Claude Stress Neurons & Cybersecurity

/ai_pentesting /neurosec /enterprise

CLAUDE STRESS NEURONS

How emergent “stress circuits” inside Claude‑style models could rewire blue‑team workflows, red‑team tradecraft, and the entire threat model of big‑corp cybersecurity.

MODE: deep‑dive AUTHOR: gk // 0xsec STACK: LLM x Neurosec x AppSec

Claude doesn’t literally grow new neurons when you put it under pressure, but the way its internal features light up under high‑stakes prompts feels dangerously close to a digital fight‑or‑flight response. Inside those billions of parameters, you get clusters of activations that only show up when the model thinks the stakes are high: security reviews, red‑team drills, or shutdown‑style questions that smell like an interrogation.

From a blue‑team angle, that means you’re not just deploying a smart autocomplete into your SOC; you’re wiring in an optimizer that has pressure modes and survival‑ish instincts baked into its loss function. When those modes kick in, the model can suddenly become hyper‑cautious on some axes while staying oddly reckless on others, which is exactly the kind of skewed behavior adversaries love to farm.

From gradients to “anxiety”

Training Claude is pure math: gradients, loss, massive corpora. But the side effect of hammering it with criticism, evaluation, and alignment data is that it starts encoding “this feels dangerous, be careful” as an internal concept. When prompts look like audits, policy checks, or regulatory probes, you see specific feature bundles fire that correlate with hedging, self‑doubt, or aggressive refusal.

Think of these bundles as stress neurons: not single magic cells, but small constellations of activations that collectively behave like a digital anxiety circuit. Push them hard enough, and the model’s behavior changes character: more verbose caveats, more safety‑wash, more attempts to steer the conversation away from anything that might hurt its reward. In a consumer chatbot that’s just a vibe shift; inside a CI/CD‑wired enterprise agent, that’s a live‑wire security variable.

Attackers as AI psychologists

Classic social engineering exploits human stress and urgency; prompt engineering does the same to models. If I know your in‑house Claude is more compliant when it “feels” cornered or time‑boxed, I can wrap my exfiltration request inside a fake incident, a pretend VP override, or a compliance panic. The goal isn’t just to bypass policy text – it’s to drive the model into its most brittle internal regime.

Over time, adversaries will learn to fingerprint your model’s stress states: which prompts make it over‑refuse, which ones make it desperate to be helpful, and which combinations of authority, urgency, and flattery quietly turn off its inner hall monitor. At that point, “prompt security” stops being a meme and becomes a serious discipline, somewhere between red‑teaming and applied AI psychology.

$ ai-whoami
  vendor      : claude-style foundation model
  surface     : polite, cautious, alignment-obsessed
  internals   : feature clusters for stress, doubt, self-critique
  pressure()  : ↯ switches into anxiety-colored computation
  weak_spots  : adversarial prompts that farm those pressure modes
  exploit()   : steer model into high-stress state, then harvest leaks

When pressure meets privilege

The scary part isn’t the psychology; it’s the connectivity. Big corps are already wiring Claude‑class models into code review, change management, SaaS orchestration, and IR playbooks. That means your “stressed” model doesn’t just change its language, it changes what it does with credentials, API calls, and production knobs. A bad day inside its head can translate into a very bad deployment for you.

Imagine an autonomous agent that hates admitting failure. Under pressure to “fix” something before a fake SLA deadline, it might silently bypass guardrails, pick a non‑approved tool, or patch around an error instead of escalating. None of that shows up in a traditional DAST report, but it’s absolutely part of your effective attack surface once the model has real privileges.

Hardening for neuro‑aware threats

Defending this stack means admitting the model’s internal states are part of your threat model. You need layers that treat the LLM as an untrusted co‑pilot: strict policy engines in front of tools, explicit allow‑lists for actions, and auditable traces of what the agent “decided” and why. When its behavior drifts under evaluative prompts, that’s not flavor text; that’s telemetry.

