses, and a few hundred domain names. If you’ve ever hacked on Hack The Box you may have seen boxes where the exposed web app is different based on the hostname or vhost. An important part of performing external network pentests is enumerating domains and subdomains to help you find more web app content to hack.

Creating an Exploit PoC and Metasploit Module for CVE-2022-40022

I was helping a teammate on an internal network pentest. One of my tasks was screenshotting and reviewing HTTP/S services for default credentials and exploitable versions. That’s when I stumbled upon a Remote Code Execution (RCE) vulnerability in Symmetricom SyncServer. This post outlines the challenges we faced when developing the exploit proof of concept (PoC) and Metasploit code.