Let's say we have a user authenticated into an application such as the LayerBB forum package pictured below.  If the software is vulnerable to Cross Site Request Forgery (CSRF), we could trick the user into clicking a link that would perform some function in that application.  For example -- if the authenticated user is an administrator to LayerBB, we could direct the user to our page which would create a new user within that application.  

Prior to tricking our victim into clicking the link, we first need some information.  If we create a user within LayerBB:

Read more: Cross Site Request Forgery

I'm visiting a Linux users group tomorrow and part of their focus is the Raspberry Pi.  I've been working on my Pi recon device which I've called:  "consPire" but it's only half ready because I keep coming up with more ideas for what I want it to do.  Rather than bring a half baked project, I thought about other uses for the Pi.  One thing that came to mind, that's fairly simple to build, is a proxy server.  There are a number of uses for a proxy but at the very least, it's another layer between your browser and the Internet... so why not??

Scrounging around my desk, I found an extra MicroSD card and with balenaEtcher, I burned a Raspbian image to the card.  I used the lite version of Raspbian which lacks the GUI but it's a Pi and the GUI is S L O W.  Once the OS was installed and running, using raspi-config, I added SSH.  With SSH installed, I logged into the Pi and  I did everything else remotely.

Read more: Pi Proxy

I'm sure I've gone over various forms of Cross Site Scripting (XSS) in previous posts but sometimes I gloss over XSS because it's a vulnerability I discover along the way to a root.  But make no mistake, while XSS could seem benign, it is not.  The Browser Exploitation Framework (BeEF), while partially functional at this point, is still plenty dangerous and proof of that.  For this post though, I won't use BeEF because I've already done so in another post around here somewhere.  Today I will take a more manual approach -- exploiting an XSS vulnerability in LayerBB version 1.1.2

With a regular user account, we login to the forum:

Read more: Session Hijacking

First off, let me say that this was a very cool box.  The description says "easy / intermediate" but I really think that depends on your set of skills.  I could see how someone could get stuck at a certain point and I think if that's the case, I can point you to something else I've written which should help clarify what you're dealing with and how to get past the obstacle.  I don't want to spoil too much at this point so let's just start off like we normally do.

We kick off with an Nmap scan:

Read more: Vulnhub MinU: 1 Walkthrough

I can't remember when I first heard about this new Sandbox feature but when I did, I got excited.  There are a number of times when we all get a suspicious attachment and we're not quite sure if we want to open it or delete it.  If we all had a safe place to take a look, we would.  On the surface, the Sandbox feature sounded like that's what we would be getting with the 1903 update. 

I'll be honest, after seeing it, it should be called the "litter box" feature and you can use your imagination for my reasoning.  

1903 was released and I wasn't really paying attention because my computer updates frequently, reboots frequently, and I just assumed it was already present.  It wasn't but if you need to download it manually, here's the link:

Read more: Windows 10 Sandbox First Impressions

I'm playing around the other day and I find what looks to be a server which is vulnerable to Local File Inclusion (LFI).  I used to work for a company a long time ago and when something would break, I would declare:  "Bad code".  LFI is bad coding or perhaps I should say that it's a short sighted developer who doesn't anticipate the harm that can be caused by calling a file directly with something like:  http://example.com/index.php?file=SOMEFILENAME

Seems harmless enough until someone comes along and decides to change the url to:  http://example.com/index.php?file=/etc/passwd 

Now all of the sudden -- it doesn't seem all that harmless.  So that pretty much gets you up to speed and I assume that if you were searching for WAF Bypass, you already know this and probably more.  So as I said, I'm playing around and I discover:

Read more: WAF Bypass