Open source recon tool automates some of the more time-consuming pen testing tasks

James Walker 11 August 2022 at 15:35 UTC

Open source recon tool automates some of the more time-consuming pen testing tasks

Black Hat USA attendees were given a firsthand look at the new and improved ReNgine, which includes several new features for penetration testers and red teamers.

ReNgine is a highly customizable open source reconnaissance framework that works with other utilities to scan domains, list endpoints, and search directories.

Security professionals can use the tool to create a pipeline that pulls together more complex queries from scan engines and present the results in a single window.

**BACKGROUND** ReNgine: Open source recon tool automates intel-gathering process for pen testers

With 4,500 stars on GitHub, ReNgine has continued to grow in popularity over recent months – thanks in no small part to the steady addition of new features to assist pen testers with their daily tasks.

The tool’s developer is Yogesh Ojha, a security pro working on web and mobile applications. His goal is to automate some of the more time-consuming research operations, as well as bringing open source hacking tools together.

“There are several open source recon tools in the market,” Ojha told _The Daily Swig_. “What sets ReNgine apart from the other tools is the easy-to-use web interface, ability to customize the scan engines according to the targets, the UI/UX, and easy integration on VPS with minimal setup.”

**New features**

Launched in time for Black Hat USA, and showcased during the Arsenal sessions on Wednesday (August 10), ReNgine version 1.3.0 includes several new features.

First up is a unique subscan feature that allows users to scan any target subdomains further.

“Once subdomain scanning is done, you can choose one or multiple subdomains and send for further port scans, vulnerability scans, or any scans available,” Ojha explained.

“The added benefit of the subscan feature is that, for larger targets like google.com you need not wait for the entire scan to complete. One can simply perform a subdomain scan and perform further sub scans on those subdomains.”

Read about more of the latest hacking tools

ReNgine 1.3.0 also comes bundled with a highly customizable PDF report feature, which allows users to choose the type, look, and feel of the report.

Meanwhile, a new toolbox feature for ReNgine allows pen testers to integrate tools like WHOIS lookup and WAF Detector without the need to add a URL/domain as targets. More toolboxes are on the way.

Among the various UI/UX improvements in ReNgine 1.1, column filtering “was one of the most asked for features”, Ojha said.

“Column filtering allows users to focus on what’s important in the subdomains, endpoints, and vulnerability result table section. This allows users to hide and unhide certain columns.”

Ojha added: “In a nutshell, the newer upgrade of ReNgine makes it more than just a recon tool. The latest update aims to fix the gap in the traditional recon tools and probably a much better alternative for some of the commercial recon and vulnerability assessment tools.

**YOU MIGHT ALSO LIKE** Latest web hacking tools – Q3 2022

ReNgine upgrade: New subscan feature, PDF reports, expanded toolbox showcased at Black Hat USA

AWSGoat and AzureGoat tools showcased in Las Vegas this week

AWSGoat and AzureGoat tools showcased in Las Vegas this week

Security pros from INE enjoyed a double billing at Black Hat USA yesterday (August 10) as they showcased penetration testing tools AWSGoat and AzureGoat.

Amazon Web Services (AWS) and Microsoft Azure are two of the biggest names in cloud infrastructure, along with Google Cloud Platform (GCP).

With the cloud still a relatively new phenomenon, many developers are not fully aware of the threat landscape and can inadvertently deploy vulnerable cloud infrastructure.

Sometimes a simple misconfiguration or web app vulnerability is all an attacker needs to completely compromise an organization’s environment.

**Preemptive attacks**

Showcased during the Black Hat Arsenal sessions in Las Vegas this week, AWSGoat and AzureGoat are aimed at providing security enthusiasts and pen testers with an easy-to-deploy vulnerable infrastructure.

Here, they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS or Azure account.

The vulnerable-by-design infrastructure showcases the dangers of the OWASP Top 10 web application security threats.

AWSGoat also features misconfigurations based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS.

