Category Archives: Blog

Breaking Crypto – Padding Oracle Attacks

Overview This post presents a lab-based demonstration of a padding oracle attack targeting AES-CBC with PKCS#7 padding. The aim is to illustrate how an oracle that reveals padding errors can be leveraged to decrypt ciphertext—and even encrypt arbitrary plaintext—within a controlled environment, using publicly available tooling.https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC) A “Padding Oracle” tells you whether or not the…

Breaking Crypto – Known Plaintext Attack on ECB – Abuse Password Reset for Account Takeover

OverviewThis write-up demonstrates a known-plaintext attack against AES-ECB within a controlled lab environment. It showcases how predictable password reset codes in ECB mode can be exploited to forge valid tokens and hijack accounts. The key objective of this lab is to highlight how misuse of ECB mode in sensitive operations—like password resets—can lead to account…

XXE in File Upload via Metadata

OverviewThis post demonstrates an XML External Entity (XXE) injection in a lab environment through a .docx file upload. The purpose of this exercise is to show how XML metadata parsing can be abused if secure parser configurations are not applied. ObservationsWhen uploading a .docx resume, the application returned the “Test Title” field from docProps/core.xml. This…

Mass Assignment – Understanding Web Security

Mass Assignment Mass Assignment is a vulnerability that occurs when the web application defines variables from user input, even if those variables weren’t expected to be provided. First, I want to give a huge shout out to https://NotSoSecure.com for the excellent training they provide at Black Hat events. It is 100% worth the money if…

Evading FireEye EX Email Filtering with the Dirty Screen Attack

Timeline Reported to FireEye on May 7th FireEye confirmed receipt of the vulnerability disclosure and stated that it was already a known issue being prioritized for a future release FireEye EX releases update to remediate this issue on August 13th Inspect What You Expect Organizations spend heavily on security tool suites designed to detect, block,…

Using CA Process Automation to Get Command Execution as SYSTEM

On internal penetration tests, it is common to get a foothold using man-in-the-middle techniques such as Link-Local Multicast Name Resolution (LLMNR) or WPAD. On a recent engagement, we encountered an added challenge because NetBios over TCP was disabled and WPAD was configured correctly. At this point, it is typical to begin hunting for systems with…