It’s not a common scenario, but if during a pentest you get access to a machine with a user that has sudo rights to execute openvas, you can escalate privileges to root!

In this post I’m going to describe some OpenVAS workflows and then dive into this particular local privilege escalation.

A bit of background about OpenVAS workflows

OpenVAS is one of the most well-known vulnerability scanners. When you install OpenVAS you get the openvas binary as the outcome, but it’s not a ready-to-run executable. You need two more components:

“An Exploration of JSON Interoperability Vulnerabilities” by Jake Miller was published last week. It’s interesting research about differences among JSON libraries that can lead to logic bugs, and it puts this kind of vulnerability on the map when you do threat analysis. In this post I’ll analyze the examples from the original post and try to mitigate the vulnerabilities from a secure development perspective.

We’re going to start by analyzing the first lab, “Validate-Proxy Pattern”, from the original post. The code can be found here:

It’s a somewhat contrived example because it takes advantage of a malformed JSON dictionary with duplicate…
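To make the failure mode concrete, here is an added Python sketch of the validate-proxy pattern (example code written for this page, not code from the original post or from Jake Miller’s labs). The request body, the `role` check and the helper names are all constructed for the illustration. The first-wins parser is simulated with `object_pairs_hook`; in real deployments the mismatch comes from two different libraries on the validator and the backend.

```python
import json


# Constructed sample body: the same key appears twice. RFC 8259 only says
# names "SHOULD" be unique, so parsers are free to keep the first value,
# keep the last value, or reject the document.
RAW = '{"user": "alice", "role": "user", "role": "admin"}'


def first_wins(pairs):
    """object_pairs_hook that keeps the first occurrence of each key."""
    out = {}
    for k, v in pairs:
        out.setdefault(k, v)
    return out


def reject_duplicates(pairs):
    """object_pairs_hook that refuses any object with a repeated key.

    json.loads calls the hook for every object, nested ones included,
    so duplicates at any depth are caught."""
    out = {}
    for k, v in pairs:
        if k in out:
            raise ValueError(f"duplicate key {k!r}")
        out[k] = v
    return out


def loads_last_wins(raw):
    # Python's default behaviour: a later duplicate silently overwrites.
    return json.loads(raw)


def loads_first_wins(raw):
    # Stand-in for a library that keeps the first occurrence.
    return json.loads(raw, object_pairs_hook=first_wins)


def loads_strict(raw):
    # Mitigation 1: fail closed on duplicate keys.
    return json.loads(raw, object_pairs_hook=reject_duplicates)


def validate_proxy(raw, validator_loads, backend_loads):
    """Validate-proxy pattern: the front service validates the body, then
    forwards the *raw* body to a backend that parses it again with its own
    library. Returns the role the backend acts on, or "rejected"."""
    validated = validator_loads(raw)
    if validated.get("role") == "admin":
        return "rejected"
    # The backend re-parses the unmodified bytes with a possibly different parser.
    return backend_loads(raw).get("role")


def validate_proxy_safe(raw, validator_loads, backend_loads):
    """Same flow, but a parse error in the validator counts as a rejection."""
    try:
        return validate_proxy(raw, validator_loads, backend_loads)
    except ValueError:
        return "rejected"


def validate_proxy_reserialized(raw, validator_loads, backend_loads):
    """Mitigation 2: forward what the validator actually checked, re-serialized,
    instead of the original bytes, so both sides see the same document."""
    validated = validator_loads(raw)
    if validated.get("role") == "admin":
        return "rejected"
    return backend_loads(json.dumps(validated)).get("role")


if __name__ == "__main__":
    # Mismatched parsers: validator sees "user", backend acts as "admin".
    print(validate_proxy(RAW, loads_first_wins, loads_last_wins))          # admin
    # Strict validator: the duplicate key is rejected before proxying.
    print(validate_proxy_safe(RAW, loads_strict, loads_last_wins))         # rejected
    # Re-serialization: backend receives exactly the validated object.
    print(validate_proxy_reserialized(RAW, loads_first_wins, loads_last_wins))  # user
```

Rejecting duplicates is the stricter of the two mitigations, but re-serializing the validated object is the one that also covers other interoperability differences (number precision, escapes, comments) because the backend never sees the attacker’s bytes.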

Some days ago I was watching 10 Things I Regret About Node.js and the introduction to Deno started with this slide about security.

By default a script should run without any network or file system write access

It makes sense, especially in the frontend realm, where most of the time we’re developing code to be run in a browser, and in a browser you don’t have, for example, file system write access.

In this post my target persona is going to be a frontend developer who writes code that will only run in the browser. It’s important to mention that…

Disclaimer: I discovered this vulnerability in February and it was fixed in May 2020 (version 5.10.2 and the new 6.x branch) due to the change of the web driver from Zombie.js to puppeteer.

Initial research was done as part of my work at Dreamlab Technologies.

At work I had to vet different software detection solutions and one of them was Wappalyzer. …

This is the next post of the series called “Web scraping considered dangerous”. You can read the previous post here and, as an update, my pull request fixing the FormRequest.from_response behaviour was merged!

This post is again based on scrapy (version 1.6.0) and I’ll show two techniques to leak files from the spider’s host; however, it’s not that easy, since the website must meet certain requirements for this exploitation to succeed. Let’s get to the facts!

Website’s structure premise

Websites return data in multiple formats (html, xml, json, csv, plaintext, etc.) and to carry out the exploitation described in this post there’s a tight…

Disclaimer: scrapy 1.5.2 was released on January 22nd; to avoid being exploited you must disable the telnet console (enabled by default) or upgrade to at least 1.5.2.

This year the focus of our research will be security in web scraping frameworks. Why? Because it’s important to us. For a little context, between 2012 and 2017 I worked at the world leader Scrapinghub, programming more than 500 spiders. At alertot we use web spiders to get fresh vulnerabilities from several sources, so they’re a core component of our stack.

We use scrapy daily and most of the vulnerabilities will be…

I’ve made some changes for clarity. It was originally published in 2014:

As some of you have noticed, the post frequency has been low in recent years because I’ve been happily working full-time for more than two years at Scrapinghub, the company behind the popular scrapy framework. I’ve been working mostly on software projects, so I only do security research in my spare time.

scrapy is a powerful client-side framework for web scraping and it usually doesn’t involve server-side components, unless you run scrapyd to manage your scrapy spiders. …

Last year there was a talk in Chile titled “Chile Exposed: un puerto para gobernarlos a todos” (a port to rule them all), a reference to the ring from The Lord of the Rings. The talk was about access to shared resources of several organizations on port 445, which made me question whether that was really the ring to rule them all. I think there is a better candidate for the One Ring; let’s go find it!

Let’s travel back in time: Chile in 2014. What software was installed on most of the main national sites? Quick answer: the Transbank payment kit (KCC). The…

[This post is only available in Spanish because the target audience is in Chile]

Recently, several fake emails in the name of the SII (Servicio de Impuestos Internos, the Chilean tax authority) have been circulating as part of phishing attacks and malware distribution.

Analyzing some of them, it is obvious that they are fake, since they show:

  • Spelling mistakes.
  • URLs on other domains.
  • External IP addresses.
  • Downloads of .exe executables.

If they did not have those characteristics, the probability of infecting/fooling the people who receive those emails would increase considerably. In this post we’ll review a Cross-Site Scripting vulnerability in the…

This weekend we participated in the Metasploit Community CTF and got 12th place out of 1000 registered teams (though, according to the organizers, 600 teams logged in). This time our team was small (chcx and me most of the time, deb_security on the last day) and we got help from Miguel Mendez (@s1kr10s) for an important task.

Here’s a short review of some of the challenges. There were two machines, a Windows one and an Ubuntu one, both with a lot of services. Let’s start with some challenges related to the Ubuntu machine and then continue with the Windows one.

King of diamonds

There was a…

Claudio Salazar

security & development
