OAST (Out-of-band Security Testing) tools are built for ethical security researchers to observe network interactions (DNS, HTTP and similar callbacks) that conventional in-band testing cannot see; the same capability can be misused by attackers to exfiltrate data or pivot within a victim's network.
PortSwigger provides burpcollaborator.net and oastify.com as default OAST domains, while Project Discovery uses interact.sh and various alternatives.
Adobe-dcapi-web is a malicious npm package that masquerades as an Adobe API library; it targets developers by advertising artificially high version numbers to trick them into installing it.
To determine the user's location, the package retrieves the user's public IP address and, if it detects a Russian locale, terminates execution.
It then checks the operating system and uses platform-specific methods to collect system information, including username, hostname, public IP, current date and time, and kernel version, and exfiltrates the collected data to a server controlled by the attacker.
The attacker also uploaded a malicious package named "monoliht", a name misleadingly similar to the legitimate "monolith" library.
The package collects the victim's hostname, username, and current working directory and sends them to the attacker's server via multiple URLs; spreading exfiltration across several domains makes the attack harder to block.
The RubyGems packages chauuuyhhn, nosvemosssadfsd, and holaaaaaafasdf, published by the threat actor "Tu Nombre", use DNS exfiltration to gather sensitive information from victims.
According to Socket, the malicious code retrieves the victim's external IP address, hostname, username, working directory, and folder name.
It sanitizes the data, constructs a DNS query that embeds this information, and sends it to the attacker's server on port 53, which lets the attacker gather reconnaissance data stealthily, as DNS traffic is often overlooked by intrusion detection systems.
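The DNS exfiltration described above, together with the default OAST domains listed earlier, is what a resolver-log detector should key on. The following is an added example, not code from the article or from any of the tools or packages it discusses; the thresholds, the log line format and the attacker-placeholder domain are constructed assumptions.

```python
import math
from collections import Counter

# Default OAST domains the article names; extend with your own callback domains.
OAST_DOMAINS = ("burpcollaborator.net", "oastify.com", "interact.sh")

# Heuristic thresholds (assumed values; tune them to your environment).
MAX_LABEL_LEN = 40   # single labels longer than this are rare in legitimate names
MIN_SUBDOMAIN = 16   # only score entropy once there is enough data to judge
MIN_ENTROPY = 3.5    # Shannon entropy (bits per character) of the subdomain part

def shannon_entropy(s):
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify_query(qname):
    """Return the reasons a DNS query name looks like out-of-band exfiltration."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    reasons = []
    for d in OAST_DOMAINS:
        if name == d or name.endswith("." + d):
            reasons.append("known OAST domain " + d)
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        reasons.append("oversized label")
    # Everything left of the registrable domain; assumes a two-label suffix.
    subdomain = "".join(labels[:-2])
    if len(subdomain) >= MIN_SUBDOMAIN and shannon_entropy(subdomain) >= MIN_ENTROPY:
        reasons.append("high-entropy subdomain")
    return reasons

def scan_log(lines):
    """Scan '<timestamp> <client> <qname>' lines (constructed format) for hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and (reasons := classify_query(parts[2])):
            hits.append((parts[1], parts[2], reasons))
    return hits

# Constructed sample resolver log; the placeholder domain stands in for any attacker host.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z 10.0.0.5 www.example.com",
    "2024-01-01T00:00:02Z 10.0.0.5 abcd1234.oastify.com",
    "2024-01-01T00:00:03Z 10.0.0.7 0123456789abcdef.attacker-placeholder.example",
]
```

Calling `scan_log(SAMPLE_LOG)` returns the two suspicious queries with their reasons; the first line is ordinary traffic and is not reported.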
Dana Epp, a prominent figure in application security, emphasizes the dual nature of Out-of-Band (OOB) testing. While ethical researchers leverage OOB techniques to proactively identify and mitigate critical vulnerabilities, threat actors exploit these same methods for malicious purposes.
Attackers use OOB channels to stealthily discover and exploit vulnerabilities, gain unauthorized access to systems, and maintain persistent control. This calls for a proactive defense strategy that anticipates and mitigates the risks associated with OOB testing while still embracing its legitimate use for strengthening application security.