Marcin Piosek

Second book

2023-09-05T20:20:01+00:00

Together with several other authors, I had the opportunity to co-create the second book in my career, Wprowadzenie do bezpieczeństwa IT (also known as Introduction to IT Security). The book is written in Polish and covers a broad range of topics in the field of IT security.

It is intended for readers such as:

IT managers interested in IT security
Individuals working in IT who want to learn current security recommendations
Those taking their first steps in technical IT security
People responsible for implementing security measures in organizations
Pentesters who want to expand their knowledge in different areas of IT security

My chapter, titled Penetration Testing, has the following introduction:

The “Penetration Testing” chapter was created for those who wish to acquire or organize knowledge related to the essence and the process of conducting penetration tests from an organizational standpoint. In this chapter, I will outline the individual steps that need to be taken to define the scope of work, choose the appropriate methodology, and set requirements for the summary report. The information provided here should suffice for independently coordinating penetration tests from defining the scope to accepting the work.

The knowledge presented in this chapter is based on experience from over 550 penetration tests conducted in 2021 and 750 completed projects in 2022. In each case, I was the person responsible for defining the scope of work and assisting with problem-solving during their execution.

The goal of this text is not to convey knowledge about all possible techniques for conducting penetration tests, nor to discuss the career path of a pentester. Readers of this chapter do not need any experience other than what comes from working in the broadly defined IT industry.

Authors of the individual chapters are:

On Ethics in Hacking (Gynvael Coldwind)
What Every Administrator Should Know About Web Application Security (Michał Sajdak)
Android – System Security and Basic Penetration Testing of Mobile Applications (Marek Rzepecki)
iOS – System Security and Basic Penetration Testing of Mobile Applications (Marek Rzepecki)
Penetration Testing (Marcin Piosek)
Introduction to Cyber Threat Intelligence (Bartosz Jerzman)
Threat Modeling and Risk Analysis of Applications (Łukasz Basa, Wiktor Sędkowski)
Introduction to the MITRE ATT&CK® Framework (Wojciech Lesicki)
Cryptology at a Glance (Iwona Polak)
Introduction to the Security of Industrial Control Systems (ICS/OT) (Marcin Dudek)
Data Security at Rest – Encryption and Data Deletion (Krzysztof Wosiński)
OSINT – An Introduction (Tomasz Turba)
Physical Security – Asset Protection (Tomasz Dacka)
Modern Fuzzing (Marek Zmysłowski)
Email Message Authentication Mechanisms – SPF, DKIM, and DMARC (Grzegorz Trawiński)
Hashcat - Racing Against Time in a Balance of Forces and Resources (Konrad Jędrzejczyk)
Introduction to the Metasploit Tool (Piotr Ptaszek)
PowerShell in Offense (Paweł Maziarz)

More information:

Book

2019-11-29T15:20:01+00:00

Together with the Sekurak.pl team, we released a book titled Bezpieczenstwo aplikacji webowych (book page; PL only), in which I wrote several chapters, including:

Authentication, session management, and authorization
Advantages and disadvantages of OAuth 2.0 from a security perspective
The SameSite flag: how does it work, and what does it protect against?
Burp Suite Community Edition: an introduction to the HTTP proxy
The Path Traversal vulnerability
Command Injection and Code Injection vulnerabilities
Introduction to WebSocket security

Table of contents: download PDF.

Hunting for Webshells

2017-08-17T16:43:37+00:00

When you maintain many web applications on your server, sooner or later you may encounter a nasty surprise in the form of an unwanted addition to one of them. These additions are, of course, backdoors, and in the case of web applications the term “webshell” is used more often. Such a piece of code, uploaded to a server through an application vulnerability, allows unauthorized access to files on the server. In many cases, the attacker can also execute arbitrary commands on the compromised machine. The probability of such a situation rises dramatically when you maintain an application based on one of the popular CMSs, such as Joomla or WordPress. If you suspect that someone has gained unauthorized access to your server, how can you solve the problem, locate the threat, and remove it? This is explained in an article entitled “Webshells,” published in the Sekurak ZIN #4 and later on the sekurak.pl portal.

Hardening WordPress

2016-11-29T15:19:27+00:00

The most popular CMS, thousands of plugins and themes, and millions of users - this is WordPress. The question is whether, alongside the enormous number of features that WordPress offers right after installation, it also provides adequate security. Although today’s threats to WordPress mostly come from poor-quality plugins and themes, it is still a good idea to take a few steps to improve the overall security of a WordPress instance.

By reading the article “Hardening WordPress,” published in the “Programista” 11/2016 magazine, the reader can learn, among other things, how to stop WordPress from disclosing unnecessary information and what threats may result from user enumeration. In addition, the text explains step by step how to enable two-factor authentication using Google Authenticator, and how an attacker can move from a Cross-site Scripting vulnerability to Remote Code Execution by using the plugin and theme editor.

Update Jul 7, 2017: this article was published on sekurak.pl.

OAuth 2.0 Security

2016-10-26T16:39:37+00:00

While reading RFC6749, one may get the impression that it is a document describing general guidelines for building support for OAuth 2.0. This observation is consistent with the title, which includes the word “framework”. OAuth 2.0 is therefore not a collection of strict and precisely defined rules. Leaving some freedom in how RFC6749 is interpreted creates more room for implementation mistakes. That is why the need arose for an article that would comprehensively explain what the second version of the OAuth standard is and what threats are associated with it. To meet the needs of people responsible for implementing and testing OAuth 2.0-based solutions, I prepared an article published in the “Programista” 10/2016 journal.

Before discussing the framework itself, the reader gets a brief refresher on the meaning of the most important terms. This includes, among other things, a precise explanation of the differences between “authentication” and “authorization”.

This article covers the following topics:

The rules governing OAuth 2.0
The advantages of using this authorization method
What OAuth is not, including issues related to using OAuth for authentication
Methods that can be used to obtain a token
Which token acquisition method should be chosen for a given usage scenario
Common security mistakes in OAuth 2.0, along with practical examples
OAuth in the mobile app environment (including PKCE and the threats stemming from the use of WebView)

The article concludes with a long list of questions that should be asked during threat modeling for applications using OAuth 2.0.

Update Feb 13, 2017: this article was published on sekurak.pl.

Introduction to WebSocket Security

2016-09-18T04:39:37+00:00

The development of web applications has made it increasingly necessary to implement solutions that allow asynchronous data exchange between the client and the server. One of the proposed approaches was the use of the “long polling” technique; later, AJAX appeared in web browsers. These approaches seemed sufficient, but there was still room for improvement. This was particularly evident because there were no methods for truly asynchronous communication in which, once a connection had been established, either side could decide when to send a data packet. To meet this need, the WebSocket protocol was created.

As with most new technologies, WebSocket comes with specific security risks. To draw attention to them, I prepared a text that was published in the “Programista” 9/2016 magazine. In it, the reader can learn, among other things:

How does WebSocket work?
What is the security of data transferred using this protocol?
What are the risks associated with using WebSocket (bypass authentication, bypass authorization, Same Origin Policy issues, injections, server resource exhaustion, and more).
How to test applications using WebSocket with OWASP Zaproxy.

At the end of the article, the reader will find a list of questions that should be asked during the security review of an application based on WebSocket.

Update Feb 2, 2017: This article was published on sekurak.pl.