海云安受邀出席第五期移动互联网App产品安全漏洞技术沙龙并发表主题演讲
近日,由中国软件评测中心、工业和信息化部移动互联网App产品安全漏洞专业库举办的“第五期移动互联网 App 产 […]
Aggregator
大模型在应用开发安全左移实践
4 months 2 weeks ago
大模型在应用开发安全左移实践 日期:2024年08月26日 阅:71 1.应用开发安
大模型在应用开发安全左移实践
4 months 2 weeks ago
1.应用开发安全左移势在必行 近年来,应用系统被入侵或敏感信息泄漏类的安全事件时有发生,大部分安全事件的根本原 […]
海云安
又一全新恶意软件曝光!专门针对Windows、Linux 和 macOS 用户
4 months 2 weeks ago
在 Windows 系统中,恶意软件通过 PowerShell 脚本发送,该脚本会执行一个名为 install.bat 的批处理文件。
客观看,有序防,拒绝漏洞PUA
4 months 2 weeks ago
这个夏天,注定不平凡。
01
老洞?新洞?
能被利用就是“漏”洞
首先,让我们看看最近哪些系统最受关注
近期热点漏洞分类统计
企业管理系统类“高居榜首”
果然得“集权”者得“天下”,
拥有大量管理权限和人员信息的资产
果然最受“青睐”,占比高达61%。
对这类系统,切记:
不要“暴露”!
不要“裸奔”!
不要把管理员账号
“刻在”您心爱的桌面上!
业务生产系统类“屈居第二”
最“要面子”的网络资产,
不接受反驳,占比高达21%。
对这类系统,我们要坚持:
该上的防护必须上!
该关的端口马上关!
别把后台推到前台,
别拿漏洞不当“干粮”!
安全产品类需要格外重视
安全资产首先要保证自身安全性。
对这类产品,一定要:
收紧管理入口
看好账户口令
能单独开辟一个管理区域
那就再好不过了~
物联网设备类需要提高警惕
最容易忽视但绝不容忽视的网络资产
攻防江湖当中的“后起之秀”
一句话:做好隔离,千万别浪🌊
排名榜首的企业管理系统类,
到底又涉及哪些系统呢?
让我们一起展开👀:
可以看到各类ERP和OA系统占比最多,
针对这类资产,
漏洞修复要及时,
防护策略提前做。
总结一句话:
守护供应链安全,两高一弱要不得!
02
遇到漏洞不要慌
先开策略再升级
漏洞的防护和扫描,
原理还不太一样。
不同的漏洞攻击,
只要提取到共性的手法特征,
一条规则就可以防护多种漏洞,
所谓一力降十会,万变不离其宗。
尤其是现在的防护产品,
既有规则匹配,又有算法检测,
还有风险模型。
检测手段多样,
能预先防御大部分漏洞攻击。
所以遇到漏洞不要慌张,
首先,确保防护策略完整覆盖,
然后,及时关注规则升级动态。
以RayWAF为例,
来感受下最近的规则更新动态:
可以看到,近期的热点漏洞当中,
70%利用通用规则即可实现检测防护,
其余30%可以采用更精细化的规则进行检测,
btw,我们的规则库已在第一时间更新同步~
03
RayWAF在手
0day防护就有
在漏洞攻击当中,0day漏洞通常会因为:
公开时间短、影响范围大、检测手段缺失、防护效果未知……令大家谈0day色变
其实,在实际的安全防护部署当中,
我们可以通过合理规划安全策略,
有序应对0day攻击。
仍以RayWAF为例,
让我们概括一些实用技巧:
(1)梳理防护资产,摸清家底
采用自学习加主动探测的方式梳理防护资产
一方面用于针对性指导安全策略的设定,
另一方面当高危漏洞爆发时,
可以快速评估风险影响范围,
合理制定应急方案。
(2)梳理安全策略,加固防护
业务的连续性与安全性需掌握好平衡点,
尤其要做好“战时”与“平时”的灵活调整。
实战化阶段,需要确保网络武器、后门攻击、
OA漏洞、S2漏洞等高风险防护规则已开启。
此外,针对关键业务资产及同等重要资产,
还可以建立自学习白名单模块
以实现更严格的防护。
(3)规则自动升级,及时补防
启用规则库在线升级功能
或安排专人跟进升级工作,
确保及时获取规则更新情况,
实现一点捕获、全网快速同步
的及时加固效果。
(4)自定义规则库,灵活响应
针对突发的高危漏洞,在规则尚未发布之前,
还可利用自定义检测规则快速补全防护能力,
为问题资产打好虚拟补丁,实现灵活响应。
(5)业务一键下线,快速止损
对于短时间较难确认的问题风险,
还可以通过一键下线功能,
来保护对应的业务资产。
在防护策略齐备之前,
先从逻辑上临时限制该业务的访问,
达到快速止损的效果,
待防护建立后再恢复上线。
赛程尚未过半,
仍需复盘再战。
盛邦安全
客观看,有序防,拒绝漏洞PUA
4 months 2 weeks ago
盛邦安全
基于邮箱的域名欺骗攻击(利用解析器绕过访问控制)
4 months 2 weeks ago
0x01 前言
