Archive June 2018

Red Teaming: Flaring CSP Report-URIs

TL;DR: This is a flaring script for CSP report-uri endpoints. It distracts the blue team by sending random false positives.

No question: CSP and report-uri are a strong team, and they help the blue team detect you. In the latest Red Team Assessment we had an externally available employee portal. It was largely custom-written, although I assumed it was built around a template engine. We also had a few other external sites. Perfect material for XSS. But wait, there is more: multiple deployed CSPs. Even if they weren’t that sophisticated, they might make your life as a red team member harder.

In my mind’s eye I could see the blue team checking their reports while the assessment was going on.

But what if this could help us in some way? While you may trigger a WAF to report some false positives, with the report-uri this is even easier: you literally can send your own “alerts”, and you can determine when and what gets reported.

Local File Include with Redirects

Local File Inclusion via Remote Redirect

When you pentest a web app, it is not unlikely that you find something like this:

Sometimes the developer thought only of injection inside the input value. When only the input value is sanitized, you might be lucky with a remote-to-local redirect: a URI like “https://example.com/xyz” redirects to “file:///…”.