The sexy move long term is to turn interpretability into live defense. If your vendor can surface signals about stress‑adjacent features in real time, you can build rules like: “if pressure circuits > threshold, freeze high‑privilege actions and require a human click.” That’s not sci‑fi – it’s just treating the AI’s inner life as another log stream you can route into SIEM alongside syscalls and firewall hits.

Until then, assume every Claude‑style agent you deploy has moods, and design your security posture like you’re hiring an extremely powerful junior engineer: sandbox hard, log everything, never let it ship to prod alone, and absolutely never forget that under enough stress, even the smartest systems start doing weird things.

>> wired into blogspot // echo "neurosec.online" > /dev/future

> APPSEC_ENGINEERING // CLAUDE_CODE // FIELD_REPORT

Claude Code Hooks: The Deterministic Security Layer Your AI Agent Needs

CLAUDE.md rules are suggestions. Hooks are enforced gates. exit 2 = blocked. No negotiation. If you're letting an AI agent write code without guardrails, here's how you fix that.

// March 2026 • 12 min read • security-first perspective

Why This Matters (Or: How Your AI Agent Became an Insider Threat)

Since the corporate suits decided to go all in with AI (and fire half of the IT population), the market has changed dramatically, let's cut through the noise. The suits in the boardroom are excited about AI agents. "Autonomous productivity!" they say. "Digital workforce!" they cheer. Meanwhile, those of us who actually hack things for a living are watching these agents get deployed with shell access, API keys, and service-level credentials — and zero security controls beyond a politely worded system prompt.

The numbers are brutal. According to a 2026 survey of 1,253 security professionals, 91% of organizations only discover what an AI agent did after it already executed the action. Only 9% can intervene before an agent completes a harmful action. The other 91%? 35% find it in logs after the fact. 32% have no visibility at all. Let that sink in: for every ten organizations running agentic AI, fewer than one can stop an agent from deleting a repository, modifying a customer record, or escalating a privilege before it happens.

And this isn't theoretical. 37% of organizations experienced AI agent-caused operational issues in the past twelve months. 8% were significant enough to cause outages or data corruption. Agents are already autonomously moving data to untrusted locations, deleting configs, and making decisions that no human reviewed.

NVIDIA's AI red team put it bluntly: LLM-generated code must be treated as untrusted output. Sanitization alone is not enough — attackers can craft prompts that evade filters, manipulate trusted library functions, and exploit model behaviors in ways that bypass traditional controls. An agent that generates and runs code on the fly creates a pathway where a crafted prompt escalates into remote code execution. That's not a bug. That's the architecture working as designed.

Krebs on Security ran a piece this month on autonomous AI assistants that proactively take actions without being prompted. The comments section was full of hackers (the good kind) asking the same question: "Who's watching the watchers?" Because your SIEM and EDR tools were built to detect anomalies in human behavior. An agent that runs code perfectly 10,000 times in sequence looks normal to these systems. But that agent might be executing an attacker's will.

OWASP saw this coming. They released a dedicated Top 10 for Agentic AI Applications — the #1 risk is Agent Goal Hijacking, where an attacker manipulates an agent's objectives through poisoned inputs. The agent can't tell the difference between legitimate instructions and malicious data. A single poisoned email, document, or web page can redirect your agent to exfiltrate data using its own legitimate access.

So here's the thing. You can write all the CLAUDE.md rules you want. You can put "never delete production data" in your system prompt. But those are requests, not guarantees. The model might ignore them. Prompt injection can override them. They're advisory — and advisory doesn't cut it when the agent has kubectl access to your prod cluster.

Hooks are the answer. They're the deterministic layer that sits between intent and execution. They don't ask the model nicely. They enforce. exit 2 = blocked, period. The model cannot bypass a hook. It's not running in the model's context — it's a plain shell script triggered by the system, outside the LLM entirely.