每年blackhat总是会有一些新奇的攻击思路值得大家学习,在2024年blackhat的议题中发现一篇很有意思的文章,作者提出了一套基于邮箱的欺骗攻击思路,利用RFC标准中对SMTP协议中邮箱地址的特性,提供一系列绕过技巧,我们从中挑选一些实用性较高的思路分享。
0x02 邮箱欺骗
1)邮箱地址注释
在RFC2822规范中规定了邮件数据格式标准,其中3.2.3章节提到可以对消息头中的内容进行注释,邮件地址属于消息头的一部分,也支持注释,注释符是单括号。
在上面表格中的邮箱地址是属于添加了注释的邮件地址,本质上都是代表[email protected]。可以使用python的smtplib库复现了邮件发送过程中的注释功能,如下所示。
#发送邮件def send_mail(html,mails_to,title='xxxxxxx'): ret=True mails_to_old=mails_to mails_to=','.join(mails_to) try: my_sender='[email protected]' # 邮件内容 msg=MIMEText(html,'html','utf-8') # 括号里的对应发件人邮箱昵称、发件人邮箱账号 msg['From']=formataddr(["xxx",my_sender]) # 括号里的对应收件人邮箱昵称、收件人邮箱账号 msg['To'] =formataddr(["xxx",mails_to]) # 邮件的主题 msg['Subject']=title # 邮件服务器的SMTP地址 server=smtplib.SMTP_SSL("smtp.target.cn", 465) # 登录服务器,括号中对应的是发件人邮箱账号、邮箱密码 server.login(my_sender, 'yourpassword') # 发送邮件,括号中对应的是发件人邮箱账号、收件人邮箱账号、发送邮件 server.sendmail(my_sender,mails_to_old,msg.as_string()) # 关闭连接 server.quit() # 如果 try 中的语句没有执行,则会执行下面的 ret=False except Exception as e: print('发送邮件错误',e) ret=False return ret
if __name__ == '__main__': send_mail("xxxxxxx", ["zhangsan@([email protected])webray.com.cn"])
那么这样的邮件欺骗的攻击行为有什么用处呢?
恶意邮箱注册(低危)
攻击者只有一个邮件收件箱,但是通过引入不同的注释符在同一个网站注册多个账号。
认证与鉴权绕过(高危)
有的网站只允许特定域名进行注册(或者通过用户注册邮箱提取其域名信息),如果对域名数据的获取逻辑存在问题,则可能导致获取到的域名是属于注释中的域名,导致认证与鉴权绕过漏洞。
2)邮箱地址编码
在RFC2047规范中规定了邮件传输协议中邮件头的标准,规范中介绍可以使用多种不同的编码方式对邮件头的值进行编码。如下图所示。
其中=?代表编码开始的位置,utf-8代表后续的字符集类型(其它支持的类型包括utf-8、iso-8859-1等),q代表编码方式的简称(其中q代表Q-Encoding,是一种hex编码方式;b代表Base64-Encoding,是base64编码),?=代表编码结束的位置。
通过对邮件地址进行编码提供了另一种邮件地址表示方式,可以使用github的邮箱验证功能来复现这一特性。在github的settings->emails模块中,添加邮箱地址的base64编码后的值,可以在自己的邮箱正常收到github的邮件。
单纯通过对邮箱地址的用户名字段进行编码似乎并不足以产生较大的危害,其灵活性似乎还没有上面邮箱注释的方式高。而且在更多场景下,网站获取邮箱域名是直接获取的邮箱地址的末尾的域名。例如用户输入的邮箱地址是[email protected],网站会获取最后的webray.com.cn来进行校验,判断输入邮箱是否属于允许注册的域名,这样的验证无法通过上面两种方式来绕过。
为了应对上面这种场景,作者提出了一种%00截断的方式,通过邮箱编码结合%00截断可以在输入的邮箱地址末尾添加任意字符。如下图所示。
其中最关键的是在后面添加了=3e(代表右尖括号>)和%00用于截断后面的内容。其中%00可以截断后面的内容应该是属于C语言在字符遍历时的特性,这个很容易理解。前面的右尖括号是什么作用呢?这是因为在SMTP协议头中真实的目的邮箱地址是下面的方式通过左右尖括号的方式来包裹的。
在作者给出的案例中,通过这样的方式可以在github上面认证任意后缀的邮箱地址,如下图所示。
那么这样的欺骗攻击有什么用处呢?
