Preventing Username Enumeration
Published: 01 December 2022 Last Updated: 23 December 2022
First of all, what is username enumeration? It is when a web application has a feature that allows a user to supply a username and the application will disclose (not necessarily intentionally) if the username is valid or not. This is closely related to Username Disclosure, except in the latter the application is including valid usernames in server responses in some way, which allows an attacker to determine a username is valid without having to specify it first themselves. Both of these are an issue and both should be addressed.
HTTP Security Headers: X-Frame-Options
Published: 21 February 2022 Last Updated: 03 November 2022
The X-Frame-Options header can be used to specify whether a web browser should be allowed to render the target page in a frame (such as a frame, iframe, embed, or an object tag). This can be used to prevent attacks such as ClickJacking.
HTTP Security Headers: Cache-Control
Published: 21 February 2022 Last Updated: 03 November 2022
The Cache-Control HTTP server response header specifies whether the server response can be cached by the web browser and any interim devices such as web proxies. Generally, if the content of the page includes confidential information, then it should not be cached: if confidential information is cached on a user's device, and that device is public or shared with other users, then the information may be compromised by another user with access to the device.
[Webinar] Your Security Awareness Training Sucks
Published: 13 December 2021 Last Updated: 03 November 2022
Akimbo hosted a Webinar to cover hints and tips about running more effective Security Awareness Training. We're sharing the recording for those that couldn't make it on the day!
Strong Passwords: The Problem with Rotation
Published: 10 June 2021 Last Updated: 09 November 2022
Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that enforcing password rotation is linked to an increased risk of weak passwords, due to users selecting passwords based on patterns - such as Password1, Password2, Password3, or patterns such as Summer2021, Autumn2021, Winter2021.
Strong Passwords: The Problem with Complexity
Published: 07 June 2021 Last Updated: 04 November 2022
Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords, organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the four: uppercase, lowercase, numbers, and symbols. However, it is still possible to select weak passwords with complexity enabled, such as Welcome!, Summer2020, or Password123456.
Implementing Sub-resource Integrity
Published: 31 May 2021 Last Updated: 03 November 2022
Hosting web application content such as dynamic scripts and stylesheets on third parties such as Content Delivery Networks (CDNs) can allow for significant improvements to site performance and can reduce bandwidth costs. However, scripts included within a web application will execute within the user's browser with the same privileges as the currently logged in user. Therefore if a script is included from an external domain, that domain is trusted with the confidentiality and integrity of data stored within the application.
Implementing Certification Authority Authorization (CAA)
Published: 14 April 2021 Last Updated: 03 November 2022
Certification Authority Authorization (CAA) is used to specify which Certificate Authorities may issue certificates for the domain. Whilst lack of CAA does not constitute a vulnerability itself, it may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, it can be used to notify the application owner when a mis-issue is detected and prevented through CAA.
Securing Wi-Fi Networks
Published: 23 January 2021 Last Updated: 03 November 2022
We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).
In this article we'll look at hardening Enterprise wireless networks from these attacks.
The most secure option is to utilise mutual authentication (where both the server and the client authenticate to each other) using digital certificate based authentication, such as offered by EAP-TLS. However, there can be more administrative overhead involved in the deployment of these networks and therefore PEAP may offer a balance of security and overhead.
To be clear, we recommend the use of EAP-TLS wherever possible - but if you must use PEAP, we offer the following hardening steps:
Preventing Windows Accounts Being Bruteforced
Published: 23 January 2021 Last Updated: 04 November 2022
In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post, we'll cover some steps to harden these accounts.
The Observation Window
When configuring an account lockout threshold on a Domain, another setting is suggested: the observation window. This setting effectively reduces the protection of the account lockout by setting a timer. For example, a lockout threshold of 5 and an observation window of 30 minutes means that if an attacker attempts 5 incorrect passwords within 30 minutes the account will lock - but four passwords would not cause it to lock.
Therefore, an attacker could attempt 4 passwords every 30 minutes - or 192 per account per day, without locking any accounts.
Strong Passwords: Three Random Words
Published: 23 January 2021 Last Updated: 04 November 2022
When performing security tests, we very often come across weak passwords. We often see dictionary words with suffixes such as Welcome1, Password123, or Lockdown2020. We also see "leet" substitutions, such as P@55w0rd, 3l3ph@nt, or L0ckd0wn. We've previously shown how quickly password cracking can be performed. Passwords like those above would be cracked easily. Simple protections such as "Password complexity" don't solve the problem on their own. For example, complexity enforces the requirement for three of the following: uppercase, lowercase, numbers, and symbols - which all of the weak options above meet.
Fixing SQL Injection
Published: 22 January 2021 Last Updated: 03 November 2022
SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query. We showed how easy it can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.
However, in this post, we’re looking at fixing it. The fix is quite a simple code change. As the issue described is user input insecurely concatenated into a query, the remediation for SQL injection is fairly simple: don’t build queries through string concatenation. Instead, it’s more secure to use “Prepared Statements”, often called “Parameterized Queries”. All modern languages support this type of query either directly or through a framework; here we will supply a PHP example to show the difference.
Fixing LLMNR and NetBIOS-NS Spoofing
Published: 21 January 2021 Last Updated: 03 November 2022
In our article LLMNR and NetBIOS-NS Spoofing with Responder we stepped you through how to exploit a very common issue on Windows networks. In this one, we’re going to cover how to fix it.
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.
Fixing Cross-site Scripting (XSS)
Published: 25 October 2020 Last Updated: 03 November 2022
This issue comes about where user supplied input is included within server responses without filtration or encoding.
One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist) which will allow only known good content. For example, if your expected input is an integer and the user supplies anything other than an integer you can simply reject that input – and perhaps supply a message to inform the user what the issue is, without including the original payload.
Fixing DOM-Based XSS
Published: 25 October 2020 Last Updated: 03 November 2022
Whilst Reflected and Stored XSS can generally be addressed through server-side user input encoding (such as through the PHP htmlentities() function) or with browser protections such as Content-Security-Policy – this is not sufficient for DOM-XSS.
Where a dangerous function is used, user input into that function should be limited through user input filtering. An allow-list approach of restricting user input to only known-good input should be used. For example, limiting input to the smallest number of characters possible (such as alphanumerics only) and checking the expected data type (such as limiting input to integers only). This is in contrast to a block-list of known-bad inputs being blocked, which is often less effective due to the large degree of flexibility that JavaScript allows. For a good example of this flexibility, consider something like JScrewIt.
HTTP Security Headers: Content-Security-Policy
Published: 19 October 2020 Last Updated: 03 November 2022
Content Security Policy (CSP) allows the application to restrict the location of resources to an allow-list of preapproved locations, including where scripts can be loaded from and when the application may be framed. This can therefore mitigate reflected and stored cross-site scripting attacks as well as issues such as Clickjacking.