Pure Hacking blogs

Introduction to Hash DoS Attacks

Josh Zlatin — Tue, 03 Jan 2012 09:16:33 +0000

Someone asked me about the Hash DoS attack recently disclosed at CCC, so I thought I would give a high level explanation of it here in case it benefits others as well. Hash tables are often used in programming languages to map data keys and values together. A comparable real world example could be a phone book which maps a person's name (the key) to their phone number (the value).

Virtual Patching Session Fixation

Josh Zlatin — Thu, 01 Dec 2011 15:50:10 +0000

On a recent engagement we gained unrestricted administrative access to a certain proprietary web application by exploiting a Session Fixation flaw. According to the WASC Threat Classification v2, Session Fixation is an attack technique that forces a user's session ID to an explicit value.

Speeding Up Lua Script Execution in ModSecurity

Josh Zlatin — Tue, 15 Nov 2011 16:01:51 +0000

Often when implementing customised ModSecurity solutions we need to extend the built-in functionality via Lua scripting. One of the disadvantages to this approach is the added latency penalty paid for not using the native rules language. When web site performance is critical for business continuity, every additional millesecond counts. The current trunk code fixes a long-standing limitation where ModSecurity needed to create a new VM for each request, which added latency every time a Lua script was executed.

Remove Lost iPhone Backup Password

Ty Miller — Sat, 15 Oct 2011 09:34:40 +0000

Lets say that at some point you decided to adhere to security best practices and set a password on your iPhone backups so that they are encrypted. A year or two later you have upgraded your iPhone to a new version and you want to transfer all of your data across to the new phone. You attempt to restore from your backup and, doh, you need to remember the password you set. You try every password you could have set but none of them work.

Finding the level of risk you are comfortable with

Rob McAdam — Tue, 26 Jul 2011 23:40:05 +0000

Security Vendor Management

Rob McAdam — Mon, 25 Jul 2011 23:25:57 +0000

The Principles of Other People's Data

Rob McAdam — Mon, 25 Jul 2011 00:16:39 +0000

Building dependable enterprise applications

Sandeep Nain — Tue, 28 Jun 2011 06:47:42 +0000

Coming from a family of civil engineers, I always knew that it is a rigorous process to ensure that a building is safe and secure for its occupants. But, its the first time I got a chance to see the complete construction lifecycle when they started building a multi-story business complex next to the building I live in.

Skype Bug Full Disclosure

Gordon Maddern — Tue, 24 May 2011 01:32:01 +0000

Skype has patched and released the fix for the Skype bug we found so we can discuss the details of the bug.

Skype 0day vulnerabilitiy discovered by Pure Hacking

Gordon Maddern — Fri, 06 May 2011 04:26:39 +0000

About a month ago I was chatting on skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleagues skype client.

I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. So I decided to test another mac and sent the payload to my girlfriend. She wasn't too happy with me as it also left the her skype unusable for several days.