
EDITORIAL TEAM

Managing Editor

Bartłomiej Adach
bartek.adach@pentestmag.com

Proofreaders & Betatesters

Lee McKenzie, Olivier Caleff, Ali Abdollahi, Craig Thornton, Tom Updegrove,
Matthew Sabin, Da Co, Robert Fling, Aditya Srivastava, David von Vistauxx,
Christopher Pedersen, Joerg Scheiblhofer, Bernhard Waldecker

Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their
assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher

Paweł Marciniak

CEO

Joanna Kretowicz


joanna.kretowicz@pentestmag.com

DTP

Bartłomiej Adach

bartek.adach@pentestmag.com

COVER DESIGN

Hiep Nguyen Duc

PUBLISHER
Hakin9 Media Sp. z o.o.

02-676 Warszawa

ul. Postępu 17D 

Phone: 1 917 338 3631 
www.pentestmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility
for misuse of the presented techniques or consequent data loss.

Dear PenTest Readers,
As we declared last month, the current issue maintains our main focus on the crucial and wide topic of critical
infrastructure cybersecurity. This time we intend to be more specific, as our major subject of examination is Supervisory
Control And Data Acquisition - SCADA. Due to growing concerns about such systems’ vulnerabilities, we would like to
introduce you to a fascinating world of Operational Technology pentesting, industrial control systems, and programmable
logic controllers.

The perfect start is provided by the article written by Marlene Ladendorff, PhD, who is an eminent expert in the
field of OT cybersecurity. If you want to learn about penetration testing of SCADA architecture, its peculiarities and the
differences between the security of such environments and Enterprise IT systems, this article is the best possible option.
We are extremely happy and grateful that such an expert publishes in our magazine for the second time in a row.

Furthermore, we would like to draw your attention to an excellent article by Cevn Vibert, which presents the landscape of
the ICS in a superbly thorough manner. The article invites the reader for a fascinating journey through the big picture of
Industrial Control Systems, with very interesting scenarios included.

Eduardo Honorato, who also publishes his second article in a row, approaches the topic through the optics of risk
assessment and appropriate standards. His article is also focused on the undeniably vital context of automation. This is
another ‘must read’ of this issue.

Bruce Williams had a huge influence on us in the creation of these two issues related to critical infrastructure - he helped
us by publishing his third article on his concept of pentesting for protection, named “Janus Thinking”. The concept has
been introduced in our previous issue. Now, it is concluded with the third part on thinking about threats and assets. We
hope that this approach symbolized by the Roman god Janus will gain its well-deserved popularity in the business.

One of our reviewers, Aditya Srivastava, has written a practical article on enumeration of SCADA systems using an nmap
script. He also presents the scope of the threat to Internet-facing PLCs. The piece is definitely worth reading. And
speaking of the practical dimension of this edition, Girshel Chokhonelidze provides us with a lab on data exfiltration using
the ICMP protocol. We are sure that this method will be very interesting to you and we are delighted to present it in this issue.

Moreover, we are pleased to mention that our magazine is an encouraging publishing platform for the young, ambitious
talents as well. This time we have an article by Mohamed Kameela Begum Majeeth and Dikshika Naresh on cluster bomb
storming and forestalling. Thus, if you have an interesting idea and you’re willing to publish - do not be intimidated,
contact us!

Finally, Marcell Gogan presents two of his well-written articles on the newest trends in the cyber security world. If you
wish to be up-to-date and relevant, you should definitely read his pieces on Edge Computing and Zero Login
Technologies.

We are also excited to introduce to you the outstanding professionals from InfySec. Experts from this company have just
recently started to cooperate with our magazine, and will be providing us with brilliant articles, labs, and tutorials on a
regular basis.

Enjoy the content!

PenTest Magazine’s Editorial Team.    

Contents

Pen Testing SCADA Architecture
Marlene Ladendorff, PhD, page 4

Industrial Cyber Physical Security Enhancement
Cevn Vibert, page 8

How to Assess Energy Infrastructure Cybersecurity
Eduardo Honorato, page 21

Enumerating SCADA Systems
Aditya Srivastava, page 28

The Art of Staying Ahead of Trouble: Janus Thinking (pentesting for protection)
Bruce Williams, page 33

Data Exfiltration Lab
Girshel Chokhonelidze, page 42

Top 4 Reasons For Moving Your Cloud Application To The Edge
Marcell Gogan, page 51

Cluster Bomb Storming and Forestalling Using Logic Based CAPTCHA
Mohamed Kameela Begum Majeeth, Dikshika Naresh, page 55

Exploiting The Entity: XXE (XML External Entity Injection)
Anand M, page 61

Zero Login Technologies: Is Biometrics Safer Than Passwords?
Marcell Gogan, page 73
Pen Testing SCADA Architecture

Marlene Ladendorff, PhD


Marlene is a subject matter expert in cybersecurity for critical infrastructure, specializing in OT cybersecurity. Her main
focus is nuclear power plants and the energy sector. Marlene recently spent 12 months working in the United Arab Emirates
for Emirates Nuclear Energy Corporation in the cybersecurity department at the Barakah nuclear power plant construction
site. Marlene is an international speaker on cybersecurity and teaches master’s level university courses in IT and OT
security. Her PhD dissertation was titled “The Effect of North American Electric Reliability Corporation Critical
Infrastructure Protection Standards on Bulk Electric System Reliability.”

Significant differences exist between Enterprise IT and OT SCADA system architecture and functionality. IT systems are
upgraded on a much more frequent basis than SCADA systems but the lifetime of SCADA systems is substantially longer
than their IT counterparts. Penetration testing for IT systems can be performed on active networks while SCADA
penetration testing should be limited to test bed or development systems and executed in a passive manner to not disrupt
operations. All personnel involved or potentially affected by a penetration test should be included in a review of the test,
an activity that some industries refer to as a pre-job brief.

Pen Testing SCADA Architecture in Critical Infrastructure Operational Technology Environments

Critical infrastructure entities utilize Information Technology (IT) systems and networks to manage the business
side of the organization. Operational Technology (OT) systems and networks are employed to manage and
control the operational side of the entity. Many similarities exist between IT and OT configurations, but the
differences can be significant and must be taken into consideration when planning and executing penetration
tests. Pen testing practices that are appropriate for IT architecture are not necessarily safe to employ on
Supervisory Control And Data Acquisition (SCADA) equipment on OT networks.

SCADA systems are a subset of Industrial Control Systems (ICS) [1]. ICS (and, by default, SCADA) differ in
function from IT systems and, therefore, require special considerations when applying cybersecurity controls
and testing to them. Before committing to performing penetration tests on SCADA equipment, a solid
understanding of the dissimilarities between IT and OT architecture could mean the difference between a pen
test that offers meaningful data for securing SCADA systems and a pen test that crashes OT systems or the
entire OT network. Table 1 includes some, but not necessarily all, differences between enterprise IT and OT
SCADA systems.

Industrial Cyber Physical Security Enhancement

Cevn Vibert

An Industrial Cyber Physical Security Advisor, Speaker, Solution Architect, Systems Manager and Consultant with over
20 years in industry, managing solutions and teams in a wide range of markets and industries. Cevn Vibert is well known
in the Security, Cyber, Automation and Industrial Information industries. Cevn is an Accredited Systems Architect and
Chartered IT Professional. Cevn recently created and managed the Critical Infrastructure Protection (CIP) Facility and the
TRUST Security Explorer Facility for Thales UK. Previously he has worked on projects with EDF, Sellafield, National Grid,
BP, KOC, Network Rail, Thames Water, Dwr Cymru, Welsh Water, London Underground, Jordans Ryvita, Shell, Ford and
many more.

Experienced with Industrial IT, Industrial IoT, Command and Control (C2) Systems, Control Rooms, System of Systems,
CCTV, Cyber, Access Control, Situational Awareness, Robust and Resilient Architectures, PLCs, SCADA, HSMs,
Encryption, Industrial Networks, Knowledge Databases, and Reporting Solutions.

Throughout his career, he has produced many papers, references, editorials and industry speaking and panel chairing
engagements. An active member of InstMC, IET, BCS, ISA, ISACA, IoD and other institutions, Cevn is continually
improving communities with information sharing and collaboration strategies.

Years of experience within the security threat environment have reinforced the necessity for converged Integrated
Holistic Security to manage both current and emerging threats. Situational Awareness solutions are key to providing
effective and timely response to incidents at Mission Critical facilities. Cevn advises and presents to CxOs, Boards,
Management or shop-floor teams on many security and industrial information subjects and strategies.

Global Director Industrial Cyber Security.
Vibert Solutions Limited.
CITP MIET MIMC MBCS MISA MISSA MCSA CERT210W MISACA MIoD
Southampton, UK.
cevn@VibertSolutions.com, +44(0)7909

Industrial Cyber Security is now deeply into a form of arms race. Defenders are
needing more defence tools and monitoring wizardry to detect and prevent attacks,
but only if they can afford the resource time and expertise costs. They are usually
seriously hampered by lack of budget and resources. Automation and Security
Vendors are building more and more complex systems to help the defenders, but
only if the defenders can afford the prices.

How to Assess Energy Infrastructure Cybersecurity
Eduardo Honorato
Munio Security, ICS Cybersecurity Director

Eduardo is a subject matter expert on cybersecurity solutions applied to industrial control systems. He has over 20 years
of industry experience with process automation, high availability architectures, industrial networks and application
software. Eduardo has executed many cybersecurity risk and vulnerability assessment projects for industries and energy
plants against the NIST framework, NERC CIP and ISA 62443 standards. He has expertise and experience developing and
designing holistic cybersecurity programs for industrial control systems leveraging proven IT technologies and industry
best practices. He has experience working closely with various stakeholders within an organization to develop detailed
implementation protocols, procedures and guidelines, and to help manage the lifecycle of a cybersecurity program. He is
currently ISA (International Society of Automation) Director of Cybersecurity in Brazil.

As the report says, the dynamics of the energy industry could be creating an
imminent cyber storm. As a first step, we need to understand how these companies
use technology in the automation of their work and how we can improve safety.

Introduction

Nowadays the world is full of high-potential, high-impact threats, as the many news stories of hacks and cyber crimes
show. Although most of the news concerns attacks on commercial companies, banks and other types of businesses, energy
infrastructure can be a very easy target for other governments, criminals and terrorist groups.

One point to understand is how the generation and delivery of energy works. Electricity is generated in power plants and
goes through a complex system, sometimes called a grid, of electrical substations, transformers, and power lines that
connect electricity producers and consumers. Most local grids are interconnected for commercial and reliability purposes,
forming larger, more reliable networks that enhance coordination and planning of the electricity supply. Below is an image
that best illustrates this explanation.

Enumerating SCADA Systems


Aditya Srivastava
Currently a Research Associate at Smokescreen Technologies (one of the leading companies providing deception
technology). Aditya holds a Bachelor of Technology in Computer Science Engineering with specialization in Cybersecurity
and Forensics by IBM and has recently graduated. Aditya has a keen interest in Cybersecurity, the Internet of Things (IoT)
and Artificial Intelligence, and aims to follow his passion and solve cybersecurity problems in the world, so that he can
help and contribute towards a safer future.

e-mail address: sriv.aditya22@gmail.com

Smokescreen Technologies’ website: smokescreen.io

The concern with Internet facing PLCs is that they can be targeted by adversaries to
breach the perimeter and come inside the network so that they can try to achieve
persistence and start scanning devices over the network, move laterally across and
get the stuff done that they intend to do, like bringing down the plant or creating a
natural disaster.

Introduction

In the last decade, we have seen that cybersecurity has become a matter of concern for everyone, be it an
organization, critical infrastructure or individual. Advances in technology have made more systems connect to
the internet, which has opened doors for adversaries to target them in the wild. Many SCADA systems have
been connected to the internet as well as real-time-data and remote-access needs have increased enormously,
and so has the number of connections into the control and automation systems. This has been further
enhanced by introduction of the Industrial Internet of Things (IIoT) and its components into both the control and
process layers (Level 0 and Level 1) of the Purdue model of industrial control system [1], as these often require
an Internet connection to distribute sensor, process and controls data in real time or near real time [2].

However, sometimes internet or cloud access is provided to the control layers by bypassing the firewall defense
established at the perimeter of the area zone of the Purdue model of industrial control systems [1], and therefore cyber
resilience is needed for these devices as well.

The Art of Staying Ahead of Trouble: Janus Thinking (pentesting for protection)

Bruce Williams
Bruce is a systems/telecommunications engineer with a Masters in Engineering Science from Sydney University,
Australia. He also has Diplomas in Adult Training and Sustainability. He spent 20 years as Assistant Director for the
Australian Department of Industry helping start-up companies in IT. He then switched to training and has spent 20 years
training adult learners in business and IT at TAFE Sydney and Southern Cross University on the Gold Coast.

The protection of computer assets is complex. This way of having a face scanning the assets with their vulnerabilities
helps with teaching. There are two skills: convergent thinking (narrowing down the options) and divergent thinking
(expanding the possibilities). A good analyst shifts between the two. The drill-down from the first figure to the assets with
their vulnerabilities is often hard. The first step was to see which assets were in the middle and in particular which ones
were critical. If you can do it for critical, you can do it for major and minor later on.

Introduction

In my efforts to teach cybersecurity I have developed Janus to teach how to look at the problems. The following
takes the standard and explains vulnerabilities. It breaks vulnerabilities into four groups and then looks at a
common pentest toolkit (Kali) to see if the vulnerabilities are visible to an attacker. When the pentest report is
written up the critical vulnerabilities get flagged and hopefully fixed. So pentesting is critical in seeing

Data Exfiltration Lab


Girshel Chokhonelidze

CISSP, Researcher, Assistant Professor - CyberSecurity

Red Cell Division - CSFI US

Chief IT Auditor at State Audit Office of Georgia

Data exfiltration, data extrusion and data theft are terms used to describe the unauthorized transfer of data from a
computer or other device. Data exfiltration can be conducted manually, by an individual with physical access to a device,
but it can also be an automated process conducted through malicious programming over a network.

Covert channel – Data Exfiltration with ICMP echo packet (PING)

While data exfiltration can be achieved using various techniques, it’s most commonly performed by cyber
criminals over the Internet or a network. These attacks are typically targeted, with the primary intent being to
gain access to a network or machine to locate and copy specific data.

Data exfiltration techniques:

• Physical

• Malware/Spyware

• Email

• Protocol Abuse

• File types

• Airgaps

Now, I want to show you one interesting way of building a data exfiltration covert channel: using the ICMP (ping) protocol
to send and receive data/files.

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is

Top 4 Reasons For Moving Your Cloud Application To The Edge
Marcell Gogan
Marcell Gogan is a specialist within digital security solution business design and development, virtualization and cloud
computing R&D projects, establishment and management of software research direction. He also loves writing about data
management and cybersecurity.

The need for faster data processing is one of the main reasons why computing is moving to the network edge. There are
millions of devices running cloud-based applications and generating extremely large amounts of data that need to be
stored and processed somewhere. Uploading all that data to the cloud, sending it to a centralized data center, processing
the requests coming from end users, and then sending the results back takes too much time and consumes too many
network resources. Edge architectures allow data to be processed closer to its source, thus improving the efficiency of
time-sensitive data processing.

Introduction

Despite the undoubted popularity of cloud technologies, the idea of distributed computing makes people wonder whether
they should move their computational load to the network edge. Storing huge amounts of data in a public cloud has proved
to be reasonably safe and cost-efficient. However, the use of the cloud for processing data creates additional challenges
for developers, such as increased latency.

When it comes to an IoT application or a SaaS platform development, latency becomes one of the main
challenges. Luckily, edge computing technologies may be able to solve this issue by taking some of the
computational load off of the centralized cloud.

In this article, we talk about the main differences between cloud and edge computing and take a closer look at
the top reasons for moving your cloud application to the edge of the network.

Cluster Bomb Storming on Web Application and Forestalling using Logic Based CAPTCHA
Mohamed Kameela Begum Majeeth
3rd year, B.Sc Computer Science
Trained Ethical Hacker and Hacking Forensic Investigator.
Developing skills to become a pentester.

Dikshika Naresh
3rd year, B.Sc Computer Science
Developing skills in secure programming.

This paper presents an approach for disabling cluster bomb attacks on the students’ intranet of a reputed college
website, thereby safeguarding students’ privacy and protecting the site from excessive unwanted network traffic. This
approach also enhances the security of the intranet against computer bots and automated attacks. We propose the usage
of a Logic Based CAPTCHA, a completely automated public test that tells humans and computer bots apart by making the
user answer simple questions. They are effective in stopping automated abuse, including cluster bomb attacks.

KEYWORDS:

Dictionary attack, Burp Suite, brute force attack, Logic Based CAPTCHA, cluster bomb

Exploiting The Entity: XXE (XML External Entity Injection)
Anand M
Email: anand@infysec.com

Company: www.infysec.com

In recent years, major tech giants like Google, Facebook, Magento, Shopify, Uber, Twitter and Microsoft have suffered
XML External Entity attacks on their major applications. One such vulnerability that has been around for many years is
XML external entity injection, or XXE. For example, this vulnerability can be used to read arbitrary files from the server,
including sensitive files such as the application configuration files. An XXE attack gave hackers read-only access to
Google’s production servers themselves. So far, major vulnerabilities like SQL injection and command injection have
played the main role in web application attacks, but XXE is also a major critical bug which helps an attacker gain access
to the server itself. The OWASP Top Ten also lists XXE as one of the critical vulnerabilities. This vulnerability is an
important one to understand because it exists by default in many popular XML parsers. To best explain and demonstrate
the exploitation of XXE, we must first start with the basics of XML. So let’s dig in deeper.


INTRODUCTION

What is XML?

XML STANDS FOR EXTENSIBLE MARKUP LANGUAGE

• XML is a markup language similar to HTML

• XML was designed to store and transport data

• XML was designed to be self-descriptive

• XML is a W3C Recommendation

XML Tree Structure

Extensible Markup Language (XML) is a feature rich and widely used information exchange format and
standard. The standard allows for defining the structure of the XML using a Document Type Declaration, or
DTD. The DTD provides a mechanism for defining entities whose values can be substituted into the XML
document contents. This is helpful when the entity value is used multiple times.


Here is a sample XML structure
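The sample structure shown here in the magazine was an image that is not reproduced in this extract. As an added example (not the article's own material), the following Python 3 snippet, using only the standard library, builds a small document whose internal DTD subset declares two general entities and shows how the parser substitutes them into element content: one entity is referenced three times, one entity's value references another entity, and one element uses the predefined entity &lt;. The <note> document and its element names are constructed for this example.

```python
"""Added example: substitution of DTD-declared internal entities.

Not from the article; the <note> document below is constructed to show the
"define once, use many times" behaviour that the DTD entity mechanism provides.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the internal DTD subset declares two general entities.
# &company; is used three times; &sig; itself contains a reference to &company;.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY company "Example Industries">
  <!ENTITY sig "Regards, &company; support">
]>
<note>
  <from>&company;</from>
  <to>&company;</to>
  <body>Ticket 5 &lt; 10 is still open.</body>
  <footer>&sig;</footer>
</note>
"""


def expanded_fields(xml_text: str) -> dict:
    """Parse the document and return {child_tag: text} after entity substitution.

    The standard-library parser (expat, wrapped by ElementTree) expands the
    predefined entity &lt; and the internal entities declared in the DTD,
    resolving nested references (&sig; -> &company;) along the way.
    """
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    for tag, text in expanded_fields(SAMPLE_XML).items():
        print(f"{tag:>7}: {text}")
```

Every occurrence of `&company;` comes back as the declared value, and `&sig;` is expanded recursively; changing the one declaration changes all uses, which is exactly the convenience the DTD entity mechanism offers and, as the following sections show, exactly the mechanism that becomes dangerous when the entity is declared with a SYSTEM identifier instead of a literal value.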

It's all about entities

The XML specification [1] describes several types of so-called entities. Many of them are familiar because entities are
usually what attacks on XML rely on, hence the name XML eXternal Entity (XXE) attacks:

• Predefined entities

• Internal entities

• External entities

• Internal parameter entities

• External parameter entities

So far, the third type of entity has been attacked most frequently (leaving DoS aside): by using various files of a file
system as the source of an external entity, it was possible (though not always) to read files of the file system via data
output in XML or via error output. Besides that, it was possible to conduct DoS attacks, brute force the content of a
parsed entity, or read files via a Document Type Declaration (DTD), which, if error output was enabled, displayed the
content of the read file.

XML 1.0 standard defines the structure of an XML document. The standard defines a concept referred to as an
entity, which is a storage unit of some type.

There are different types of entities, but the one we’re focusing on is the externally referenced entity. External entities
are valuable to attackers because they can access local or remote content via declared system identifiers, which makes
them the more critical attack on a web application.


So, let’s see how it works.

The way it works is simple: a SYSTEM identifier is declared. The identifier references the local file "/etc/passwd",
which discloses all users of the machine. The result of the entity 'xxe' (which includes the contents of /etc/passwd) is
included within the application’s failed login response.

• For IIS servers:

XXE Attacks

There are two primary types of XML injection:

• XXE attacks which include output within the server's response.

• Blind XXE - attacks which process an entity but do not include the results within the output. We must instead entice
the application server to ‘send us’ the response.

Attacking XML Parsers

Upon receiving user-supplied requests, application servers parse the provided data and process it to perform
some action. Examples include:

• Authentication

• Transferring money

• Updating a profile

Unfortunately, XML parsers are often misconfigured and enable the processing of external XML entities when the
developers did not intend to. In addition, no input validation occurs, which makes it possible to reach any content that an
entity references. This misconfiguration can result in the ability to access local system resources.

Let’s see a demonstration of how an XXE attack happens on a real-world application.


Proof of concept

Let’s see how an XXE injection vulnerability affects a real-world web application. This vulnerability will allow us to
access the password of the root user and help escalate privileges on the main system, so let’s begin!

• Step 1: Port scanning the application IP address

Port scanning of the network IP address is done using nmap for the enumeration process.

Command: nmap -A <IP address>. In my case, I will run the command nmap -A 10.10.10.78

Ports Enumerated

In the above image, we can see that ports 21, 22 and 80 have been enumerated with useful information. Port 21 (FTP)
allows anonymous FTP login, which is a useful piece of information, as we can log in without a password and grab the
test.txt file for any useful information.

• Step 2: Logging in to FTP as anonymous


After logging into the FTP server using anonymous login, we can clearly see a test.txt file which may contain valid
information; use the get command to download the file.

We clearly see that the test.txt file has XML data inside it, and the XML data contains subnet information. Then open the
target IP in a web browser. By opening the IP address we can clearly see the Apache2 Ubuntu default page on port 80.

For the moment, we couldn’t see any valid information on the pages, because it is the Apache default specification page
and doesn’t have any pages apart from the spec pages or links, so we need to try another method to get access to critical
information on the system.


• Step 3: Directory brute force using DirBuster

When I found nothing on port 80, I thought of using DirBuster, and with a directory brute force attack on the application I
was able to enumerate certain pages on the web server. So, I found a page called /hosts.php.


• Step 4: Intercepting using Burp Suite

Accessing the hosts.php file in the web browser, I found a valid piece of information, “There are 4294967294 possible
hosts for”, about the hosts connected with the server, as shown in the above image. So, I searched Google for 4294967294
hosts, which is related to the 255.255.255.254 subnet mask found in the test.txt file above.

It means that the test.txt file can be used in the request to proceed with a possible XXE attack on the server of the web
application.

So, let’s capture the request and send the intercepted data to the Repeater.

So, let’s try the XML from the test.txt file which we got from the FTP login. Add the XML content in the Repeater and wait
for a response to show the result.

We clearly see that the XXE payload added to the XML from test.txt gets executed and, luckily, we found that the
application is vulnerable to XXE injection.

• Step 5: Exploiting XXE payload on the application

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////etc/passwd" >]>
<details>
<subnet_mask>&xxe;</subnet_mask>
<test></test>
</details>

Now we can simply exploit it to fetch the /etc/passwd file with the help of the XXE script above and then check its
response.

The above image shows that we were able to access the /etc/passwd file on the Ubuntu server. This clearly shows a
successful attack and also enumerated two local usernames.


• Step 6: Digging deeper to get more information to gain access

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////home/florian/.ssh/id_rsa" >]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>

By running the above XXE payload, we can get the id_rsa file through the XXE script mentioned above.


Finally, we got the SSH private key successfully. Copy the key and save it as a text file, then give permission 600 to the
saved key (id_rsa) and try to connect with SSH, as we knew port 22 is open in the victim’s network, which was enumerated
during port scanning.

Wow! We finally got into the system using the SSH private key obtained from the XXE payload; we gained complete access
to the server.

The impact of this vulnerability shows how dangerous it is: it allows an attacker to gain complete control of the system,
escalate privileges, perform denial-of-service attacks against the server, and so on.


Recommendation

• XML parsers are vulnerable to XML external entity injection (XXE) by default. The best solution would be to configure
the XML processor to use a local static DTD.

• Disallow any DTD declared inside the XML document.

• If external entities aren’t required, disable them completely.

• All user input should go through a sanitization process.

• Encode user input in such a way that entities cannot be defined through it.

• Use less complex data formats such as JSON and avoid serialization of sensitive data.

• Patch or upgrade all XML processors and libraries in use by the application or on the operating system.

• Use a dependency checker. Update SOAP to SOAP 1.2 or higher.

• Implement positive (whitelisting) server-side input validation, filtering or sanitization to prevent hostile data within
XML documents, headers or nodes.

• Verify the validation process of the XML or XSL file upload function.
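The first three recommendations (a static DTD or none at all, refusing any DTD declared in the input, and disabling external entities), together with the parser misconfiguration described under "Attacking XML Parsers", can be made concrete in code. The following is an added example, not the article's or any project's code: a parser for untrusted XML built on Python 3's standard-library expat bindings that refuses a DOCTYPE, any entity declaration and any external entity reference before anything is expanded. The <details> documents are constructed to mirror the shape used in the walkthrough, and the file path in the external-entity sample is a placeholder, not a real target.

```python
"""Added example (not from the article): a hardened parser for untrusted XML.

Python's expat does not fetch external entities unless an ExternalEntityRefHandler
is installed, but relying on that default leaves the policy implicit. Here every
DTD-related hook is wired to an explicit refusal, so the policy is visible,
testable, and also blocks internal-entity expansion bombs.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted input uses a DTD, declares an entity, or references
    an external entity."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse a flat document such as <details><subnet_mask>..</subnet_mask></details>
    into {leaf_tag: text}, refusing DTD and entity features before expansion.

    allow_dtd=False: any <!DOCTYPE ...> is rejected outright (strict, recommended).
    allow_dtd=True:  a DOCTYPE with only an internal subset is tolerated, but every
                     entity declaration and external reference is still rejected.
    """
    parser = expat.ParserCreate()
    stack = []      # one [tag, text_chunks, has_child_elements] entry per open element
    fields = {}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")
        if sysid or pubid:
            raise UnsafeXMLError("external DTD subsets are not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        raise UnsafeXMLError(f"{kind} entity {name!r} declared in untrusted input")

    def external_entity_ref(context, base, sysid, pubid):
        return 0    # 0 tells expat to abort the parse instead of fetching sysid

    def start_element(tag, attrs):
        if stack:
            stack[-1][2] = True
        stack.append([tag, [], False])

    def char_data(text):
        if stack:
            stack[-1][1].append(text)   # expat may deliver one text run in pieces

    def end_element(tag):
        tag, chunks, has_child = stack.pop()
        if not has_child:
            fields[tag] = "".join(chunks)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Syntax errors and an aborted external reference both end up here.
        raise UnsafeXMLError(f"malformed or unsafe XML: {exc}") from exc
    return fields


def is_rejected(data: bytes, allow_dtd: bool = False) -> bool:
    """True if the policy refuses the document, False if it parses cleanly."""
    try:
        parse_untrusted_xml(data, allow_dtd)
    except UnsafeXMLError:
        return True
    return False


# Constructed inputs. BENIGN_DOC mirrors the <details> structure from the
# walkthrough; EXTERNAL_ENTITY_DOC has the same shape as the article's payload
# but points at a placeholder path; INTERNAL_ENTITY_DOC declares a harmless
# internal entity, which the policy still refuses because the declaration
# itself comes from untrusted input.
BENIGN_DOC = b"""<?xml version="1.0"?>
<details><subnet_mask>255.255.255.254</subnet_mask><test>a &lt; b</test></details>"""

EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret" > ]>
<details><subnet_mask>&xxe;</subnet_mask><test></test></details>"""

INTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE details [ <!ENTITY mask "255.255.255.254"> ]>
<details><subnet_mask>&mask;</subnet_mask></details>"""

if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN_DOC))
    for label, doc in (("external", EXTERNAL_ENTITY_DOC), ("internal", INTERNAL_ENTITY_DOC)):
        print(label, "strict:", is_rejected(doc), "dtd-tolerant:", is_rejected(doc, allow_dtd=True))
```

The strict mode is the one to deploy: a request body that legitimately needs a DOCTYPE is rare, and refusing it at the first byte of the declaration means no entity is ever expanded and nothing is ever fetched. The DTD-tolerant mode is there for the case the recommendations mention, a local static DTD the application controls, and even then the entity handlers keep any declaration or external reference supplied by the client from being honoured. Predefined entities such as &lt; are unaffected, so ordinary escaped data still parses.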

Conclusion

XXE is not a new vulnerability but an existing one that has gained more attention in recent years in web applications. A
successful XXE injection attack could result in massive damage to both security and business functionality. The controls
above are among the better ways to prevent XXE attacks; which of them apply depends on the misconfiguration that
exposes the application. Developers should pay more attention to the security side, so that the application and the server
can be protected to the maximum extent. If these controls are not possible on the application, consider using virtual
patching, API security gateways, Web Application Firewalls (WAF), or Interactive Application Security Testing (IAST)
tools to detect, monitor, and block XXE attacks.

References

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

http://www.ws-attacks.org/XML_External_Entity_DOS

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet


Zero Login Technologies: Is Biometrics Safer Than Passwords?
Marcell Gogan
Marcell Gogan is a specialist within digital security solution business design and development, virtualization and cloud
computing R&D projects, establishment and management of software research direction. He also loves writing about data
management and cybersecurity.

This new authentication method acts as an alternative to the traditional two-factor authentication where you need to first
enter a password and then prove the fact of possessing a particular device remembered by the system. With technologies
similar to the one invented by TypingDNA, you are no longer dependent on particular devices for verifying your identity –
your unique behavior patterns will do the job.

Introduction

In the last three years, the world saw numerous data breaches resulting in millions of compromised accounts:
Equifax, Yahoo, MyFitnessPal. Traditional passwords aren’t safe enough and their use isn’t that comfortable for
users.

Understanding the lack of security behind traditional passwords, people started to look for an alternative
solution. One of these solutions is an innovative approach to the authentication process – zero login.

But what are zero login techniques, how are they used these days, and what are their main pros and cons of
biometrics vs traditional methods of authorization? Keep on reading to get answers to all these questions.

Zero login: a new authentication technology

Zero login is a common term for innovative authentication techniques allowing for a fast, easy, and highly
secure method of user identification. This term refers to the idea of our devices and applications being smart
enough to “recognize” a particular user without requiring any passwords or codes.

Traditional passwords are just the most commonly used form of so-called knowledge-based authentication. The main
idea behind this process is that a particular user possesses some very particular knowledge. It may be a password, a
Social Security number, or your mother’s maiden name. Unfortunately, knowledge-based