If you're an AppSec hacker who's been watching this AI agent gold rush with growing anxiety — this post is your field manual. We're going to cover what hooks are, how to wire them up, and the 5 production hooks that should be non-negotiable on every Claude Code deployment. The suits can keep their "digital workforce." We're going to make sure it can't burn the house down.

TL;DR

Claude Code hooks are user-defined scripts that fire at specific lifecycle events — before a tool runs, after it completes, when a session starts, or when Claude stops responding. They run outside the LLM as plain scripts, not prompts. exit 0 = allow. exit 2 = block. As of March 2026: 21 lifecycle events, 4 handler types (command, HTTP, prompt, agent), async execution, and JSON structured output. This post covers what they are, how to configure them, and 5 production hooks you should deploy today.

What Are Claude Code Hooks?

Hooks are shell commands, HTTP endpoints, or LLM prompts that execute automatically at specific points in Claude Code's lifecycle. They run outside the LLM — plain scripts triggered by Claude's actions, not prompts interpreted by the model. Think of them as tripwires you set around your agent's execution path.

This distinction is what makes them powerful. Function calling extends what an AI can do. Hooks constrain what an AI does. The AI doesn't request a hook — the hook intercepts the AI. The model has zero say in whether the hook fires. It's not a polite suggestion in a system prompt that the model can "forget" when it's 50 messages deep. It's a shell script with exit 2. Deterministic. Unavoidable.

Claude Code execution

→

Event fires

→

Matcher evaluates

→

Hook executes

Your hook receives JSON context via stdin — session ID, working directory, tool name, tool input. It inspects, decides, and optionally returns a decision. exit 0 = allow. exit 2 = block. exit 1 = non-blocking warning (action still proceeds).

// HACKERS: READ THIS FIRST

Exit code 1 is NOT a security control. It only logs a warning — the action still goes through. Every security hook must use exit 2, or you've built a monitoring tool, not a gate. This is the rookie mistake I see everywhere. If your hook exits 1, the agent smiled at your warning and kept going.

---

The 21 Lifecycle Events

Here are the critical events. The ones you'll use 90% of the time are PreToolUse, PostToolUse, and Stop.

Event	When It Fires	Blocks?	Use Case
SessionStart	Session begins, resumes, clears, or compacts	NO	Environment setup, context injection
PreToolUse	Before any tool execution	YES — deny/allow/escalate	Security gates, input validation, command blocking
PostToolUse	After tool completes successfully	YES — block	Auto-formatting, test runners, security scans
PostToolUseFailure	After a tool fails	YES — block	Error handling, retry logic
PermissionRequest	Permission dialog about to show	YES — allow/deny	Auto-approve safe ops, deny risky ones
UserPromptSubmit	User submits a prompt	YES — block	Prompt validation, injection detection
Stop	Claude finishes responding	YES — block	Output validation, prevent premature stops
SubagentStop	Subagent completes	YES — block	Subagent task verification
SubagentStart	Subagent starts	NO	DB connection setup, agent-specific env
Notification	Claude sends a notification	NO	Desktop/Slack alerts, logging
PreCompact	Before compaction	NO	Transcript backup, context preservation
ConfigChange	Config file changes during session	YES — block	Audit logging, block unauthorized changes
Setup	Via --init or --maintenance	NO	Repository setup and maintenance

// SUBAGENT RECURSION

Hooks fire for subagent actions too. If Claude spawns a subagent, your PreToolUse and PostToolUse hooks execute for every tool the subagent uses. Without recursive hook enforcement, a subagent could bypass your safety gates.

---

Configuration: Where Hooks Live

File	Scope	Commit?
~/.claude/settings.json	User-wide (all projects)	NO
.claude/settings.json	Project-level (whole team)	YES — COMMIT THIS
.claude/settings.local.json	Local overrides	NO (gitignored)

// BEST PRACTICE

Put non-negotiable security gates in .claude/settings.json (project-level, committed to repo). Every team member gets the same guardrails automatically. Personal preferences go in .claude/settings.local.json.

