ECDH_SHA2_NISTP256 (KEX) Algorithm in SSH – Vulnerabilities?

My organization within my company uses this KEX Algorithm in our SSH Implementation.

Another organization within my company won’t connect to our servers as long as this algorithm is implemented as they claim it is “weak and vulnerable”. They referenced this article:https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7966.pdf which is interesting because nothing in there mentions it??

Could anyone help me understand the vulnerabilities of this KEX Algorithm? If it was diffie-hellman-group1-sha1 I’d understand, but ECDH_SHA2_NISTP256 I don’t. It uses NIST Curve P256 and also uses SHA2 – SHA256.

I’m very keen to understand what the problem with this algorithm is… thanks for the help!

Which web vulnerabilities should I test for when pentesting a static site?

I have a static-page website that I need to pentest. What I mean by this is that the site does not have a database, and it has no area to submit user input except for to a third party payment service that is managed entirely by them.

I have actually done web app pentesting before and found vulnerabilities such as XSS, CSRF, IDOR, and DoS. However, these were web apps where content was being reflected back to the page, and a user was “logged in.”

Off the top of my head, I can think of:

  1. Exposed/improperly protected admin panels
  2. Directory traversal
  3. Weak admin credentials on the host accounts/admin controls

Aside from those issues, I am having a difficult time coming up with other vulnerabilities to look for on a static site where user input is not collected or reflected, there is no notion of an “account”, and etc… The site does use PHP 7 on Apache, but the site is rather basic compared to many of the modern “web app” sites which utilize OAuth, social media login, reflect content back to the page, and so on.

Note: I did see Which security measures make sense for a static web site? but that post is more from a “blue team” standpoint, whereas I am asking for pentesting advice, not advice for how to secure the site.

Hardware vulnerabilities vs software threats

What are the key differences between them?

I find both of them would also be able to retrieve data from the host system and both also could cause harm. I do not understand why there are people who say hardware vulnerabilities post the greatest threat in the cybersecurity and vice versa.

For software, the threat would be ransomware. For hardware would be Meltdown and Spectre.

How to deal with a company that doesn’t fix (potential) security vulnerabilities in their web app?

About 2 weeks ago, I stumbled across a web application, that can be used by gyms to manage the information about their members. This includes data like the name, billing address, birth date, and medical history. The gym I am visiting (in Europe) is also using this application and so I took a closer look at the application. I didn’t dig very deep to avoid legal issues, but these are some of the “problems” I found:

  • The login allows infinite tries
  • The JSON response from the backend includes information whether the username or password was incorrect
  • The user password is stored in the local storage in plain text
  • There is an unrestricted file upload for profile pictures
  • An old PHP version is used
  • There are multiple backends that throw exceptions (this way I could find out which PHP framework they are using)
  • Session IDs can be overwritten (Session fixation)
  • It seems like there is no input validation. They are using React, so XSS is not as easy but still possible

All of these don’t seem like super-critical to me, unless someone really takes their time and tries to exploit these potential vulnerabilities. From what I can tell, there are least 20,000 customers stored in their database. Also it seems like all the customer data is stored in one big table for all the different gyms that are using this application.

The kind of data that is stored about the customers seems to be very personal and shouldn’t be in the wrong hands I guess. So I contacted this company anonymously and told them about my concerns. They responded to me a few days ago and said that they fixed everything – however I checked it and basically nothing changed in this web application (still the same vulnerabilities).

So here is my question: How should I proceed? Should I give them a second chance or contact some kind of data protection authority? And would you consider these problems/vulnerabilities critical? (like already said: I didn’t dig too deep, but even with my limited security knowledge I think I could get most of the user data into my hands within a few days)

Exploiting vulnerabilities in the C code

I’m preparing for an introductory information security examination in university and this is one of the examination questions on Secure Programming.

In such questions, I would usually catch for Buffer Overflow or Integer Overflow that lead to other consequences, but due to the context of the problem, I did not manage to find any vulnerabilities in this program.

Can someone help me out here with the questions? The answers are not provided by the school. Sorry in advance, the actual paper document is not formatted such that it allows copy over.

Here is the question.

Pic 1

Pic 2

What are the vulnerabilities of the autofill feature in iOS 11 and later?

iOS 11, 12, and later offer an autofill function from the iOS keyboard for specific apps enabled for the function. I have read Apple’s documentation and it appears that the passwords are stored in the app and then recalled to the keyboard UI where they can be selected to autofill the appropriate field in the displayed app form. I am not sure if this is true for browser login pages, too. Generally, autofill functions have contained vulnerabilities in the past. But, what are the vulnerabilities of Apple’s iOS autofill approach?