**Read more of the latest news from Black Hat USA**

While the developers of AWSGoat said there were “numerous tools and vulnerable applications” available for AWS, this is not the case with Azure.

“AzureGoat is our attempt to shorten the gap,” the team from IT and security training firm INE said. “There are far fewer options available to the community.”

The user will be able to deploy AzureGoat on their Azure account using a pre-created Docker image and scripts. Once deployed, the AzureGoat can be used for target practice and be conveniently deleted later.

All the code and deployment scripts for both AWSGoat and AzureGoat have been made open source.

**RECOMMENDED** #BHUSA: Former CISA director Chris Krebs warns clouds of cyberwar are circling Taiwan

Black Hat USA: Deliberately vulnerable AWS, Azure cloud infrastructure is a pen tester’s playground

Open source utility exposes payloads without running vulnerable Java code

Open source utility exposes payloads without running vulnerable Java code

A Log4Shell de-obfuscation tool that promises simple, rapid payload analysis without the risk of “critical side effects” has been showcased at Black Hat USA.

The open source ‘Ox4Shell’ utility was demonstrated on the Arsenal track in Las Vegas yesterday (August 10) by Daniel Abeles and Ron Vider of AppSec testing platform Oxeye.

**‘True intent’**

Abeles believes the tool offers a potent combination of benefits lacking among other de-obfuscators of the critical vulnerability in Apache Log4j, the Java logging utility so widely distributed that the ‘Log4Shell’ flaw (CVE-2021-44228) affects hundreds of millions of devices.

“I worked on a web application firewall \[WAF\] myself for several years, so I can personally relate to the struggle of understanding the true intent of obfuscated payloads and the challenge it poses to security teams,” he told The Daily Swig said in advance of his presentation.

RELATED ‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns

The researchers couldn’t find any other tools that were as easy to use as Ox4Shell – a simple Python script – but didn’t require the user to run any vulnerable code in the process.

“We emulated most of the transformations a parallel Java code would do, without the risk of running vulnerable Java code,” Abeles said. “This is especially important when integrating such tools in a production pipeline (e.g. WAF rules), to ensure no critical side effects.”

**Maximizing accuracy**

With obfuscated payloads “intimidating for most security engineers” and “time-consuming and tedious” for even the most experienced, Oxeye set out “to provide the security community a lean, simple way to de-obfuscate Log4Shell payloads.”

Abeles said the needs of AppSec engineers informed the tool’s specification, while the scarcity “of public obfuscated payloads to test Ox4Shell against” prompted them to “team up with several application security teams to gather a wide variety of payloads, so we can ensure minimum false negatives and false positives rate”.

Catch up on the latest Log4Shell news and analysis

This process culminated with Ox4Shell’s release in January 2022, a month after Log4Shell surfaced.

The tool counters threat actors’ attempts to circumvent WAF rules and complicate exploit analysis, by decoding obfuscated payloads, including base64 commands, “into an intuitive and readable form” – thus revealing their “true functionality” and “dramatically” reducing security teams’ analysis time.

**Mock data**

Oxeye says Ox4Shell enables defenders to comply with lookup functions that attackers can abuse via Log4Shell to identify targeted machines by feeding them mock data that they can control.

A mock.json file is used to insert common values into lookup functions. “For example, if the payload contains the value , we can replace it with a custom mock value,” reads the Ox4Shell GitHub page.

This ‘lookup mocking’ means users can “replace certain data lookups with mocked data, so the final result would look more realistic and well suited to the specific organization using it”, Abeles told The Daily Swig.

A recent US government report warned that vulnerable Log4j instances could persist for “a decade or longer”. With Ox4Shell set to remain useful for some time to come, Oxeye is planning to expand the tool’s capabilities to mock even more lookup functions based on community feedback.

TBC article TBC

Black Hat USA: Log4j de-obfuscator Ox4Shell ‘dramatically’ reduces analysis time

Attack on Taiwan seemingly a case of ‘when’ not ‘if’ Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), says the infosec industry is “bearish in the sh

Attack on Taiwan seemingly a case of ‘when’ not ‘if’

Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), says the infosec industry is “bearish in the short term, bullish in the long term” on the prospects for US national cyber-resilience.