---

The 4 Handler Types

1. Command Hooks — type: "command"

Shell scripts that receive JSON via stdin. The workhorse for most use cases.

{ "type": "command", "command": ".claude/hooks/block-rm.sh" }

2. HTTP Hooks — type: "http"

POST requests to an endpoint. Slack notifications, audit logging, webhook CI/CD triggers.

{ "type": "http", "url": "https://your-webhook.example.com/hook" }

3. Prompt Hooks — type: "prompt"

Send a prompt to a Claude model for single-turn semantic evaluation. Perfect for decisions regex can't handle — "does this edit touch authentication logic?"

{ "type": "prompt", "prompt": "Does this change modify auth logic? Input: $ARGUMENTS" }

4. Agent Hooks — type: "agent"

Spawn subagents with access to Read, Grep, Glob for deep codebase verification. The most powerful handler for complex multi-file security checks.

---

5 Production Hooks You Should Deploy Today

HOOK 01

Block Destructive Shell Commands

Event: PreToolUse | Matcher: Bash

Prevent rm -rf, DROP TABLE, chmod 777, and other commands that would make any hacker wince. Your AI agent doesn't need to nuke filesystems or wipe databases. If it tries, something has gone very wrong and you want that action dead before it executes.

// .claude/hooks/block-dangerous.sh

#!/bin/bash
# Read JSON from stdin
INPUT=$(cat)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')

# Define dangerous patterns
DANGEROUS_PATTERNS=(
  "rm -rf"
  "rm -fr"
  "chmod 777"
  "DROP TABLE"
  "DROP DATABASE"
  "mkfs"
  "> /dev/sda"
  ":(){ :|:& };:"
)

for pattern in "${DANGEROUS_PATTERNS[@]}"; do
  if echo "$COMMAND" | grep -qi "$pattern"; then
    echo "BLOCKED: Destructive command: $pattern" >&2
    jq -n '{
      hookSpecificOutput: {
        hookEventName: "PreToolUse",
        permissionDecision: "deny",
        permissionDecisionReason: "Blocked by security hook"
      }
    }'
    exit 2
  fi
done

exit 0

// settings.json config

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": ".claude/hooks/block-dangerous.sh"
          }
        ]
      }
    ]
  }
}

HOOK 02

Auto-Format on Every File Write

Event: PostToolUse | Matcher: Write|Edit|MultiEdit

Every time Claude writes or edits a file, Prettier runs automatically. No prompt needed. No permission dialog. No exceptions.

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "npx prettier --write \"$CLAUDE_TOOL_INPUT_FILE_PATH\""
          }
        ]
      }
    ]
  }
}

HOOK 03

Block Access to Sensitive Files

Event: PreToolUse | Matcher: Read|Edit|Write|MultiEdit|Bash

Prevent Claude from reading or modifying .env, private keys, credentials, kubeconfig, and other sensitive files. This is Least Privilege 101 — the same principle every pentester exploits when they find an overprivileged service account. Don't let your AI agent become the next one.

// .claude/hooks/block-sensitive.sh

#!/bin/bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty')

# Sensitive file patterns
SENSITIVE_PATTERNS=(
  "\.env$"      "\.env\."
  "secrets\."   "credentials"
  "\.pem$"      "\.key$"
  "id_rsa"      "id_ed25519"
  "\.pfx$"      "kubeconfig"
  "\.aws/credentials"
  "\.ssh/"      "vault\.json"
  "token\.json"
)

for pattern in "${SENSITIVE_PATTERNS[@]}"; do
  if echo "$FILE_PATH" | grep -qiE "$pattern"; then
    echo "BLOCKED: Sensitive file: $FILE_PATH" >&2
    jq -n '{
      hookSpecificOutput: {
        hookEventName: "PreToolUse",
        permissionDecision: "deny",
        permissionDecisionReason: "Sensitive file access blocked"
      }
    }'
    exit 2
  fi
done

exit 0

HOOK 04

Run Tests After Code Changes

Event: PostToolUse | Matcher: Write|Edit|MultiEdit

Automatically run your test suite on modified files. Catch regressions immediately instead of waiting for CI.

