Gone in 30 seconds – a HID cable story tale

Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech wireless mouse (M185) and a USB cable. From the mouse I took the receiver, a Logitech Unifying Receiver CU0010 (nRF24L family). Then I cut one end of a random USB cable, split the wires, and removed…

Make HID great again

I have been using HID devices on red-team assessments at Char49 for a long time, especially the Rubber Ducky and, lately, the Cactus WHID. I wanted to play a little more, so I picked one of my favourite tools from my arsenal, the tiny Digispark. This ATTINY85 with 8 KB of flash memory became part of…

My notes on Hacking BLE – list of resources

In the last few weeks I took a dive into the Bluetooth Low Energy (aka BLE) topic. There are many articles on the web on “how to hack BLE” and the like, so this is just a compilation of the things I wrote in my notepad, which I decided to share with…

Meter HTML5 XSS filter bypass

I was playing around with some new HTML5 features and noticed a funny one. The meter element gives you a progress bar on the fly: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meter. I immediately thought about using it to bypass poorly written tag-blacklist XSS filters by adding an event handler to it: [code]<meter onmouseover="alert(1)"[/code] You can check it on https://jsfiddle.net/btksfbbx/. Nowadays this doesn’t…

Why do some vendors ignore RFD attacks?

Since I published my Reflected File Download Cheat Sheet I have been getting lots of private messages and emails from security researchers and bounty hunters telling me that most companies ignore RFD attacks. So I decided to clear things up and answer the three most popular questions. First, a little introduction. In my opinion there are three ways of implementing…

XSS on an input hidden field

…where the input is sanitized for the ' < > chars. I came across a web application on a bounty program where the returnurl parameter was placed in the following HTML: [code language="html"]<input type="hidden" name="returnurl" value="[USER INJECT]" />[/code] The security filter removed the < > ' chars but left the double quote untouched and reflected. What’s the first thing that comes…

Should bug hunters provide real personal data on bug appreciation programs?

That’s a question that sometimes comes to the mind of many “hunters”. Personally, in most cases, when I participate in these programs, I use fake information; one of the first reasons is to test the input fields right away 🙂 Programs that require you to add your credit card info, phone number, bank info, … in…

Tiny XSS exploitation

A well-known website had a limit of 32 chars on the user name field, which was reflected in the public profile area. That field allowed XSS exploitation: [code lang="html"]d<img src=x onerror=prompt(1)>[/code] Simple, right? But sometimes you need to provide a better vector, where the affected company can see more than a prompt with a number…