Introduction In early 2020, we had a situation where we wanted to abuse a known username enumeration issue in Atlassian products. The vulnerability allows to enumerate valid username, but if an attacker wants to bruteforce the identified accounts, a CAPTCHA is displayed in the login page and…

In early 2019, I had to assess the latest version (9.1r3 at the time) of Pulse Secure Connect Client, an IPSEC/SSL VPN client developed by Juniper. Given that the client allow end users to save their credentials, one of my tests included verifying how an attacker could recover them. The attacker…

Initial Discovery During a recent engagement I identified an open redirect where a GET parameter would be reflected as-is in the HTTP response Location header without any kind of sanitization. Something similar to this: Trying multiple kinds of injections, I discovered that newlines and…

Introduction During an audit we executed in 2019, we had to test a deployment where a third party company had to remotely connect to special purpose computers to perform maintenance. At the time, they had chosen a software called RemotePC to remotely login into these special purpose computers…

Introduction TL;DR Twilio Platform Preparing Custom Setup Traffic Interception and Analysis Information Gathering DTLS Demultiplexing Intercepting Traffic to chunderm.gll.twilio.com Signalling Traffic Intercepting DTLS-SRTP Terminating DTLS with SRTP Extension Putting It All Together Spoofing…

The Qsslcaudit tool developed by my colleague Pavel provides an easy way for testing a client SSL implementation. To make testing of multiple connections even more straightforward, I created a proxy wrapper for this tool. How it works The user configures qsslcauditproxy as a proxy server on the…

Preface In this post we demonstrate how to use our tool to assess client-side TLS implementation: qsslcaudit. qsslcaudit helps determine if a TLS client (mobile application, standalone application, web service) properly validates server's certificate and if only secure protocols are supported.…

Intro On the 14th of January 2020, Microsoft fixed CVE-2020-0601, a high severity vulnerability affecting "the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates". Corresponding advisories were issued by NSA and CERT on the same day. On the next day it…

This is a new release of our tool designed to assess TLS clients security (certificates validation, protocols and ciphers support): v0.8.1. The corresponding packages for various Ubuntu versions are prepared in ppa:gremwell/qsslcaudit. Packaging for Kali is handled by Kali maintainers. The single…

During a recent engagement, we tried to enumerate email accounts by abusing previously reported user enumeration issue affecting Office 365, but found out it no longer works. In the past, sending authentication requests to ActiveSync with Basic HTTP authentication mechanism would return different…