Second book

Together with several other authors, I had the opportunity to co-create the second book of my career, “Wprowadzenie do bezpieczeństwa IT” (“Introduction to IT Security”). The book is written in Polish and covers a broad range of topics in the field of IT security. It is targeted at audiences such as:

1) IT managers interested in IT security
2) Individuals from the IT field wanting to learn current security recommendations
3) Those taking their first steps in the area of technical IT security
4) People responsible for implementing security measures in organizations
5) Pentesters wanting to expand their knowledge in different areas related to IT security

My chapter, titled “Penetration Testing”, has the following introduction:

The “Penetration Testing” chapter was created for those who wish to acquire or organize knowledge related to the essence and the process of conducting penetration tests from an organizational standpoint. In this chapter, I will outline the individual steps that need to be taken to define the scope of work, choose the appropriate methodology, and set requirements for the summary report. The information provided here should suffice for independently coordinating penetration tests from defining the scope to accepting the work.

The knowledge presented in this chapter is based on experience from over 550 penetration tests conducted in 2021 and 750 completed projects in 2022. In each case, I was the person responsible for defining the scope of work and assisting with problem-solving during their execution.

The goal of this text is not to convey knowledge about all possible techniques for conducting penetration tests, nor to discuss the career path of a pentester. Readers of this chapter do not need any experience other than what comes from working in the broadly defined IT industry.

Authors of the individual chapters are:

  1. On Ethics in Hacking (Gynvael Coldwind)
  2. What Every Administrator Should Know About Web Application Security (Michał Sajdak)
  3. Android – System Security and Basic Penetration Testing of Mobile Applications (Marek Rzepecki)
  4. iOS – System Security and Basic Penetration Testing of Mobile Applications (Marek Rzepecki)
  5. Penetration Testing (Marcin Piosek)
  6. Introduction to Cyber Threat Intelligence (Bartosz Jerzman)
  7. Threat Modeling and Risk Analysis of Applications (Łukasz Basa, Wiktor Sędkowski)
  8. Introduction to the MITRE ATT&CK® Framework (Wojciech Lesicki)
  9. Cryptology at a Glance (Iwona Polak)
  10. Introduction to the Security of Industrial Control Systems (ICS/OT) (Marcin Dudek)
  11. Data Security at Rest – Encryption and Data Deletion (Krzysztof Wosiński)
  12. OSINT – An Introduction (Tomasz Turba)
  13. Physical Security – Asset Protection (Tomasz Dacka)
  14. Modern Fuzzing (Marek Zmysłowski)
  15. Email Message Authentication Mechanisms – SPF, DKIM, and DMARC (Grzegorz Trawiński)
  16. Hashcat - Racing Against Time in a Balance of Forces and Resources (Konrad Jędrzejczyk)
  17. Introduction to the Metasploit Tool (Piotr Ptaszek)
  18. PowerShell in Offense (Paweł Maziarz)

For more information about the book you can:

  • visit https://wydawnictwo.securitum.pl/ksiazka-wprowadzenie-do-bezpieczenstwa-it-tom-1,
  • download the media kit from https://cdn.sekurak.pl/ksiazka2/mediakit-ksiazka-wdbit.pdf.

Book

Together with the Sekurak.pl team, we have released a book called “Bezpieczeństwo aplikacji webowych” (Web application security; https://sklep.securitum.pl/ksiazka-bezpieczenstwo-aplikacji-webowych; PL only), in which I wrote several chapters, such as:

1) Authentication, session management and authorization
2) Advantages and disadvantages of OAuth 2.0 from a security perspective
3) SameSite flag - how does it work and what does it protect against?
4) Burp Suite Community Edition - introduction to HTTP proxy
5) Path Traversal vulnerability
6) Command Injection and Code Injection vulnerabilities
7) Introduction to WebSocket security

Table of contents: Bezpieczenstwo-aplikacji-webowych-Spis-tresci.pdf

Hunting for Webshells

When you maintain a lot of web applications on your server, sooner or later you may encounter a nasty surprise in the form of an unwanted add-on included in an application. These add-ons are of course backdoors, and in the case of web applications the term “webshell” is used more often. Such a code fragment, uploaded to a server through a vulnerability in an application, allows unauthorized access to files on the server; the attacker can usually also execute arbitrary commands on the compromised server. The probability of such a situation rises dramatically when you maintain an application based on one of the popular CMSs, Joomla or WordPress. If you suspect that someone has obtained unauthorized access to your server, how can you solve the problem, locate the threat and remove it? This is explained in an article entitled “Webshells”, published in Sekurak ZIN #4 and later on the sekurak.pl portal.
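As an added illustration of the “locate the threat” step (example code written for this page, not taken from the “Webshells” article), the script below scores PHP files under a web root by two signals a defender can combine: content indicators typical of webshells (execution sinks, decode wrappers, request data flowing into the same file) and an integrity baseline of known-good file hashes. The sample web root, the baseline and the indicator regexes are constructed assumptions; the backdoor-like sample file exists only so the scanner has something to flag.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Heuristic indicators seen in PHP webshells (assumed, not an exhaustive signature set):
# execution sinks, decode/inflate wrappers used for obfuscation, and request data.
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
BACKTICK_EXEC = re.compile(r"`[^`\n]*\$[^`\n]*`")          # `cmd $var` shell execution
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
REQUEST_DATA = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar", ".inc")


@dataclass
class Finding:
    path: str                 # path relative to the web root
    score: int                # higher means more suspicious
    reasons: List[str] = field(default_factory=list)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def analyze_file(root: str, path: str, baseline: Dict[str, str]) -> Finding:
    """Score one PHP file by content indicators and by integrity against the baseline."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        src = f.read()
    score, reasons = 0, []
    has_sink = bool(EXEC_SINK.search(src) or BACKTICK_EXEC.search(src))
    has_input = bool(REQUEST_DATA.search(src))
    if has_sink:
        score += 2
        reasons.append("code/command execution call")
    if OBFUSCATION.search(src):
        score += 2
        reasons.append("decode/inflate wrapper (possible obfuscation)")
    if has_input:
        score += 1
        reasons.append("reads request data")
    if has_sink and has_input:
        score += 3
        reasons.append("request data and execution sink in the same file")
    digest = sha256_file(path)
    if rel not in baseline:
        score += 2
        reasons.append("file not present in integrity baseline")
    elif baseline[rel] != digest:
        score += 3
        reasons.append("content differs from integrity baseline")
    return Finding(rel, score, reasons)


def scan_tree(root: str, baseline: Dict[str, str]) -> List[Finding]:
    """Walk the web root and return suspicious PHP files, most suspicious first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                finding = analyze_file(root, os.path.join(dirpath, name), baseline)
                if finding.score > 0:
                    findings.append(finding)
    return sorted(findings, key=lambda f: -f.score)


def build_sample_site() -> Tuple[str, Dict[str, str]]:
    """Constructed sample web root plus a baseline of known-good hashes (assumed data)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        # legitimate plugin that was modified after the baseline was taken
        "wp-content/plugin.php": "<?php echo htmlspecialchars($_GET['q'] ?? '');\n",
        # constructed sample resembling a dropped backdoor (present for detection only)
        "wp-content/uploads/.cache.php": "<?php @eval(base64_decode($_POST['c'])); ?>\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    baseline = {
        "index.php": hashlib.sha256(files["index.php"].encode()).hexdigest(),
        # hash recorded from the original, untampered plugin
        "wp-content/plugin.php": hashlib.sha256(b"<?php echo 'ok';\n").hexdigest(),
    }
    return root, baseline


if __name__ == "__main__":
    site, known_good = build_sample_site()
    for f in scan_tree(site, known_good):
        print(f"{f.score:2d}  {f.path}: {', '.join(f.reasons)}")
```

The integrity baseline is what makes this practical on a CMS: a pristine WordPress or Joomla install plus its vetted plugins is hashed once after deployment, so anything that later appears in an uploads or cache directory, or that changed without an update, surfaces even when the content indicators alone would be noisy.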

Hardening WordPress

The most popular CMS, thousands of plugins and templates, millions of users - this is WordPress. The question arises whether, along with the enormous number of functionalities that WordPress offers right after installation, it also provides adequate security. Although the main source of threats to WordPress lies in poor-quality plugins and templates, it’s a good idea to take a few steps to improve the overall security level of one’s WordPress instance.

From the article “Hardening WordPress”, published in the “Programista” 11/2016 magazine, the reader may learn, among other things, how to stop WordPress from disclosing redundant information and what threats ensue from user enumeration. In addition, the text provides a step-by-step explanation of how to enable two-factor authentication using Google Authenticator, and how an attacker can proceed from a Cross-site Scripting vulnerability to Remote Code Execution using the plugin and template editor.

Update Jul 7, 2017: this article was published on sekurak.pl.

OAuth 2.0 Security

While reading RFC 6749, one may get the impression that it is a document describing general guidelines whose implementation allows one to build an OAuth 2.0 system. This observation is consistent with the title of the document, which contains the word “framework”. The OAuth 2.0 standard is therefore not a collection of strict and precisely defined rules. Leaving some freedom in the interpretation of RFC 6749 directly translates into a larger number of places in which those responsible for implementing the standard may make mistakes. Hence the need arose for an article that comprehensively explains what exactly the second version of the OAuth standard is and what its potential threats are. To meet the needs of those responsible for implementing and testing OAuth 2.0 solutions, I prepared an article, which was published in the “Programista” 10/2016 journal.

Before discussing the framework itself, the reader is given a short refresher on the most important terms, including a precise explanation of the difference between “authentication” and “authorization”.

This article handles the following issues:

• The rules of OAuth 2.0 operation,
• What advantages we gain by applying this method of authorization,
• What OAuth is not, that is, matters related to using OAuth for authentication,
• Methods which we can use for obtaining a token,
• Which method of obtaining a token we should choose for a given usage scenario,
• What security errors we can make using OAuth 2.0 - a list of vulnerabilities along with practical examples,
• OAuth in the mobile app environment (inter alia PKCE and the threats stemming from the use of WebView).

The culmination of the text is a long list of questions which should be asked during threat modeling of applications using OAuth 2.0.

Update Feb 13, 2017: this article was published on sekurak.pl.
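To make the PKCE item in the list above concrete, here is an added example (written for this page, not code from the article or from any OAuth library) modelling the two PKCE checkpoints on a minimal in-memory authorization server: the challenge is bound to the authorization code at /authorize, and the verifier is checked and the code consumed at /token. The client id, redirect URI and the `AuthorizationServer` class are assumptions; the `code_challenge_s256` derivation is the one defined in RFC 7636, and the usage note checks it against the verifier/challenge pair published in that RFC's appendix.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


class PkceError(Exception):
    """Raised when an authorization or token request fails one of the checks below."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 requires 43..128 unreserved characters; 32 random bytes encode to 43.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), per RFC 7636
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    challenge: str


class AuthorizationServer:
    """Minimal in-memory model of the PKCE checks (assumed design, not a real server)."""

    def __init__(self) -> None:
        self._codes: Dict[str, PendingCode] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        # With method=plain the challenge equals the verifier, so anyone who observes the
        # authorization request can complete the exchange; accept S256 only.
        if method != "S256":
            raise PkceError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = PendingCode(client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str,
              redirect_uri: str) -> Dict[str, str]:
        pending = self._codes.pop(code, None)       # single use: a replayed code fails
        if pending is None:
            raise PkceError("unknown or already used authorization code")
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise PkceError("client_id/redirect_uri differ from the authorization request")
        if not 43 <= len(code_verifier) <= 128:
            raise PkceError("code_verifier length out of range")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), pending.challenge):
            raise PkceError("code_verifier does not match code_challenge")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def try_exchange(server: AuthorizationServer, client_id: str, code: str,
                 verifier: str, redirect_uri: str) -> bool:
    """True if the token endpoint accepts the exchange, False if it rejects it."""
    try:
        server.token(client_id, code, verifier, redirect_uri)
        return True
    except PkceError:
        return False


def demo() -> Dict[str, bool]:
    """Legitimate flow, a replayed code, an intercepted code without the verifier, plain method."""
    server = AuthorizationServer()
    client, redirect = "mobile-app", "myapp://callback"     # assumed values

    verifier = make_code_verifier()
    code = server.authorize(client, redirect, code_challenge_s256(verifier))
    legitimate = try_exchange(server, client, code, verifier, redirect)
    replayed = try_exchange(server, client, code, verifier, redirect)

    # A second flow whose redirect (and thus the code) is observed by another app on the
    # device: without the verifier, which never left the legitimate client, the code is useless.
    code2 = server.authorize(client, redirect, code_challenge_s256(make_code_verifier()))
    intercepted = try_exchange(server, client, code2, make_code_verifier(), redirect)

    try:
        server.authorize(client, redirect, "anything", method="plain")
        plain_rejected = False
    except PkceError:
        plain_rejected = True

    return {"legitimate_client": legitimate, "replayed_code": replayed,
            "intercepted_code_without_verifier": intercepted, "plain_method_rejected": plain_rejected}
```

Note that the verifier is compared with `hmac.compare_digest` rather than `==`, and that the code is removed from the store before any check runs, so a failed attempt also invalidates the code for everyone; a legitimate client that then fails is itself a useful signal that someone else saw the redirect.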

Introduction to WebSocket Security

The development of web applications has made it increasingly necessary to implement solutions that allow asynchronous data exchange between the client and the web server. One of the proposed solutions was the “long polling” technique; later, AJAX arrived in web browsers. These approaches seemed sufficient, but there was still room for improvement. In particular, there was no method of truly asynchronous communication in which, once a connection was established, either party could decide when to send a data packet. To meet this need, the WebSocket protocol was created.

As with most new technologies, WebSocket comes with specific security risks. To draw attention to them, I prepared a text that was published in the “Programista” 9/2016 magazine. From it the reader may learn, among other things:

• How does WebSocket work?
• How secure is the data transferred using this protocol?
• What are the risks associated with using WebSocket (authentication bypass, authorization bypass, Same Origin Policy issues, injections, server resource exhaustion, and more)?
• How to test applications using WebSocket with OWASP Zaproxy.

At the end of the article the reader will find a list of questions that should be asked during a security review of an application based on WebSocket.

Update Feb 2, 2017: this article was published on sekurak.pl.
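Two of the risks listed above, authentication bypass and Same Origin Policy issues, are decided at the WebSocket handshake, before any frame is exchanged. The following added example (written for this page, not code from the article) shows a handshake validator that authenticates the session cookie and compares the Origin header exactly against an allowlist, then computes the Sec-WebSocket-Accept value defined in RFC 6455. The allowlist, the session store, the cookie name and the sample browser headers are constructed assumptions; treating a missing Origin as untrusted is this example's policy choice.

```python
import base64
import hashlib
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed value from RFC 6455
DEFAULT_PORTS = {"http": 80, "https": 443}

ALLOWED_ORIGINS = ["https://app.example.com"]          # assumed deployment value
SESSIONS = {"s3cr3t-session-id": "alice"}              # constructed session store

# Constructed handshake headers, as a browser on the application's own page would send them
SAMPLE_HEADERS = {
    "Host": "app.example.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
    "Origin": "https://app.example.com",
    "Cookie": "session=s3cr3t-session-id",
}


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept as defined in RFC 6455: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def normalize_origin(origin: str) -> Optional[Tuple[str, str, int]]:
    """(scheme, host, port) for comparison, or None if the value is not a well-formed origin."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.path not in ("", "/"):
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:                      # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname, port)


def origin_allowed(origin: str, allowed: Iterable[str]) -> bool:
    # Exact match on scheme, host and port. Prefix or substring matching is the classic
    # mistake that lets https://app.example.com.attacker.test through.
    norm = normalize_origin(origin)
    return norm is not None and norm in {normalize_origin(a) for a in allowed}


def parse_cookies(header: str) -> Dict[str, str]:
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_handshake(headers: Dict[str, str], allowed_origins: Iterable[str],
                     sessions: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (HTTP status, response headers); only 101 upgrades the connection."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return 400, {}
    key = h.get("sec-websocket-key")
    if not key:
        return 400, {}
    # Browsers always send Origin. Checking it stops a page on another site from opening an
    # authenticated socket with the victim's cookies (cross-site WebSocket hijacking).
    origin = h.get("origin")
    if origin is None or not origin_allowed(origin, allowed_origins):
        return 403, {}
    # Authenticate at the handshake, not after the first message: an upgraded socket with
    # no identity attached is how authentication bypass shows up in practice.
    if sessions.get(parse_cookies(h.get("cookie", "")).get("session", "")) is None:
        return 401, {}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_key(key)}


def demo() -> Dict[str, int]:
    """Status codes for a same-origin request, a cross-site one, and one without a session."""
    cross_site = dict(SAMPLE_HEADERS, Origin="https://app.example.com.attacker.test")
    no_session = {k: v for k, v in SAMPLE_HEADERS.items() if k != "Cookie"}
    return {
        "same_origin": handle_handshake(SAMPLE_HEADERS, ALLOWED_ORIGINS, SESSIONS)[0],
        "cross_site": handle_handshake(cross_site, ALLOWED_ORIGINS, SESSIONS)[0],
        "no_session": handle_handshake(no_session, ALLOWED_ORIGINS, SESSIONS)[0],
    }
```

The Origin check is deliberately a tuple comparison rather than a string prefix test, and the session lookup happens before the 101 is sent, so the per-message handlers can assume an authenticated user and concentrate on the authorization and injection checks that the article's review questions cover.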