The ex-director, now a founding partner of Krebs Stamos Group, told an audience at Black Hat USA that a likely Chinese attack on Taiwan meant organizations had to act now on making their digital infrastructure and supply chain resilient during the opening day of the annual conference, this year held both physically and virtually.

Krebs addressed attendees on the conference’s 25th edition as the opening keynote speaker.

**Taiwan in dire straits**

Earlier, Black Hat founder Jeff Moss introduced the talk by reflecting on how Russia’s invasion of Ukraine had awakened the infosec community to its power to help the government defend human rights and tackle “mis, dis, and mal information”.

Krebs, who served under President Donald Trump, said organizations, too, had an obligation to have principles and red lines in place before further geopolitical conflagrations erupted – for both ethical and self-interested motives.

Catch up with the latest cyber warfare news

US officials had indeed told him that they were "pretty confident" that the Taiwan tensions are "going to come to a head" at some point, as Krebs warned that organizations should “manage risk yesterday”, game out how it might affect their supply chain and IT operations, and physically segment their networks in Taiwan starting “now”.

**Workforce shortage**

Krebs noted that he found it “confounding” that the cybersecurity workforce continues to face workforce shortages. After all, the cybersecurity career was fun, lucrative, durable, fascinating, and – given that national security was at stake – meaningful, he said.

One key to addressing growing cyber-threats is providing more opportunities for young people to experience coding and to instil “critical thinking skills”, suggested Krebs.

Chris Krebs at Black Hat USA: US Department of Defense has “incredible purchasing power – they must use it”

On a more positive note, he took hope from an increasingly tech-native workforce.

Another reason for cheer was found in the boardroom, with “a CEO that sees cyber risk as business risk is rare, but that is changing post-Colonial \[Pipeline ransomware attack\].”

**Unthinkable complexity**

The workforce gap is fuelled by, as Krebs described (PDF) it to a US congressional committee, society’s “pathological need to connect everything to the internet”, resulting in a ballooning attack surface.

The targets are increasingly complex too, to the point where even experts struggle to understand what Neuromancer author William Gibson prophetically called “the unthinkable complexity” of cyberspace.

Citizens, infosec professionals, and organizations alike must reckon with the fact that every country in the world – not just China, Russia, Iran, and North Korea – is seeing the internet as the “fifth domain”, through which they can surveil, destroy, and disrupt, observed Krebs.

Meanwhile, ransomware groups are capable of exploits that were sole preserve of nation states only few years ago, and that following NotPetya, the 2015 Ukraine power grid attack, and the SolarWInds hack, more novel, innovative attacks would inevitably arise, he warned. “We’ve fetishized the APT threat while cybercriminals have eaten our lunch,” said Krebs.

Krebs set out his prescriptions for how the cybersecurity industry and government should get ahead of the coming threats. Government, for instance, should leverage its role as consumer, enforcer, defender, and enabler. As a consumer, to take one example, he said: “The US Department of Defence the largest customer of big tech firms” with “incredible purchasing power – they have to use it.”

As for his former employer, CISA, he insisted that it is, and must continue to be, apolitical.

RECOMMENDED The best Black Hat and DEF CON talks of all time

Black Hat USA: Ex-CISA director Chris Krebs urges orgs to bolster infrastructure amid Taiwan tensions

Attack on Taiwan seemingly a case of ‘when’ not ‘if’ Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), is “bearish in the short term, bullish in the l

Attack on Taiwan seemingly a case of ‘when’ not ‘if’

Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), is “bearish in the short term, bullish in the long term” on the prospects for US national cybersecurity.

The ex-director, now a founding partner of Krebs Stamos Group, told an audience at Black Hat USA that a likely Chinese attack on Taiwan meant organizations had to act now on securing their supply chain resilience during the opening day of the annual conference, this year held both physically and virtually.