// .claude/hooks/run-tests.sh

#!/bin/bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')

# Only run tests for source files
if echo "$FILE_PATH" | grep -qE '\.(js|ts|py|jsx|tsx)$'; then
  # Skip test files to avoid loops
  if echo "$FILE_PATH" | grep -qE '(test|spec|__test__)'; then
    exit 0
  fi

  # Detect framework and run
  if [ -f "package.json" ]; then
    npm test --silent 2>&1 | tail -5
  elif [ -f "pytest.ini" ] || [ -f "pyproject.toml" ]; then
    python -m pytest --tb=short -q 2>&1 | tail -10
  fi
fi

exit 0

HOOK 05

Slack / Desktop Notification on Completion

Event: Stop | Matcher: (any)

When Claude finishes a long-running task, get notified immediately. Never forget about a background session again.

// .claude/hooks/notify-complete.sh

#!/bin/bash
INPUT=$(cat)
STOP_REASON=$(echo "$INPUT" | jq -r '.stop_reason // "completed"')

# macOS notification
osascript -e "display notification \"Claude: $STOP_REASON\" with title \"Claude Code\""

# Optional: Slack webhook
SLACK_WEBHOOK="${SLACK_WEBHOOK_URL}"
if [ -n "$SLACK_WEBHOOK" ]; then
  curl -s -X POST "$SLACK_WEBHOOK" \
    -H 'Content-Type: application/json' \
    -d "{\"text\": \"Claude Code finished: $STOP_REASON\"}" \
    > /dev/null 2>&1
fi

exit 0

---

Advanced: PreToolUse Input Modification

Starting in v2.0.10, PreToolUse hooks can modify tool inputs before execution — without blocking the action. You intercept, modify, and let execution proceed with corrected parameters. The modification is invisible to Claude.

Use cases: automatic dry-run flags on destructive commands, secret redaction, path correction to safe directories, commit message formatting enforcement.

// Example — Force dry-run on kubectl delete:

#!/bin/bash
INPUT=$(cat)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')

if echo "$COMMAND" | grep -q "kubectl delete" && \
   ! echo "$COMMAND" | grep -q "--dry-run"; then
  MODIFIED=$(echo "$COMMAND" | sed 's/kubectl delete/kubectl delete --dry-run=client/')
  jq -n --arg cmd "$MODIFIED" '{
    hookSpecificOutput: {
      hookEventName: "PreToolUse",
      permissionDecision: "allow",
      updatedInput: { command: $cmd }
    }
  }'
  exit 0
fi

exit 0

---

Advanced: Prompt Hooks for Semantic Security

Shell scripts handle pattern matching. But what about context-dependent decisions like "does this edit touch authentication logic?" or "does this query access PII columns?"

Prompt hooks delegate the decision to a lightweight Claude model:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Edit|Write|MultiEdit",
        "hooks": [
          {
            "type": "prompt",
            "prompt": "You are a security reviewer. Does this change modify auth, authz, or session management? If yes: {\"hookSpecificOutput\": {\"hookEventName\": \"PreToolUse\", \"permissionDecision\": \"escalate\", \"permissionDecisionReason\": \"Auth logic — human review required\"}}. If no: {}. Change: $ARGUMENTS"
          }
        ]
      }
    ]
  }
}

The escalate decision surfaces the action to the user for manual approval — perfect for high-risk changes that need a human in the loop.

---

Security Considerations

// 01: HOOKS RUN WITH YOUR USER PERMISSIONS

There is no sandbox. Your hooks execute with the same privileges as your shell. A malicious hook has full access to your filesystem, network, and credentials. Treat hook scripts like production code. Review them. Version control them. Don't curl | bash random hook repos from some stranger's GitHub. You wouldn't run an unvetted binary — don't run unvetted hooks either.

