Welcome back to the final blog in de series "How to hack a box"! In this blog we’ll cover the basics of Privilege Escalation and see it in practice on the Blocky box from Hack The Box.
Welcome back to the blog series about how to hack a box! In the past few blogs we’ve gone through a few steps which gives you an idea of how you can hack a box. We went from the Introduction, to Exploration, to Gaining Access. In this blog, we’ll cover the basics of Enumeration.
Welcome back to the blog series about how to hack a box! In this third post I’ll guide you through the second step: gaining access.
Welcome back to the blog series about how to hack a box! In the first blog I gave an introduction into the steps and prerequisites on How to hack a box. In this second post I’ll guide you through the first step, which is exploration. We will execute the steps on an actual box in Hack The Box, called Blocky.
Welcome to the blog series about how to hack a box! In this first post I’ll guide you through the global steps you can take to hack a box. The steps are universal, so you can use them on any target which you have permission for.
Now that it’s clear how to use an OAuth access_token in JWT to perform RBAC inside a REST service playing the role of resource server, it is time to see how to acquire such a token.
How many lines of code do you actually need to implement external Role Based Access Control (RBAC) using OAuth, JWT with the new Spring Security features? Lets find out!
Recently we updated one of our internal applications from Spring Boot 1.5 to 2.1, which includes an update of Spring Security. After the update the OAuth2 security started to fail in the backend, it stopped recognizing the authentication.
Modern applications development is a mix of custom code and many pieces of open source. The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use. A study from Black Duck which covers more than 200 applications shows that 95% of the projects use open source libraries (see open source security analysis). Important side note is we only use a fraction of all the libraries imported into a project. Last couple of months some critical issues were found in Struts 2 which enabled attackers to perform a remote-code-execution through a malicious content-type. One way to track whether you are using vulnerable components is to use the OWASP Dependency-Check. This tool uses the National Vulnerability Database to search components for well known published vulnerabilities.