Krebs addressed attendees on the conference’s 25th edition as the opening keynote speaker.

**Taiwan in dire straits**

Earlier, Black Hat founder Jeff Moss introduced the talk by reflecting on how Russia’s invasion of Ukraine had awakened the infosec community to its power to help the government defend human rights and tackle “mis, dis, and mal information”.

Krebs, who served under President Donald Trump, said organizations, too, had an obligation to have principles and red lines in place before further geopolitical conflagrations – for both ethical and self-interested motives.

Catch up with the latest cyber warfare news

US officials had indeed told him that a Chinese attack on Taiwan was highly likely at some point, as Krebs warned that organizations should “manage risk yesterday” and physically segment their networks in Taiwan starting “now”.

**Workforce shortage**

Krebs noted that he found it “confounding” that the cybersecurity workforce continues to face workforce shortages. After all, the cybersecurity career was fun, lucrative, durable, fascinating, and, given that national security was at stake, meaningful, he said.

One key to addressing growing cyber-threats is providing more opportunities for young people to experience coding and to instil “critical thinking skills”, he said.

Thankfully, Krebs took hope from an increasingly tech-native workforce.

Another reason for cheer was that though “a CEO that sees cyber risk as business risk is rare, that is changing post Colonial \[Pipeline ransomware attack\].”

**Unthinkable complexity**

The workforce gap is fuelled by, as Krebs described it to a US congressional committee, society’s “pathological need to connect everything to the internet”, resulting in a ballooning attack surface.

The targets are increasingly complex too, to the point where even experts struggle to understand what Neuromancer author William Gibson prophetically called “the unthinkable complexity of cyberspace”.

Every country in the world – not just China, Russian, Iran, and North Korea – is seeing the internet as the “fifth domain”.

Meanwhile, ransomware groups are capable of exploits that were sole preserve of nation states only few years ago, and that following NotPetya and SolarWInds more novel, innovative attack techniques were inevitable, he warned.

The government should help the country prepare for the unforeseeable threats of tomorrow in its role as consumer, enforcer, defender, and enabler. As a consumer for instance, he said: “The US Department of Defence the largest customer of big tech firms” with “incredible purchasing power – they have to use it.”

He also said CISA is, and must continue to be, apolitical.

RECOMMENDED The best Black Hat and DEF CON talks of all time

Black Hat USA: Former CISA director Chris Krebs warns clouds of cyberwar are circling Taiwan

Vulnerable path is reachable just once a day, but patches still need to be implemented as a matter of priority

James Walker 10 August 2022 at 12:52 UTC

Vulnerable path is reachable just once a day, but patches still need to be implemented as a matter of priority

A high-impact vulnerability in small business routers from Cisco could allow “patient and suitably positioned attackers” to obtain unauthenticated remote code execution on affected devices.

The flaw was discovered by researchers at Onekey (formerly IoT Inspector), who found that improper input validation in the Cisco RV160, RV260, RV340, and RV345 series of routers could allow a remote attacker to execute arbitrary commands on the system.

“By sending a specially-crafted input to the web filter database update feature, an attacker could exploit this vulnerability to execute arbitrary commands on the underlying operating system with root privileges,” the team said in a technical blog post this week.

**Perfect timing**

Tracked as CVE-2022-20827 and with a CVSS score of 9.0, the Cisco router vulnerability relates to a flaw in the BrightCloud web filtering feature that comes bundled with the devices.

The researchers discovered the vulnerability when hunting for bugs to craft exploit chains for the Pwn2Own 2021 live hacking event.

**RELATED** Vulnerability in DrayTek routers leaves thousands of SMEs open to exploitation

“Sadly, the vulnerable path is only reachable once a day, so it did not match the Pwn2Own rules,” they said.

Despite the timing constraints, Onekey said businesses should still implement the fixes as soon as possible. “We know real world attackers can be patient and won’t hesitate to wait on you, so patch your routers,” they said.

**Bug ‘dependency’ confusion**

In an accompanying security advisory, Cisco released a list of vulnerable router firmware versions and relevant patch guidance.