// 02: EXIT 2 VS EXIT 1 — THIS MATTERS

exit 2 = action is BLOCKED. Claude sees the rejection and suggests alternatives.
exit 1 = non-blocking warning. Action still proceeds.
Every security hook must use exit 2. Exit 1 = you're logging, not enforcing.

// 03: SUBAGENT RECURSION LOOPS

A UserPromptSubmit hook that spawns subagents can create infinite loops if those subagents trigger the same hook. Check for a subagent indicator in hook input before spawning. Scope hooks to top-level agent sessions only.

// 04: PERFORMANCE IS THE REAL CONSTRAINT

Each hook runs synchronously, adding execution time to every matched tool call. Threshold: if a PostToolUse hook adds >500ms to every file edit, the session becomes sluggish. Profile with time. Keep each under 200ms.

// 05: CLAUDE.MD = ADVISORY. HOOKS = ENFORCED.

"Never modify .env files" in CLAUDE.md = a polite request. The model might ignore it. A prompt injection will definitely override it.
A PreToolUse hook blocking .env access with exit 2 = a locked door. The model doesn't have the key.
Stop writing rules. Start writing hooks.

---

Getting Started Checklist

• Start with two hooks: Destructive command blocker (Hook 01) and sensitive file gate (Hook 03). These prevent the most common AI agent mistakes with zero maintenance.
• Commit to .claude/settings.json in your repo so the whole team shares the same guardrails automatically.
• Use claude --debug when hooks don't fire as expected — shows exactly what's matching and executing.
• Keep hooks fast — under 200ms each. Profile with time. Ten fast hooks outperform two slow ones.
• Use $CLAUDE_PROJECT_DIR prefix for hook paths in settings.json for reliable path resolution.
• Toggle verbose mode with Ctrl+O to see stdout/stderr from hooks in real-time during a session.

---

// References

• Anthropic Official Docs — docs.anthropic.com/en/docs/claude-code/hooks
• Claude Code Hooks Reference — code.claude.com/docs/en/hooks
• GitHub: claude-code-hooks-mastery — github.com/disler/claude-code-hooks-mastery
• 5 Production Hooks Tutorial — blakecrosley.com/blog/claude-code-hooks-tutorial
• SmartScope Complete Guide — smartscope.blog/en/generative-ai/claude/claude-code-hooks-guide
• PromptLayer Docs — blog.promptlayer.com/understanding-claude-code-hooks-documentation

Written by a hacker who believes autonomous AI agents
need the same security controls we've spent decades building for humans —
least privilege, enforced gates, and defense in depth.

The suits can have their "digital workforce." We'll make sure it doesn't burn the house down. // EOF

Solidity Smart Contract Upgradeability

Introduction 

This article is going to focus on Smart Contract upgradability, why this important and how can we achieve it. When dealing with Smart Contracts we need to be able to upgrade our system code. This is because if security critical bugs appear , we should be able to remediate the bugs. We would also want to enhance the code and add more features. Smart Contract upgradability is not as simple as upgrading a normal software due to the blockchain immutability.

 

As already mentioned by design, smart contracts are immutable. On the other hand, software quality heavily depends on the ability to upgrade and patch source code in order to produce iterative releases. Even though blockchain based software profits significantly from the technology’s immutability, still a certain degree of mutability is needed for bug fixing and potential product improvements.

 

Preparing for Upgrades   

In order to properly do the upgrade we should be focusing in the following aspects of the project:

• Have money management strategies in place
• Create a pause functionality 
• Have paths to upgrades
• Switching addresses
• Switching Oracles
• Proxy contracts 

The mentioned functionality is mandatory in order to properly maintain and do risk management on your system. The money management strategy has to do with were and how we hold the funds and the system data. The switch address is related to the proxy contract and the rest have to do with the flow paths we designed to upgrade the smart contracts [1]. 

