Notes


Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs

I have found an undocumented parameter called headers which allows me to set custom headers on the given batch requests.

Unfortunately, it seems like the Host headers you can specify in these batch requests also behave the same way if you are not sending batch requests, but directly setting the Host header to these domains when sending requests to the server hosting this batching service.

It feels like these requests are not leaving the machine itself, and are just hitting different “virtual hosts” that are available on this IP. I wasn’t able to access internalfb.com infrastructure via this batch endpoint; it seems to be on a different infrastructure.

Is Hagga Threat Actor (ab)using FSociety framework?

Today I’d like to share a quick analysis initiated during a threat hunting process. The first observable was found during a hunting process over OSINT sources; the entire infrastructure was still up and running during the analysis, and the malicious payloads were downloadable.

My first observable was a zipped text file compressing a simple update.js script. The script was created to avoid automatic analysis tools, since its size (>9MB) makes it really hard to beautify or to remove the unwanted/funny added trash code, which happens to be everywhere.

The blind leading the blind

I am tired of the blind leading the blind.

Techniques In Email Forensic Analysis

E-mail has emerged as one of the most important applications on the Internet for communication of messages, delivery of documents and carrying out transactions, and is used not only from computers but from many other electronic gadgets like mobile phones.

Emails are now being used for all sorts of communication, including providing confidentiality, authentication, non-repudiation and data integrity. As email usage increased, attackers and hackers began to use emails for malicious activities. Spam emails are a major source of concern within the Internet community. Emails are more vulnerable to being intercepted and might be used by hackers to learn of secret communications. Emails frequently contain malicious viruses, threats and scams that can result in the loss of data, confidential information and even identity theft.

Appshark - static taint analysis platform

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

Practical Client Side Path Traversal Attacks

Client Side Path Traversal attacks arise when a web application loads some content using XmlHTTPRequests (XHR for short) and the user has control over some section of the path from which the resource is loaded. If not correctly sanitized, this may lead to many kinds of client-side issues such as XSS, CSSi, etc.

The impact depends on each application, because each one treats user-controllable inputs in the JavaScript in a different way and with a different purpose. That’s why the context of each parameter really matters.

Accidental $70k Google Pixel Lock Screen Bypass

I found a vulnerability affecting seemingly all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked. The bug just got fixed in the November 5, 2022 security update.

The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device. The vulnerability is tracked as CVE-2022-20465 and it might affect other Android vendors as well.

Backdooring Office Structures. Part 1: The Oldschool

This blog post series discusses various means adversaries employ to deliver their malicious code using macro-enabled Office documents. We outline staged vs. stageless considerations and relevant VBA implementations, to then delve into the problem of concealing the attacker’s intents in OpenXML structures. This article explores currently known and understood strategies, whereas in the second part I’ll release my novel (at least as far as I’m concerned) technique for uniformly hiding malware in Word, Excel and PowerPoint in a storage that isn’t covered by open-source maldoc analysis tooling.

Viagra a form of erection fraud

Viagra a form of erection fraud.

You can drift a while

You can drift a while,
Until you find yourself
And the path that brings you joy.

Lessons Learned from Cloning Windows Binaries and Code Signing Implants

AntiScan.Me has always been my choice to check how my implant fares against different AV software/companies. The main reason is they never distribute the scan results (well, at least that’s what they claim) compared to VirusTotal.

Checking the detection (evasion) rate of my implant helps improve my maldev skills. It also forces me to learn and research different evasion techniques which I find challenging and fun. But recently, I got stuck trying to get a 0/26 detection rate. Here’s an image showing the detection rate of the implant that I have written.

Divin'n'phishin with executable filetypes on Windows

In order to find phishing payloads, one needs to understand how executable filetypes on Windows are handled, finding which ones can be delivered to mail clients, and thus users, without being caught by mail defences in between and without requiring multiple validation steps from that user for execution once clicked on.

Other filetypes are also relevant for phishing even if they are not executable per se; they are also mentioned in this article.

I am pretty sure all presented filetypes have been documented before, but the method used below may be applicable for future Microsoft systems or constrained Windows environments to understand why certain filetypes are blocked.

Search webpages for JavaScript & analyze them for secrets

JSubFinder is a tool written in Go to search webpages & JavaScript for hidden subdomains and secrets in the given URL. Developed with bug bounty hunters in mind, JSubFinder takes advantage of Go’s amazing performance, allowing it to utilize large data sets & be easily chained with other tools.

SOVA – A New Android Banking Trojan

How many people are aware of the new mobile banking “Trojan Virus -SOVA” that enables hackers to access legitimate logged-in sessions from customers without needing to know the banking credentials? It used to concentrate on nations like the US, Russia, and Spain, but in July 2022 it added numerous more nations, including India.

A brand-new type of banking trojan known as the SOVA virus was found in September 2021. This trojan was revealed at a hacking forum.

I never hated myself

I’m starting to realise that I do not hate myself and I never hated myself; what I hate is the world we live in, the people who leeched every bit of fun and joy out of it by way of greed, selfishness, stupidity, abuse and pigheadedness.

GL.iNET GL-MT300N-V2 Router Vulnerabilities and Hardware Teardown

The MT300N-V2 portable router is affected by an OS Command Injection vulnerability that allows authenticated attackers to run arbitrary commands on the affected system as the application’s user. This vulnerability exists within the local web interface and the remote cloud interface. It stems from improper validation of input passed through the ping (ping_addr) and traceroute (trace_addr) parameters. The vulnerability affects a few GL.iNET products’ firmware >3.2.12.