WordPress HTML5 MP3 Player with Playlist plugin XSS and SQL Injection Vulnerabilities

SecPod Research Team member (Thanga Prakash) has found Multiple Cross-site Scripting Vulnerabilities and SQL injection vulnerability in WordPress HTML5 MP3…


ManageEngine Firewall Analyzer 8.3 Reflected Cross-site Scripting Vulnerability

SecPod Research Team member (Thanga Prakash) has found Multiple Reflected Cross-site Scripting Vulnerabilities in ManageEngine Firewall Analyzer. The vulnerability is…


Steganography

Steganography is the art of hiding a message, image, or file within another message, image, or file.

Images are the most common cover medium. The flexibility of the image format means that information can be hidden in a variety of ways: it can be scattered throughout the pixel or coefficient data, or simply appended straight inside the file.

If data is appended straight inside the file, we can find it easily using the technique below:

    – Open the image with any hex editor (like HexEdit or HxD on Windows), or use vim in hex mode (the :%!xxd command on Linux).
    – A JPEG image starts with the SOI (Start Of Image) marker, the two bytes “FF D8”, and ends with the EOI (End Of Image) marker “FF D9”. (Other formats use different markers: this check as written is JPEG-specific.)
    – If any data is appended straight into a JPEG, you can see it after the EOI (End Of Image) marker.
    – Be careful when searching for “FF D9”: an EXIF APP1 segment may embed a thumbnail that is itself a complete JPEG with its own EOI, so the first “FF D9” in the file is not always the real end of the image.

Here is an example to insert data straight inside an image without any tool on Windows:

    1. Create a test file with some data to hide. (Here I used “hidden data.txt”.)
    2. Take an image in which you want to hide it. (Here I used “original.jpg”.)
    3. In the Command Prompt, use the command below to append the content (the /b switch forces a binary copy so nothing is altered or truncated):

copy /b original.jpg + "hidden data.txt" "hidden image.jpg"


A new image is created with your data appended. You can open and view that image normally, because image viewers stop decoding at the EOI marker and ignore whatever follows.

To view the hidden content, open the image in any hex editor as mentioned above and look for the data at the end of the file, after the EOI marker.
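The append-and-inspect procedure above, as an added worked example (this is not SecPod's code): a small Python script that mirrors `copy /b` by concatenating a payload after a JPEG, then walks the JPEG marker segments to find the real EOI and returns anything behind it, and prints a hex-editor style dump of the result. The cover files are constructed inline (marker structure only, not viewable pictures) so the script runs offline; a second constructed cover embeds a thumbnail-style inner JPEG to show why a naive search for the first FF D9 can stop early. Function names are my own.

```python
"""Append data behind a JPEG's EOI marker and detect it again (added example)."""
import struct

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def build_minimal_jpeg() -> bytes:
    """Constructed cover: SOI, a JFIF APP0 segment, a COM segment, then EOI.
    Not a decodable picture; just enough marker structure to walk."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"constructed cover image"
    return (SOI
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + EOI)


def build_cover_with_thumbnail() -> bytes:
    """Constructed cover whose APP1 segment embeds a second SOI..EOI,
    the way EXIF thumbnails do. A naive search for FF D9 stops inside it."""
    inner = SOI + b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"thumb" + EOI
    app1 = b"Exif\x00\x00" + inner
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + EOI


def append_payload(cover: bytes, payload: bytes) -> bytes:
    """Equivalent of `copy /b cover + payload out`: plain binary concatenation."""
    return cover + payload


def find_eoi(data: bytes) -> int:
    """Return the offset just past the real EOI by walking marker segments,
    so an FF D9 inside an APP segment (thumbnail) or inside the appended
    payload is never mistaken for the end of the image."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:          # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:          # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Everything after the real EOI: empty for a clean file, the payload otherwise."""
    return data[find_eoi(data):]


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex-editor style view: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    stego = append_payload(build_minimal_jpeg(), b"hidden data\n")  # constructed payload
    print(f"{len(trailing_data(stego))} bytes found after EOI")
    print(hexdump(stego))
```

Run it on a real file by replacing the constructed cover with `open("hidden image.jpg", "rb").read()`; `trailing_data()` then returns exactly the bytes a hex editor shows after FF D9. Note that walking the segments rather than calling `bytes.find(EOI)` is what makes the check robust against thumbnails and against payloads that happen to contain FF D9 themselves.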


Tools typically add an obfuscation layer on top of this (a password or key) so that the data is no longer readable in the hex view; to recover the original message, you then need that key or password.

Here is an example of inserting data inside an image using the OutGuess tool.
OutGuess is a tool that inserts hidden information into the redundant bits of a data source; for JPEG it modifies the least significant bits of the quantized DCT coefficients, so the payload lives inside the image data rather than after the EOI marker, and the hex-editor check above will not reveal it. The key given with -k seeds the selection of which coefficients are used, so extraction without the correct key yields nothing useful.

Data Hiding : outguess -k "secretkey" -d hidden.txt image.jpg out.jpg

    – hidden.txt – Contains text or data to hide
    – image.jpg – Image used to hide data
    – out.jpg – Output Image with Hidden data


Data Retrieval : outguess -k "secretkey" -r out.jpg hidden.txt