Incidentally, the advisory states that CVE-222-20827 is “dependent” on another flaw, CVE-2022-20841.

Read more of the latest infosec research news

However, despite noting similarities in the exploits, Onekey researcher Quentin Kaiser told _The Daily Swig_ that one CVE was not reliant on the other.

“I don’t see the ‘dependency’ between those two vulnerabilities,” Kaiser said. “They’re similar in that they’re both exploiting a lack of protection against man-in-the-middle attacks, but they target different components.”

We have asked Cisco for clarification on this point. This article will be updated if we hear back.

**RECOMMENDED** Microsoft Edge deepens defenses against malicious websites with enhanced security mod

Cisco router flaw gives patient attackers full access to small business networks

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Microsoft has introduced an optional feature to its Edge browser that applies more stringent security controls when users visit unfamiliar websites.

Enhanced security mode mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation, while activating additional operating system protections for the browser such as arbitrary code guard and hardware-enforced stack protection, according to Microsoft.

It said these changes provide “defense in depth” by making it harder for malicious sites to leverage unpatched vulnerabilities in order to write to executable code into memory.

RELATED Chromium site isolation bypass allows wide range of attacks on browsers

Microsoft said the provision of a “rich browsing experience using powerful technologies like JavaScript” heightens the risks of visiting malicious sites. “With enhanced security mode, Microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse,” said Redmond.

**First of its kind**

Rival browsers Chrome and Firefox currently lack equivalent features, although can be configured to disable features such as JIT.

As for Safari, Apple recently announced a new security feature aimed at defending users at potential risk of highly targeted cyber-attacks that also disables JIT and other complex web technologies, unless the user excludes a trusted site. Called Lockdown Mode, this feature is designed to protect journalists, politicians, and human rights activists from spyware.

Catch up with the latest browser security news

The Microsoft Edge security team published analysis of the results of its experimentations with the new feature in August 2021 and February 2022.

The feature was rolled out in Microsoft Edge version 104, which was released August 5.

**Three levels of security**

The new feature, which is turned off by default, can be enabled as one of three modes.

In its ‘basic’ – and recommended – configuration, the feature applies “added security protection to the less visited sites”, but “preserves the user experience for the most popular sites on the web”, explained Microsoft.

Basic mode does not adapt according to user behavior. By contrast, ‘balanced’ mode “builds on user’s behavior on a particular device, and Microsoft’s understanding of risk across the web to give sites that users are most likely to use and trust full access to the web platform, while limiting what new and unfamiliar sites can do”.

Finally, the ‘strict’ setting applies enhanced safeguards universally against all sites. It isn’t recommended for most end users because of the additional configuration required for users “to complete their normal tasks”.

In all three modes, users can create exceptions for trusted websites, with enterprise admins able to create ‘allow’ and ‘deny’ lists.

Sites that use WebAssembly (WASM), a binary instruction format for stack-based virtual machines, are not currently supported by the feature. Sites that need WASM can be added to the exception site list.

An ‘added security’ banner appears in the URL navigation bar when enhanced security mode is activated for a particular site.

RECOMMENDED XSS in Gmail’s AMP For Email earns researcher $5,000

Microsoft Edge deepens defenses against malicious websites with enhanced security mode

Bug fixed within 24 hours and $5,000 bug bounty awarded

Bug fixed within 24 hours and $5,000 bug bounty awarded

A vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.

The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pin or remove posts, ban other users, and edit subreddit information.

Read more of the latest hacking news

As detailed in a recent HackerOne report, a bug hunter with the handle ‘high\_ping\_ninja’ found that Reddit failed to check if the user was a moderator of a particular subreddit when they attempted to access the mod logs via GraphQL.

“You can change the parameter to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.

**Same-day fix**

The insecure direct object reference (IDOR) bug was reported on August 3 and fixed on the same day.

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.

The researcher was awarded a $5,000 bug bounty for the find.