用于欺骗钓鱼攻击(低危)
在业务系统中伪造目标内部邮箱域名后缀,增加钓鱼成功率。
绕过特定域名邮箱注册限制(高危)
有的重要系统限制了必须是特定域名的邮箱才能注册,通过这样的方式可以绕过系统注册限制。在原文中作者提到有的自建gitlab服务器会限制只允许特定域名后缀的邮箱注册,通过这种方式可以绕过限制,这也应该算是邮箱欺骗攻击的典型应用场景了。
使用github管理员权限登陆,在管理配置中配置允许注册的后缀域名。
配置之后就使用其它域名后缀的邮箱注册,则会返回禁止注册的错误。
这个时候可以通过[email protected]对gitlab邮件限制进行欺骗,绕过域名注册限制。
0x03 实网体验
基于邮件地址的域名欺骗攻击是一种新型的攻击思路,在特定场景下能产生重要的作用,但是经过笔者实际测试效果似乎并没有那么好:
大多数网站对邮件地址有格式校验,不允许在邮件地址中存在特殊字符。
我们测试了python的smtplib、php的phpmailer、java的javax.mail.jar三种语言的常见SMTP发邮件的方式,从测试结果上来看三种方式原生均不支持通过编码的方式来定义收件箱地址。原文中也并没有明确当前主流邮件服务器对编码邮件地址的支持情况。
github仅有老版本受域名欺骗攻击影响,在最新的gitlab上面进行测试,是不允许对邮箱地址进行编码的。使用编码的域名会返回邮件地址错误。
也欢迎大家在实际具体业务中多做尝试,肯定能发现其它利用的思路。
0x04 参考链接
盛邦安全
基于邮箱的域名欺骗攻击(利用解析器绕过访问控制)
4 months 2 weeks ago
盛邦安全
国内无线充电新规将在9月1日起施行 Qi2/MagSafe等无线充电设备将被停产
4 months 2 weeks ago
Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry
4 months 2 weeks ago
Vivek Ramachandran, Founder & CEO of SquareX, at DEF CON Main Stage.
At DEF CON 32 this year, SquareX presented compelling research that revealed the shortcomings of Secure Web Gateways (SWG) in protecting the browser and demonstrated 30+ foolproof methods to bypass them. Anybody can test these bypasses against their SWG at https://browser.security/
This research has a huge impact on all SWG vendors and enterprises relying on them to secure their employees.
The talk garnered a strong response from the audience and received widespread attention on social media and in various media outlets. Numerous journalists have covered the findings, highlighting the unfixable flaws of Secure Web Gateways and sparking discussions about the efficacy of SWGs against modern web threats that enterprises are facing today.
https://medium.com/media/7c9925fcd33d9c908217928aecf2ce24/hrefhttps://medium.com/media/e9bc04d8f305c64e4b3ef891b8844c00/hrefhttps://medium.com/media/34722dfdddbab16f9f29578d3837ab3f/hrefhttps://medium.com/media/cca1255f72e4380382117e231cb2e4ed/href
- Matthew Douglas on LinkedIn: DEF CON 32: the unfixable bug that allows malware to be deployed via a...
- MarTech Cube on LinkedIn: SquareX presents at DEF CON 32, Releases Enterprise Testing Framework
There's more than 25 ways to bypass a Secure Web Gateway
CyberNews SC Media Cyber Defense MagazinePublisher's Spotlight: SquareX
Decrypted TechAre Modern Web Browsers a Blind Spot on the Threat Landscape? We talked to SquareX About It.
