…and abusing localStorage, again!

I would like to share a story about one of my latest exploitations, and how it was both fun and interesting.

As I cannot disclose the details about the product I was testing, I will have to abstract and make some generic examples. So you won’t find any actual working exploit on some specific target.

What I want to focus on is how to mix XSS techniques to develop a chained exploit, and prove impact while doing so.

The Scope

For the sake of context, let’s say the target was an on-premise instance of a Java Web Application…


The devil might be in the details, but a man is in the mail

There are some concepts to keep in mind while doing e-mail forensics, or while managing e-mail messaging systems.

Nowadays, e-mails are still the main vector for communications, be it for simple notices and greetings, for business contracts, or for payments. It follows that they are also the main attack vector for malicious actors.

We are at a point in time in which the tendency is to look for sophisticated protection solutions, from next-gen AV endpoints, anti-spam, ATP, IPS and sandboxes, to the more imaginative custom rules and approaches.

While all of the above are powerful and useful, we need to remember…


…and the bad habits of companies…

Preface

While many are following the current trend, enforcing extremely complex policies and excessively frequent password changes, I am now embracing a simpler, looser approach: passwords should be easy!

I am not the first one to talk about it, so let’s take the short and easy road: what are the requirements for a good password?

A good password should be:

  1. hard to guess
  2. easy to remember
  3. not reused
  4. f̶r̶e̶q̶u̶e̶n̶t̶l̶y̶ ̶c̶h̶a̶n̶g̶e̶d̶
  5. easy / quick to type

So, point 1 is the usual: an easy-to-guess password is actually a bad habit, and this goes for simple ones, counting in…


Or how I discovered a vulnerability in the integration between ServiceDesk Plus Enterprise and Desktop Central, by means of a mixed approach.

The vulnerability itself is an unauthenticated information disclosure: the leak of the API key used by SDP and DC to establish a link, leading to the takeover of DC and the hijacking of the integration between the two (Man In the Server).

ManageEngine SDP / DC by Zoho Corp.

Background

A few months ago, I approached the ManageEngine suite’s bug bounty program, mainly because of two reasons:

  1. I had to train for the OSWE (Offensive Security Web Expert) certification
  2. Zoho doesn’t pay for bounties on ME products


ERP / SAP Penetration Test — Metasploit

What to do if we happen to be tasked with an SAP penetration test?

One of the many things I had never tried before (because of fear) was trying to mess with SAP.

Why? Because SAP is a mystery, SAP requires vertical expertise, SAP is haaaard.

False. False. False. Or rather, SAP is cryptic, hard, strange and incomprehensible unless it’s your job and almost the only thing you focus on and, because of this tough nature, many believe some big expert is needed to understand anything about it at all. …


The quieter you become…the quieter you become

Practical Steganography

A few years ago I came across a very academic challenge: it was a ZIP file containing a peculiar HTML page, and the aim was to obtain the usual FLAG.

The web page didn’t have any “juicy clue”, script, image or anything else. The only strange things were the size (a few MB) and the fact that the source was all on one line.

The element that made me suspicious was the content: it was an extract from a Wikipedia page that kept repeating itself many times. So I tried looking for differences between one repetition and another, but I couldn’t find anything at…


K8s Takeover

Talking about “learn by taking apart”, I got tired of hearing about Kubernetes (K8s) and decided to take a look at it in my own way: through CTF and ethical learning / hacking.

I am going to tell you about my personal experience, partly from CTF (Capture The Flag), and my considerations on K8s and containers in general.

Why, you say? Because containers are so coool!

What is K8s? Wikipedia explains it like this:

Kubernetes (commonly stylized as k8s) is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google and is now…


Bad Janitor — ScrUSBs

About “ephreet” (me)

Well everyone, for the sake of translation, reachability and editing capabilities, I chose this as the first of a series of articles to be moved from LinkedIn.

This is really just a “train of thoughts” and will serve more as an introduction to what I like to talk about.

I am an Ethical Hacker and a System Engineer; the job doesn’t always provide a way to actually be the former, and so I try to be a researcher / bounty hunter / CTF player whenever I can. But maybe, more than anything else, I might be just a big classic nerd.

Walter Oberacher

An Ethical Hacker and a System Engineer, I try to be a researcher / bounty hunter / CTF player whenever I get the chance.
