kpwn

@kpwn@infosec.exchange

I'm a hacker and mainly post about web security.

By profession, I am a pentester and team leader https://infosec.exchange/@usdAG.

I like to explain and understand things and I am convinced that the two go hand in hand.
So my posts are mostly of an educational nature.

⎯⎯⎯⎯⎯⎯

Recent topics:
#CveCrowd, #Phishing, #CVSS, #PromptInjection, #OTP, #JavaScript, #HSTS, #BSCP


jerry, to random

Yes, I am now aware of the bsky bridge. No, I haven’t blocked them yet. Yes, I will take a closer look.

kpwn,

@jerry Eat
Sleep
Create a Mastodon Instance that blocks another one
Repeat

shellsharks, to random

The first 100 people to star this toot shall have their Mastodon handle forever enshrined on this page https://shellsharks.com/starsharks. A can't miss opportunity to be sure.

*Remember to star first before boosting to ensure you reserve your spot! 😆

kpwn,

@shellsharks Lucky me!

kpwn,

@shellsharks Noooo. Should have waited for 42 😭

kpwn, to random

I don’t understand how people can fall for phishing! All you have to do is check whether the domain is valid.

Like the following example obviously is phishing because…

Oh, it's the actual website of a German ministry?

🤦‍♂️

kpwn, to random

When I click unsubscribe in an email, I do NOT want to login to the service first to navigate to the settings and find the correct one. Just UNSUBSCRIBE me! 🙄

kpwn, to infosec

CVE Crowd Top 10: Rank 10 to 7

The year is coming to a close. Take a look back with me at which CVEs were the most popular on https://cvecrowd.com.

See information about CVEs and popular posts below 🧵

kpwn, to infosec

Huge update to https://cvecrowd.com - the place to go for current discussions about the latest CVEs.

I have now added the federated timeline of infosec.exchange as a data source.

This should find posts from non-Mastodon instances much more reliably than before!

Read more below 🧵

kpwn, to mastodon

Is there a way to distinguish a Mastodon instance from other fediverse servers via an API call?

GET /api/v1/instance e.g. contains version information but afaik not the information whether it's Mastodon, Firefish, etc.

I'd be grateful if you'd boost for reach ❤️

CwalkPinoy, to random

Anyone know enough about mastodon to find an instance on a specific topic?
I was just looking for accounts that post infosec news but my Google-fu has failed me

kpwn,

@keefer @CwalkPinoy @mttaggart @shellsharks @shortridge @tib3rius @riskybusiness @thegrugq @zackwhittaker I am honored to be named alongside the others 🥰🙏

GossiTheDog, to random

deleted_by_author

kpwn,

    @GossiTheDog Unlucky! My follower count in your screenshot is off by one 😂

    GossiTheDog, to random

    deleted_by_author

kpwn,

    @GossiTheDog Hey! I'm the developer :)

    If you have any questions, suggestions or bug reports, feel free to drop me a line.

    kpwn, to infosec

    CVE-2023-49103 is a vulnerability in ownCloud that exposes the PHP environment. In containerized deployments, this includes the ownCloud admin password, mail server credentials, and license key.

    Patch before your ownCloud instance becomes an ownedCloud instance :blobcatphoto:

    kpwn, to infosec

    The average user of https://cvecrowd.com sends about 9 HTTP requests to the web server.

    On November 2nd, TWO MILLION requests were sent from three IP addresses in two hours.

    The Anatomy of an Attack 🧵

    kpwn,

    I recently evaluated the access logs of my web server and noticed that one day's log file had a file size of 350MB.

    For comparison: The average file size is 2MB.

    Since this is an order of magnitude difference, I decided to investigate.

    kpwn,

    On the left is the number of HTTP requests per IP address in ascending order.

    On the right is the anonymized IP address.

    In total, more than 2 million requests were sent from the IP addresses starting with 2a02, 46 and 80.

    kpwn,

    Let's start with IP address 80.

    It was sending almost exclusively GET requests like the ones below.

    kpwn,

    I skimmed the list and noticed a request for /strona_8.

    Since this is not an English word and quite specific, I looked to see which word lists contained the string strona_8.

    As you can see, directory-list-lowercase-2.3-big.txt contains almost as many words as requests sent from IP address 80.

    kpwn,

    Let's continue with IP address 2a02.

    The first interesting thing I found was that the first 8 requests were sent with user agent Mozilla/5.0 (Ubuntu), while all other requests were sent with feroxbuster/2.10.0.

    Looks like the subject is using Ubuntu as OS and feroxbuster for content enumeration.

    kpwn,

    But then I remembered that feroxbuster does recursive scans by default. So the wordlist would be used multiple times.

    And indeed, 957953 is pretty close to a multiple of 119600, the size of raft-large-words.txt.

    My conclusion is that IP addresses 46 and 2a02 are the same host, but some requests were sent via IPv6 and some via IPv4.

    kpwn,

    Interestingly, the third IP address (46) also only uses feroxbuster during the same time window.

    If we add up the requests sent by IP addresses 2a02 and 46, we get a total of 957953 requests.

    Using the same technique as above, I identified some word lists containing certain words.

    However, none of their sizes matched the number of requests sent.

    kpwn,

    Excluding feroxbuster from the requests sent from IP addresses 46 and 2a02, there are still about 3000 requests left.

    My server's error log shows that invalid chunked bodies were sent.

    Looks like a test for request smuggling, which is quite common in Burp Suite.

    I also found requests containing the string oastify.com, which is Burp Suite's default collaborator server - a service for detecting SSRF.

    So I am pretty confident that a Burp scan was performed alongside the content enumeration.

    kpwn,

    I also found a bunch of requests with many query parameters.

    This is a way to find hidden query parameters that are processed by the web application.

    Since I know the subject is using Burp Suite, they may be using the Param Miner extension for this kind of enumeration.
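The log triage walked through in the thread above (requests per IP, pivoting on the user agent, matching request counts against wordlist sizes allowing for recursive passes, and flagging Collaborator callbacks and parameter-heavy requests) as one runnable script. This is an added example, not kpwn's own tooling, and it runs on constructed log lines rather than cvecrowd's real logs. The wordlist sizes are assumptions for the demo: 119600 for raft-large-words.txt is the figure quoted in the thread, the other size is made up.

```python
"""Triage a Combined Log Format access log for content-enumeration and
scanner activity. Added example; sample data and wordlist sizes are
constructed/assumed, see the comments."""
import re
from collections import Counter, defaultdict

# Combined Log Format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real cvecrowd traffic).
SAMPLE_LOG = """\
80.0.0.1 - - [02/Nov/2023:10:00:01 +0000] "GET /strona_8 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
80.0.0.1 - - [02/Nov/2023:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
2a02::1 - - [02/Nov/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Ubuntu)"
2a02::1 - - [02/Nov/2023:10:00:03 +0000] "GET /backup HTTP/1.1" 404 153 "-" "feroxbuster/2.10.0"
46.0.0.1 - - [02/Nov/2023:10:00:03 +0000] "GET /api HTTP/1.1" 404 153 "-" "feroxbuster/2.10.0"
46.0.0.1 - - [02/Nov/2023:10:00:04 +0000] "GET /?x=http://abc123.oastify.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
46.0.0.1 - - [02/Nov/2023:10:00:05 +0000] "GET /?a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9&j=10&k=11 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Nov/2023:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed line counts. 119600 is the raft-large-words.txt size quoted in
# the thread; the directory-list figure is a placeholder for the demo.
WORDLIST_SIZES = {
    "raft-large-words.txt": 119600,
    "directory-list-lowercase-2.3-big.txt": 1185240,
}


def parse_log(text):
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def requests_per_ip(entries):
    """Request volume per source IP, the first pivot used in the thread."""
    return Counter(e["ip"] for e in entries)


def user_agents_per_ip(entries):
    """User-agent histogram per IP (e.g. a few browser hits, then a tool UA)."""
    uas = defaultdict(Counter)
    for e in entries:
        uas[e["ip"]][e["ua"]] += 1
    return uas


def matching_wordlists(request_count, wordlists, tolerance=0.02, max_passes=20):
    """Return (wordlist, passes) pairs where request_count is within
    `tolerance` of passes * size. passes > 1 is consistent with recursive
    scanning, which feroxbuster does by default."""
    hits = []
    for name, size in wordlists.items():
        for passes in range(1, max_passes + 1):
            expected = passes * size
            if abs(request_count - expected) <= tolerance * expected:
                hits.append((name, passes))
                break
    return hits


def scanner_indicators(entries, param_threshold=10):
    """Per-IP set of indicators: tool user agents, Burp Collaborator
    (oastify.com) callbacks, and parameter-heavy requests as produced by
    parameter-mining extensions."""
    flags = defaultdict(set)
    for e in entries:
        ip, ua, path = e["ip"], e["ua"].lower(), e["path"]
        if "feroxbuster" in ua:
            flags[ip].add("feroxbuster")
        if "oastify.com" in path.lower():
            flags[ip].add("burp-collaborator")
        if "?" in path and len(path.split("?", 1)[1].split("&")) >= param_threshold:
            flags[ip].add("param-mining")
    return dict(flags)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    uas, flags = user_agents_per_ip(entries), scanner_indicators(entries)
    for ip, n in requests_per_ip(entries).most_common():
        print(f"{ip}: {n} requests, UAs={dict(uas[ip])}, flags={flags.get(ip, set())}")
    # The thread's figure: 957953 requests is close to 8 x 119600.
    print(matching_wordlists(957953, WORDLIST_SIZES))
```

Run it against a real log with `parse_log(open("access.log").read())`; the interesting output is an IP whose count matches a wordlist multiple and whose flag set is non-empty, which is exactly the pattern the thread identified by hand.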

    kpwn,

    In summary, the subjects were doing basic web application enumeration.

    cvecrowd is designed in a way that client-side interactions do not trigger any backend functions.

    This means that the only way to compromise the host via the website would be to exploit the web server itself.

    kpwn,

    Finally, I wanted to know how much load the requests produced on my server.

    As you can see, the CPU usage stayed pretty solid.

    I'm happy the server manages to withstand the load of content enumeration by individuals.

    kpwn,

    I hope you enjoyed this insight.

    🔔 Follow me for more web security content!

    🔁 Also, boost the first toot to spread the word!

    I've linked it again for you:
    https://infosec.exchange/@kpwn/111472151202452136