**DON’T MISS** Pwn stars: The best Black Hat and DEF CON talks of all time

Simple IDOR vulnerability in Reddit allowed mischief-makers to perform mod actions

Pwn stars

Hacker Summer Camp is only days away, so in order to whet your appetite, The Daily Swig has compiled a list of some of the best talks of years past.

Over the years there’s been thrills, spills, and (of course) ‘sploits, as the top researchers in the security world have descended on Las Vegas for Black Hat USA and DEF CON – a security double bill that’s hard to beat.

This year’s Black Hat – which is again taking place as a hybrid event – and DEF CON offerings are sure to add to the already impressive roster of ground-breaking talks from years gone by.

Now that Covid-related restrictions have largely been lifted, the 2022 edition promises to be something of a grand reopening of arguably the single most important event in the infosec calendar.

Without further ado (and in no particular order) here are our top picks from past Black Hat and DEF CON events…

**Panic in the Cisco**

Michael Lunn’s 2005 talk on the security shortcomings of Cisco’s networking technology was important not only because of the potential impact of his discovery, but because it served as an example of an attempt to suppress security research.

Lunn resigned from his employment with Internet Security Systems in order to deliver a talk on a critical vulnerability in router technology from Cisco.

The security researcher demonstrated an exploit – which opened the door to a range of attacks from eavesdropping to disabling the compromised device – while withholding any details. Cisco issued a security fix to its firmware prior to the talk, but not many organizations had applied it by the time it rolled around.

Cisco initially gave the go-ahead for the talk but had second thoughts with the event imminent. ISS agreed to a request from the networking giant, but Lunn disagreed. This prompted his decision to resign in order to present his findings.

**Cache from chaos**

Dan Kaminsky’s reveal of a cache poisoning flaw affecting the software of multiple DNS vendors back in 2008 remains a landmark event in networking security.

The security researcher worked with DNS vendors for months to fix the critical vulnerability before laying the problem bare during Black Hat 2008.

It remains a testament to the late security researcher, who sadly passed away in April 2021, prompting an outpouring of tributes to a true infosec great characterized by “kindness, boundless energy, and positivity”.

**Hitting the Jackpot**

Barnaby Jack’s live hack demo on an ATM set the benchmark for spectacular hacks and cutting-edge security research. Jackpotting – as the attack later became known – involved a targeted assault on the software running on ATMs.

The end result involved injecting malware into the operating system of cash dispensing machines, causing them to dish out bank notes fraudulently. Either exploitable vulnerabilities in an ATM’s remote management system or unauthorised physical access to a machine (perhaps facilitated by a corrupt insider) might be used to carry out an attack.

Prior to Jack’s research, embedded systems such as ATMs were widely (but incorrectly) thought to be beyond the scope of potential hack attacks. The research paved the road to follow-up studies into the security of medical devices such as pacemakers and insulin pumps.

**Up in the air**

Interest in the security of air traffic control systems took off with Andrei Costin’s presentation on the issue during Black Hat 2012. Costin’s talk focused on security aspects of ADS-B (Automatic Dependent Surveillance-Broadcast), a satellite-based aircraft tracking technology, and other flight technologies.

The presentation looked at ADS-B (in)security from a practical perspective, presenting the “feasibility and techniques of how potential attackers could play with generated/injected air traffic, and as such potentially opening new attack surface” into air traffic control systems.

**Don’t look up**

Shifting the focus from airborne planes to satellites in orbit, a well-received 2014 talk by Ruben Santamarta reviewed the security of satellite communication terminals.

IOActive found that all the devices they accessed were potentially open to abuse. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, or weak encryption algorithms.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products,” IOActive warned at the time. “In certain cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.”

**Policy forum**

Black Hat and DEF CON have never been the forum for technical discussions and hacking demos alone. Policy issues are often in play too, as evidenced by talks from the likes of Dan Geer and Jennifer Granick.

Geer, CISO for In-Q-Tel, a not-for-profit venture capitalist firm that looks for tech that supports the US intelligence community, spoke about cyberspace as a domain for conflict between nations and on power politics in 2014.

