FreshRSS


VulnNodeApp - A Vulnerable Node.Js Application

By: Zion3R


A vulnerable application made using node.js, express server and ejs template engine. This application is meant for educational purposes only.


Setup

Clone this repository

git clone https://github.com/4auvar/VulnNodeApp.git

Application setup:

  • Install the latest node.js version with npm.
  • Open terminal/command prompt and navigate to the location of downloaded/cloned repository.
  • Run command: npm install

DB setup

  • Install and configure the latest MySQL version and start the MySQL service/daemon
  • Log in to MySQL as the root user and run the SQL script below:
CREATE USER 'vulnnodeapp'@'localhost' IDENTIFIED BY 'password';
create database vuln_node_app_db;
GRANT ALL PRIVILEGES ON vuln_node_app_db.* TO 'vulnnodeapp'@'localhost';
USE vuln_node_app_db;
create table users (id int AUTO_INCREMENT PRIMARY KEY, fullname varchar(255), username varchar(255),password varchar(255), email varchar(255), phone varchar(255), profilepic varchar(255));
insert into users(fullname,username,password,email,phone) values("test1","test1","test1","test1@test.com","976543210");
insert into users(fullname,username,password,email,phone) values("test2","test2","test2","test2@test.com","9887987541");
insert into users(fullname,username,password,email,phone) values("test3","test3","test3","test3@test.com","9876987611");
insert into users(fullname,username,password,email,phone) values("test4","test4","test4","test4@test.com","9123459876");
insert into users(fullname,username,password,email,phone) values("test5","test5","test 5","test5@test.com","7893451230");

Set basic environment variables

  • Set the following environment variables:
    • DATABASE_HOST (e.g. localhost, 127.0.0.1, etc.)
    • DATABASE_NAME (e.g. vuln_node_app_db, or the DB name you chose in the DB script above)
    • DATABASE_USER (e.g. vulnnodeapp, or the user name you chose in the DB script above)
    • DATABASE_PASS (e.g. password, or the password you chose in the DB script above)

Start the server

  • Open the command prompt/terminal and navigate to the location of your repository
  • Run command: npm start
  • Access the application at http://localhost:3000

Vulnerabilities covered

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference (IDOR)
  • Command Injection
  • Arbitrary File Retrieval
  • Regular Expression Injection
  • XML External Entity (XXE) Injection
  • Node.js Deserialization
  • Security Misconfiguration
  • Insecure Session Management

TODO

  • Will add new vulnerabilities such as CORS, Template Injection, etc...
  • Improve application documentation

Issues

  • In case of bugs in the application, feel free to create an issue on GitHub.

Contribution

  • Feel free to create a pull request for any contribution.

You can reach me at @4auvar



Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user 

AWS Patches Critical 'FlowFixation' Bug in Airflow Service to Prevent Session Hijacking

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims' sessions and achieve remote code execution on underlying instances. The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user

VMware Alert: Uninstall EAP Now - Critical Flaw Puts Active Directory at Risk

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw. Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug. "A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying

Russian-Linked Hackers Target 80+ Organizations via Roundcube Flaws

Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations. These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of

Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data

Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data. Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65

Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws

Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems. The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!

The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the

Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager

A security flaw has been disclosed in Kyocera's Device Manager product that could be exploited by bad actors to carry out malicious activities on affected systems. "This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the 'Restrict NTLM: Outgoing NTLM

Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups

A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. "Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News. The flaw, tracked as CVE-2023-37580 (CVSS score:

Critical Flaws Discovered in Veeam ONE IT Monitoring Software – Patch Now

Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity. The list of vulnerabilities is as follows - CVE-2023-38547 (CVSS score: 9.9) - An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration

Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. Previously, it was using known

Researchers Detail 8 Vulnerabilities in Azure HDInsight Analytics Service

By: THN
More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the Microsoft Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities. "The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions,

Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks. "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access,

New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, which is available both as a free and pro

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All versions of Jenkins prior to 2.319.2 are

Unpatched Security Flaws Disclosed in Multiple Document Management Systems

Multiple unpatched security flaws have been disclosed in open source and freemium Document Management System (DMS) offerings from four vendors LogicalDOC, Mayan, ONLYOFFICE, and OpenKM. Cybersecurity firm Rapid7 said the eight vulnerabilities offer a mechanism through which "an attacker can convince a human operator to save a malicious document on the platform and, once the document is indexed

Toxssin - An XSS Exploitation Command-Line Interface And Payload Generator


toxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js).

This project started as (and still is) a research-based creative endeavor to explore the exploitability depth that an XSS vulnerability may introduce by using vanilla JavaScript, trusted certificates and cheap tricks.

Disclaimer: The project is quite fresh and has not been widely tested.

Capabilities

By default, toxssin intercepts:

  • cookies (if HttpOnly not present),
  • keystrokes,
  • paste events,
  • input change events,
  • file selections,
  • form submissions,
  • server responses,
  • table data (static as well as updates).

Most importantly, toxssin:

  • attempts to maintain XSS persistence while the user browses the website by intercepting http requests & responses and re-writing the document,
  • supports session management, meaning that you can use it to exploit reflected as well as stored XSS,
  • supports custom JS script execution against sessions,
  • automatically logs every session.

Installation & Usage

git clone https://github.com/t3l3machus/toxssin
cd ./toxssin
pip3 install -r requirements.txt

To start toxssin.py, you will need to supply ssl certificate and private key files.

If you don't own a domain with a trusted certificate, you can issue and use self-signed certificates with the following command (although this won't take you far):

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

It is strongly recommended to run toxssin with a trusted certificate (see How to get a Valid Certificate in this document). That said, you can start the toxssin server like this:

# python3 toxssin.py -u https://your.domain.com -c /your/certificate.pem -k /your/privkey.pem

Visit the project's wiki for additional information.

XSS Exploitation Obstacles

In my experience, there are 4 major obstacles when it comes to Cross-Site Scripting attacks attempting to include external JS scripts:

  1. the "Mixed Content" error, which can be resolved by serving the JavaScript payload via https (even with a self-signed certificate).
  2. the "NET::ERR_CERT_AUTHORITY_INVALID" error, which indicates that the server's certificate is untrusted / expired and can be bypassed by using a certificate issued by a trusted Authority.
  3. Cross-origin resource sharing (CORS), which is handled appropriately by the toxssin server.
  4. A Content-Security-Policy header with the script-src directive set to specific domain(s) only will block scripts with a cross-domain src from loading. Toxssin relies on the eval() function to deliver its poison, so if the website has a CSP and the unsafe-eval source expression is not specified in the script-src directive, the attack will most likely fail (I'm working on a second poison delivery method to work around this).

Note: The "Mixed Content" error can of course occur when the target website is hosted via http and the JavaScript payload via https. This limits the scope of toxssin to https-only websites, as (by default) toxssin is started with ssl only.
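
A defender-side check for the two conditions this text names, cookies readable without HttpOnly and a CSP script-src that still permits cross-domain scripts or eval(). This is an added example, not part of toxssin or its documentation; the function names and sample headers are constructed for illustration, and header names are assumed lowercased as Node's http module presents them.

```javascript
// Parse a Content-Security-Policy value into { directive: [sources] }.
// Everything is lowercased for keyword comparison only (nonces/hashes are
// case-sensitive and must not be reused from this structure).
function parseCsp(value) {
  const policy = Object.create(null);
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !(name in policy)) policy[name] = sources;
  }
  return policy;
}

// Return findings; an empty list means both defenses the text names are on.
function auditHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  const policy = csp ? parseCsp(csp) : {};
  // script-src falls back to default-src when absent.
  const src = policy['script-src'] || policy['default-src'];
  if (!src) {
    findings.push('no script-src/default-src: external scripts and eval() unrestricted');
  } else {
    if (src.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    const broad = src.filter((s) => ['*', 'https:', 'http:'].includes(s));
    if (broad.length) findings.push(`script-src allows any host via ${broad.join(' ')}`);
  }
  // Node exposes set-cookie as an array; accept a single string too.
  for (const cookie of [].concat(headers['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    if (!attrs.some((a) => a.toLowerCase() === 'httponly')) {
      findings.push(`cookie ${pair.split('=')[0]} lacks HttpOnly`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const weak = {
  'content-security-policy': "default-src 'self'; script-src 'self' https: 'unsafe-eval'",
  'set-cookie': ['sid=abc123; Path=/; Secure', 'theme=dark; HttpOnly'],
};
const hardened = {
  'content-security-policy': "default-src 'none'; script-src 'self'",
  'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
console.log(auditHeaders(weak));
console.log(auditHeaders(hardened));
```
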

How to get a Valid Certificate

First, you need to own a domain name. The fastest and most economical way to get one (to my knowledge) is via a cheap domain registrar service (e.g. https://www.namecheap.com/). Search for a random string domain name (e.g. "fvcm98duf") and check the less popular TLDs, like .xyz, as they will probably cost around $3 per year.

After you purchase a domain name, you can use certbot (Let's Encrypt) to get a trusted certificate in 5 minutes or less:

  1. Append an A record to your domain's DNS settings so that it points to your server IP,
  2. Follow certbot's official instructions.

Tip: Don't install and run certbot on your own, you might get unexpected errors. Stick with the instructions.

Changelog

2022-06-19 - Added the exec prompt command (you can now execute custom JS scripts against a session).
2022-06-23 - I added two simple, dirty scripts as templates for testing the exec prompt command. I also fixed the cmd prompt's backward history access and made some improvements.

Future

The idea is to make it sharper, more reliable and expand its capabilities. Currently, I'm working on improving file captures.


