Summary TL;DR Intro Testbed Couchbase Spring Project Build Experiments Exploitation Conclusion Summary Spring applications quite often use @Query annotation. It helps to control requests executed by database servers, like customising what data to extract. It is usually…

A new version has been released of our tool which we use to assess TLS clients security: v0.8.3. The corresponding packages for various Ubuntu versions are prepared in ppa:gremwell/qsslcaudit. Packaging for Kali is handled by Kali maintainers. Each time you dive into the process of TLS handshake…

Introduction In early 2020, we had a situation where we wanted to abuse a known username enumeration issue in Atlassian products. The vulnerability allows to enumerate valid username, but if an attacker wants to bruteforce the identified accounts, a CAPTCHA is displayed in the login page and…

In early 2019, I had to assess the latest version (9.1r3 at the time) of Pulse Secure Connect Client, an IPSEC/SSL VPN client developed by Juniper. Given that the client allow end users to save their credentials, one of my tests included verifying how an attacker could recover them. The attacker…

Initial Discovery During a recent engagement I identified an open redirect where a GET parameter would be reflected as-is in the HTTP response Location header without any kind of sanitization. Something similar to this: Trying multiple kinds of injections, I discovered that newlines and carriage…

Introduction During an audit we executed in 2019, we had to test a deployment where a third party company had to remotely connect to special purpose computers to perform maintenance. At the time, they had chosen a software called RemotePC to remotely login into these special purpose computers…

Introduction TL;DR Twilio Platform Preparing Custom Setup Traffic Interception and Analysis Information Gathering DTLS Demultiplexing Intercepting Traffic to chunderm.gll.twilio.com Signalling Traffic Intercepting DTLS-SRTP Terminating DTLS with SRTP Extension Putting It All…

The Qsslcaudit tool developed by my colleague Pavel provides an easy way for testing a client SSL implementation. To make testing of multiple connections even more straightforward, I created a proxy wrapper for this tool. How it works The user configures qsslcauditproxy as a proxy server on the…

Preface In this post we demonstrate how to use our tool to assess client-side TLS implementation: qsslcaudit. qsslcaudit helps determine if a TLS client (mobile application, standalone application, web service) properly validates server's certificate and if only secure protocols are supported.…

Intro Theory Common words ECC The issue Practice Objective Input data Evil private key generation Crafting certificates Exploitation qsslcaudit Conclusion Intro On the 14th of January 2020, Microsoft fixed CVE-2020-0601, a high severity vulnerability affecting…