Granick, director of civil liberties at the Stanford Center for Internet and Society, looked forward to the next phases of the development of the internet in 2015.

More recently Parisa Tabriz, director of engineering at Google, used her 2018 Black Hat keynote to give a practical perspective on secure development. And last year Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), outlined how hackers, the government, and the private sector can work together to confront cyber threats.

**Kettle reinvents HTTP request smuggling**

PortSwigger’s James Kettle reinvented the long-neglected topic of request smuggling with his presentation on HTTP desync attacks at DEF CON in 2019.

Kettle showed how it was possible to manipulate web requests in order to poison web caches. The hack allowed Kettle to compromise PayPal’s login page, among other targets, and claim $70K in bug bounties.

The hack relied in exploiting flaws in how web systems pass web-based requests between front end and back end system, as explained in a Daily Swig article published at the time of the talk.

**A new era in SSRF**

Noted web security researcher Orange Tsai used a 2017 Black Hat talk to outline an exploit technique variant that might be harnessed to bypass server-side request forgery (SSRF) protections.

The technique relied on fuzzing to unearth previously undiscovered vulnerabilities in the libraries of programming languages including Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL.

The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Flaws in web applications such as WordPress, vBulletin, MyBB, and GitHub have also been uncovered using the same approach, the security researcher told Black Hat USA attended in 2017.

**Hasta la Vista**

Polish security researcher Joanna Rutkowska became well known in the security community following her demonstration of an attack against Windows Vista’s kernel protection mechanism at Black Hat USA 2006.

During the same presentation, she also demonstrated a technique called ‘Blue Pill’ that involved hacking the operation of a virtual machine to plant stealthy malware.

**Gone in 40ms**

Hacking took to the roads in 2015 after security researchers Charlie Millar and Chris Valasek demonstrated how to launch a remote cyber-attack against an unaltered factory vehicle.

The security researchers hacked into a Jeep Cherokee through a mobile connection to its entertainment system via a technique that allowed them to send messages on the CAN bus to critical electronic control units. This, in turn, allowed them to control the braking, steering, and acceleration of the car.

That’s our round-up of the best-ever talks at Hacker Summer Camp – but what are your picks?

Have we failed to mention any unmissable talks? What are your favourite hacks? Let us know on Twitter at @DailySwig.

You can also watch more talks from previous Hacker Summer Camps on YouTube, ranked by numbers of views, via the DEF CON and Black Hat archives.  

YOU MAY ALSO LIKE ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications

The best Black Hat and DEF CON talks of all time

Researcher bypasses email filter with inspired style tag trickery

Adam Bannister 05 August 2022 at 15:59 UTC

Researcher bypasses email filter with inspired style tag trickery

A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.

AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.

Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.

**Rendering contexts**

The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.

Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.

RELATED XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks

This required a discrepancy between how the stylesheet is rendered by the filter and browser, either by “tricking the filter into believing a fake style tag is real”, or “the exact opposite”.

Cohen’s initial vector worked in the sandbox because AMP “leaves the CSS context as soon as it encounters the string ‘’ even if it doesn’t have a closing bracket () or at least a whitespace after it”.

He was then able to “trick the filter into believing we’re back in HTML context, while the browser obviously ignores entirely and stays well within the realm of CSS”.

**</styl> over substance**

But “what looked like a promising vector in AMP, seemed way less interesting after Gmail ran its magic on it,” said Cohen.

A breakthrough came when he harnessed a CSS selector, which ensured the payload was returned unchanged by Gmail – “no escaping or other mutations”.

However, the malicious payload prompted an error after the AMP sandbox encountered ‘’, so Cohen tried , but Gmail’s filter was wise to its resemblance to .

What worked instead was testing a benign payload with an encoded selector – because Gmail decoded it, he could use the selector to inject a closing style tag.

Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.

As previously reported by The Daily Swig, Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.

RELATED Authentication bypass bug in Nextauth.js could allow email account takeover

Source

PortSwigger