Should a Tier 0 WSUS be put in a silo or not?

    The question was: should I put my WSUS server into my T0 silo? Even if people are familiar with the concepts of Active Directory Tiering, ...
    Read more ...

    How to mimic Kerberos protocol transition using reflective RBCD

    As I am often looking for misconfigurations dealing with Kerberos delegation, I realized that I was missing an interesting element while playing with the Kerberos protocol extensions S4U2Self and S4U2Proxy.
    Read more ...

    What solutions to prevent git leaks?

    Hello,

    I will do a quick and dirty post about what’s out there to find / prevent leaks of secrets in your git repositories.
    I did not try all of these tools. For the search part, I'm mainly using a fork of Trufflehog with some added features (search in filenames and commit comments, also with custom regexes).

    Objectives:

    • Look into the commit history for sensitive information publicly accessible by an attacker;
    • Prevent secret leaks;
    • Monitor and integrate these checks into the Continuous Delivery process (aka DevSecOps).
    Read more ...

    Gathering some information from web exposed GIT repositories

    Hello folks,

    Last week, while I was doing recon on some websites, I noticed that we can still find some versioning repositories in production. I found some classic .git directories exposed, and to a lesser extent some .svn directories. I decided to gather a bunch of websites from the Alexa Top list in order to look at the proportion of exposed .git directories; with 112332 domains scanned (mixed TLDs), I found 453 exposed .git directories, which is only 0.4%. Not bad.

    How to scan for web exposed git directories:
    nmap --open -Pn -n -p80,81,82,8000,8080,443,8443,9443 --script http-git -oA http-git -iL domains.lst

    Read more ...

    Play with permissive CORS

    Hello folks,

    While I was playing with a ‘code search engine’ tool called publicwww, I decided to gather some top Alexa domains and to look for some permissive CORS. I tried the following searches: site:fr "type=\"password\"", and the same for the TLDs .org and .com, in order to spot webpages with a login form, meaning authenticated users.

    Read more ...

    A fun case of XSS and other web concepts

    Hello folks,

    I would like to share with you a practical case of reflected XSS that I came across while I was looking at my national health service account. The XSS has since been patched (we have an efficient dedicated national service where we can report such issues).

    Read more ...

    Fingerprinting Web Application static files

    Hello folks,

    Today I would like to share with you the first version of a script I wrote to help determine the version of a piece of software.

    So what the hell am I talking about?

    OK, let me explain the context: you are looking at a website and trying to get the exact version of the underlying CMS, let's say Drupal. We know that Drupal suffered from Drupalgeddon for 7.x versions before 7.32. So you can have a look at some obvious files (CHANGELOG.txt), but what happens if the webmaster deleted these files? How do you maximize the chance of finding the right version, or at least the smallest possible delta?

    Read more ...