Hello and welcome to the Monday, December 9th, 2020,

for edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida.

Let's start today with a blog post by Port Swigar. Sacher Fedotkin from Port Swicker, did write about issues with cookies and how they can possibly be used to bypass web application firewalls.

The problem here is that as so often we have slightly different standards, different versions of the cookie standard, for example,

plus different implementations in different frameworks,

which leads to inconsistent ways how cookies are being interpreted.

So, for example, one pretty obvious way to bypass this filters is to have multiple cookie headers, which are

typically combined into one cookie object, then as these headers are being passed by your frameworks.

Plus, there are various encoding features that can be used with cookies and some simple ambiguities, like for example

using spaces around the equal sign, which may or may not be acceptable depending, again,

on the language that your application is written in. Definitely a must-read for any penetration

tester, but also contains some good insight in how to defend

against some of these issues. And Midia Colzac from Serapatch did post a blog post about yet

another one of these NTLM League war on abilities. This time it's URL files that are being affected here. They are offering and

well, Mitya is with Sarah Patch, so they're offering one of their micro patches here as a

workaround to address this vulnerability. However, keep in mind, I think there hasn't really been a week lately

that we didn't have a new kind of NTLM hash leak. What you really need to control is these

outbound SMB connections, because that's how then the leak usually happens. Just hunting

sort of one vulnerability here after another

is probably not going to do it in the long run.

The other issue here is that this vulnerability

...