My Interview experience with EY as Senior Penetration Tester

Its been 2 years and 8 months I was working as a Penetration tester looking after application security for the most part of my day. As it was an in-house work the job got boring as not much new and exciting was coming up, although it was well paying job and best part of it was laid back work culture, I decided to look for new a challenge. I wanted to get into a niche field in Penetration testing. Due to the advancements in framework oriented applications (built-in security) and tons of defensive products I feel few years down, traditional […]

How I was able to delete 13k+ Microsoft Translator projects

Introduction Sometime back I was hunting for Vulnerabilities in Microsoft Web services, as Microsoft has large online infrastructure, finding a vulnerability which could lead to Microsoft hall of fame for security researchers wasn’t difficult. While browsing around their online services, one of their services, Microsoft hub translator caught my attention. Microsoft hub translator is and I quote:  “Microsoft Translator Hub empowers businesses and communities to build, train, and deploy customized automatic language translation systems—-”.  I signed up and started looking for vulnerabilities and found critical level vulnerability through which I was able to delete All Microsoft hub translator 13000+ projects. As the vulnerability is fixed now, I’m sharing […]

second order sql injection

Second Order SQL Injection Explained with Example

Introduction Second Order Sql injection is an application vulnerability, it occurs when user submitted values are stored  in the database, and then it gets used by some other functionality in the application without escaping or filtering the data. Usually data from external sources (user supplied) is considered dangerous and is escaped/filtered. Developers trust the data coming from the database. This behaviour is similar to Stored Cross Site Scripting attack. Second Order Sql Injection requires more knowledge of how submitted values are later used in order to perform successful second order sql injection. Still confused? follow the example below:- Second Order […]

google Interview questions

My experience with Google interview for information security engineer

Couple of months back I saw a post on Linkedin about open roles for information security engineer at Google Zurich Switzerland office. I believe working for google (apart from perks they offer) is a privilege, you get to work with cutting edge technologies in a “comparatively stress free” environment (Check out Google’s offices you will know what I mean). Looking at the job responsibilities they seemed generic and short. Google keeps job responsibilities and required skills precise (Because of a reason explained later). This blog post is about my Google interview experience for information security engineer role. As you can guess, […]

encode shellcode to bypass antivirus

Fully undetectable backdooring PE file

Introduction During Penetration testing engagement you are required backdooring PE file with your own shellcode without increasing the size of the executable or altering its intended functionality and hopefully making it fully undetectable (FUD) how would you do it?. For example, after recon, you gather information that a lot number of employees use a certain “program/software”. The social engineering way to get in the victim’s network would be a phishing email to employees with a link to download “Updated version of that program”, which actually is the backdoored binary of the updated program. This post will cover how to  backdoor […]

Convert Hex To Assembly Using Simple Python Script

Convert Hex To Assembly Using Simple Python Script

How many lines of code it takes to convert Hex to Assembly? only FIVE Thanks to Python and Capstone!. During binary analysis, exploit development or reverse engineering you require a quick dissembling of hex shellcode to assembly. You could do that using a dissembler like Ollydbg or IDA Pro, if you don’t want to use a full fledged dissembler to perform this small task the following code will help to convert hex to assembly using simple python script. Firstly if you don’t already have capstone you need to install it using the following:- Debian based Download and install using the following […]

Questions to ask from client before penetration testing engagement

5 Questions to ask from client before penetration testing engagement

In software development they say “Clients don’t even know what they want, they just want it and want it now!” no wonder they keep showing them prototypes. The case is similar in Information security as well, they just want it “secure”.  When you go out to perform Penetration testing engagement, you must have a clear mind on what the client wants. What are the do’s and don’t. What matters them the most. Chances are that even if you performed technically good, they would still not be pleased. Maybe its the “first time getting their boxes penetrated” and they had different […]

Application Threat Modeling using DREAD and STRIDE

Introduction Application Threat Modeling using DREAD and STRIDE is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, classify, rate, compare and prioritize the security risks associated with an application. Application Threat modeling should be considered separate from Risk Assessment, although similar but Application Threat Modeling is more of a calculated approach. Inducing Application Threat Modeling into SDLC process has its advantages for the security of the entire project. Most importantly when performing security assessments following the threat modeling approach gives the reviewer a comprehensive overview of the Application. This […]

Linux Privilege Escalation using weak NFS permissions

Linux Privilege Escalation using weak NFS permissions

Recently during a penetration testing assessment I was able to get Linux Privilege Escalation using weak NFS permissions in “/etc/exports”. Initially I got a restricted shell access with limited permissions by exploiting a vulnerable service. Started to recon for privilege escalation to root access but couldn’t get the “usual suspects” (Kernel Exploits, vulnerable services etc). Having no further progress for linux privilege escalation I went back to my pre-limitied shell recon results, its important to mention that penetration testers when they get the initial shell access often don’t look back at recon results and start gathering only the internal information about […]

10 Methods to Bypass Cross Site Request Forgery (CSRF)

10 Methods to Bypass Cross Site Request Forgery (CSRF)

During web application security assessments, Cross Site Request Forgery is often an underrated vulnerability and often ignored, either due to the fact that it requires some sort of user interaction or lack of severity. Lack of severity part is debatable, it depends on which functionality the CSRF vulnerability exists, for example it would be severe if it exists on a password change functionality, an attack could send a crafted link to victim, victim clicks the link (Actual click is not required, one could use embedded HTML links in a page), attacker rides the victims session and password gets changed of […]