IT Security WireSquarex Releases New Website For Testing SWG Products
CIO Influence News Planet IndiaSquareX Exposes SWG Flaws at DEF CON 32, Calls for Change
Yahoo! Finance Cybersecurity NewsLast Mile Reassembly Attacks Bypass Leading Secure Web Gateways
Global Security MagazineSquareX Last Mile Reassembly Attack Vector - Global Security Mag Online
GTT Korea SG Business NewsSquareX Discovers New Cybersecurity Attacks Leaving Most Enterprises Vulnerable
BestGamingProDEF CON: Major Flaws Found in Supposedly 'Secure' Web Gateways
Cypherlock Daily UK News DSL Reports BU CertSecure Web Gateways are anything but as infosec hounds spot dozens of bypasses
i3 InvestorSecure Web Gateways are anything but as infosec hounds spot dozens of bypasses
Benzinga Hindustan Times US World Today World News Network AP News Advanced Financial Network Thailand Business News Morningstar Asia One Menafn StreetInsider Voice of ASEAN Ohsem News Wire OnlineSquareX Exposes Failures of Secure Web Gateways at DEF CON 32
Ani News LokmatTimes The Print Indian Economic Observer CFOtech Asia— Technology news for CFOs & financial decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
eCommerceNews Asia— Technology news for digital commerce decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
IT Brief Asia—Technology news for CIOs & IT decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
SecurityBrief Asia— Technology news for CISOs & cybersecurity decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
IT Brief Asia— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief Asia— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife Australia— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief Australia— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief Australia— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife New Zealand— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief New Zealand— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief New Zealand— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife UK— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief UK— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief UK— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife India— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief India— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief India— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry appeared first on Security Boulevard.
Engineering @ SquareX
Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry
4 months 2 weeks ago
Vivek Ramachandran, Founder & CEO of SquareX, at DEF CON Main Stage.At DEF CON 32 this year, Squar
CVE-2015-7252 | ZTE ZXHN H108N R1A prior ZTE.bhs.ZXHNH108NR1A.k_PE cgi-bin/webproc errorpage cross site scripting (EDB-38773 / BID-77421)
4 months 2 weeks ago
A vulnerability, which was classified as problematic, has been found in ZTE ZXHN H108N R1A. Affected by this issue is some unknown functionality of the file cgi-bin/webproc. The manipulation of the argument errorpage leads to cross site scripting.
This vulnerability is handled as CVE-2015-7252. The attack may be launched remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com
お知らせ:制御システムセキュリティカンファレンス2025講演募集(Call for Presentation)
4 months 2 weeks ago
ISC Stormcast For Monday, August 26th, 2024 https://isc.sans.edu/podcastdetail/9112, (Mon, Aug 26th)
4 months 2 weeks ago
French Police Arrest Telegram CEO and Owner
4 months 2 weeks ago
Pavel Durov Reportedly Detained For Complicity Over Criminal Use
French media reported Saturday the detention outside Paris of Pavel Durov, CEO and owner of social media network Telegram, reportedly for failing to take steps to curb criminal activity on the platform. The Russian Embassy in France said it has demanded an explanation from the French government.
French media reported Saturday the detention outside Paris of Pavel Durov, CEO and owner of social media network Telegram, reportedly for failing to take steps to curb criminal activity on the platform. The Russian Embassy in France said it has demanded an explanation from the French government.
ADSpider: monitor Active Directory changes in real time
4 months 2 weeks ago
ADSpider Tool for monitoring Active Directory changes in real-time without getting all objects. Instead, it uses replication metadata and Update Sequence Number (USN) to filter the current properties of objects. How to use git...
The post ADSpider: monitor Active Directory changes in real time appeared first on Penetration Testing Tools.
ddos
创始人被捕后Telegram称遵守欧盟法律 但平台和所有者不应对滥用行为负责
4 months 2 weeks ago
CVE-2024-8152 | SourceCodester QR Code Bookmark System 1.0 Parameter add-bookmark.php name/url cross site scripting
4 months 2 weeks ago
A vulnerability was found in SourceCodester QR Code Bookmark System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /endpoint/add-bookmark.php of the component Parameter Handler. The manipulation of the argument name/url leads to cross site scripting.
This vulnerability was named CVE-2024-8152. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2024-8153 | SourceCodester QR Code Bookmark System 1.0 delete-bookmark.php bookmark cross site scripting
4 months 2 weeks ago
A vulnerability was found in SourceCodester QR Code Bookmark System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /endpoint/delete-bookmark.php. The manipulation of the argument bookmark leads to cross site scripting.
The identification of this vulnerability is CVE-2024-8153. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2024-8154 | SourceCodester QR Code Bookmark System 1.0 Parameter update-bookmark.php tbl_bookmark_id/name/url cross site scripting
4 months 2 weeks ago
A vulnerability classified as problematic has been found in SourceCodester QR Code Bookmark System 1.0. Affected is an unknown function of the file /endpoint/update-bookmark.php of the component Parameter Handler. The manipulation of the argument tbl_bookmark_id/name/url leads to cross site scripting.
This vulnerability is traded as CVE-2024-8154. It is possible to launch the attack remotely. Furthermore, there is an exploit available.
vuldb.com