Uploading Files? You Might Be Sharing More than You Realize

Introduction I recently uploaded a file to a Nextcloud instance. After the upload, I saw that the file timestamp in Nextcloud is already some months old. But I just uploaded it, right? I double checked and saw that it matches the one on my local file system. How is this possible? Is a web application really able to read the last modification timestamp of the file? Apparently. I was not aware of this. In this post, I explain how this works and why you might care about this. ...

01.12.2024 路 5 min 路 Emanuel Duss

Wireshark Trick: Sniffing Browser TLS Traffic

Introduction Wireshark 4.2.0 added a new functionality [1] that can be used to directly launch a web browser with the SSLKEYLOGFILE environment variable set, in order to easily sniff and decrypt TLS traffic from a started application. Howto This new feature can be found in the Tools menu and then under TLS Keylog Launcher (1). You can specify to which file where the SSLKEYLOGFILE variable should point to (2) in order to save the key material. Then, a command can be provided in the command line input field (3), which is then started with the SSLKEYLOGFILE variable set. If an application supports the SSLKEYLOGFILE mechanism [3], the TLS keys are the automatically stored in the configured file and Wireshark is able to decrypt the content (4) and show it in cleartext (5). ...

17.11.2023 路 1 min 路 Emanuel Duss

Download Burp Suite BApps

Introduction When you don鈥檛 have Internet connection during a web application pentest and you still want to install some BApps in the Burp Suite, you have to download them manually from the BApp Store. If you use a lot extensions, this can be a tedious task. It鈥檚 possible to download all BApps using a little script to simplify this task. Script The following script can be used to download all Burp Suite BApps from the BApp Store: ...

15.09.2023 路 2 min 路 Emanuel Duss

Zwingender monatlicher Login bei DynDNS.org automatisieren (Auto Login Script)

Einf眉hrung Seit kurzer Zeit muss man sich, damit man seinen Hostnamen nicht verliert, jeden Monat im Account von DynDNS.org einloggen. Mit einem einfachen Skript und einem Crontab Eintrag l盲sst sich das automatisieren. Automatisch einloggen Folgendes Skript automatisiert das Login im Account von DynDNS.org. Man muss nur noch den Usernamen und das Passwort eintragen. #!/usr/bin/env bash # # dyndnslogin - Automate login to prevent account expiration # ######################################################################## # DynDNS Settings (default-value, overwrite with $1 and $2) # If you have special chars in your password, you need to urlencode: # python -c "from urllib.parse import quote; # print(quote('your password', safe=''))" DEFAULT_USERNAME="username" DEFAULT_PASSWORD="password" # Import settings from /etc/ddclient.conf if available DDCONF="/etc/ddclient.conf" if [ -r "$DDCONF" ] && grep -q "^server=members.dyndns.org" "$DDCONF" then DEFAULT_USERNAME="`awk -F= '/^login=/{ print $2 }' $DDCONF`" DEFAULT_PASSWORD="`awk -F= '/^password=/{ print $2 }' $DDCONF`" fi USERNAME=${1:-$DEFAULT_USERNAME} PASSWORD=${2:-$DEFAULT_PASSWORD} PROGNAME=dyndnslogin COOKIE=`mktemp --tmpdir="/tmp" -t ${PROGNAME}_cookie_XXXXX` OUTPUT=`mktemp --tmpdir="/tmp" -t ${PROGNAME}_output_XXXXX` USERAGENT="Mozilla/5.0" MULTIFORM=`curl -s -A $USERAGENT -c $COOKIE https://account.dyn.com \ | awk -F\' '/multiform/{ print $6 }'` curl -s --location -A "$USERAGENT" -b $COOKIE -c $COOKIE -o $OUTPUT \ --data-urlencode "username=$USERNAME&password=$PASSWORD&iov_id=&submit=Log+in&multiform=$MULTIFORM" \ https://account.dyn.com/ if grep -i -E "(Welcome|Hi).*$USERNAME" $OUTPUT > /dev/null 2>&1 then echo Login successful else echo Login failed FAILED="true" fi rm $COOKIE rm $OUTPUT if [ "$FAILED" = "true" ] then exit 1 fi Nach dem Ausf眉hren erh盲lt man die R眉ckmeldung, ob das Login funktioniert hat oder nicht. ...

23.05.2013 路 2 min 路 Emanuel Duss
×