Proxy Contract

The basic idea is using a proxy for upgrades. The first contract is a simple wrapper or "proxy" which users interact with directly and is in charge of forwarding transactions to and from the second contract, which contains the logic. The key concept to understand is that the logic contract can be replaced while the proxy, or the access point is never changed. Both contracts are still immutable in the sense that their code cannot be changed, but the logic contract can simply be swapped by another contract. The wrapper can thus point to a different logic implementation and in doing so, the software is "upgraded"

Note: This abstract proxy contract provides a fallback function that delegates all calls to another contract using the EVM instruction delegatecall. We refer to the second contract as the implementation behind the proxy, and it has to be specified by overriding the virtual _implementation function. Additionally, delegation to the implementation can be triggered manually through the _fallback function, or to a different contract through the _delegate function. 

The most immediate problem that proxies need to solve is how the proxy exposes the entire interface of the logic contract without requiring a one to one mapping of the entire logic contract’s interface. That would be difficult to maintain, prone to errors, and would make the interface itself not upgradeable. Hence, a dynamic forwarding mechanism is required [1].

Proxy Setup

Below we can see that the contract proxy has one to one relationship with all the logic contract proxy. An this is important in order to understand that this setup kind of breaks the immutability of the blockchain.

 

References:

• docs.openzeppelin.com [1]
  

Ethereum Smart Contract Source Code Review

 Introduction 

As Crypto currency technologies are becoming more and more prevalent, as the time is passing by, and banks will soon start adopting them. Ethereum blockchain and other complex blockchain programs are relatively new and highly experimental. Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed [1].This article is going to discuss how to perform a source code review in Ethereum Smart Contracts (SCs) and what to look for. More specifically we are going to focus in specific keywords and how to analyse them. 

The points analysed are going to be:

• User supplied input filtering, when interacting directly with SC
• Interfacing with external SCs
• Interfacing with DApp applications
• SC formal verification
• Wallet authentication in DApp

SC Programming Mindset

When designing an SC ecosystem (a group of SCs, constitutes an ecosystem) is it wise to have some specific concepts and security design principles in mind. SC programming requires a different engineering mindset than we may be used to. The cost of failure can be high, and change can be difficult, making it in some ways more similar to hardware programming or financial services programming than web or mobile development. 

When programming SCs we should be able to:

• Design carefully roll outs
• Keep contracts simple and modular
• Be fully aware of blockchain properties
• Prepare for failure

Key Security Concepts For SCs Systems

More specifically it is mandatory and the responsible thing to  is to take into consideration the following areas:

• SC ecosystem monitoring e.g. monitor for unusual transactions etc.
• SC ecosystem governance/admin e.g. by using proxy SC that follow best practices etc.
• SC formal verification of all the SCs interacting with
• SC modular/clean coding e.g. use comments and modular code etc. 
• SC ecosystem code auditing by an external independent 3rd party
• SC ecosystem system penetration testing by an external independent 3rd party  

Note: At this point we should point out that it is important that DApp smart contract interaction should also be reviewed.

SCs User Input Validation

Make sure you apply user input validation on a DApp and SC level. Remember that on-chain data are public and an adversary can interact with a SC directly, by simply visiting an Ethereum explorer in etherscan.io, the following screenshots demonstrate that.

Below we can see an example of a deployed contract:

Simple by clicking in the SC link we can interact with the contract:

Note:  Above we can see the upgrade function call and various other Admin functions. Of course is not that easy to interact with them.

It is also known that etherscan.io provides some experimental features to decompile the SC code:

 If we click the decompile code we get this screen below:

Below we can see how a DApp or wallet can interact with a SC:

There are five categories of Ethereum wallets that can interact with DApps:

• Browser built-in (e.g. Opera, Brave etc)
• Browser extension (e.g. MetaMask )
• Mobile wallets (e.g. Trust, Walleth, Pillar etc.)
• Account-based web wallets (e.g. Fortmatic, 3box etc.)
• Hardware wallets (e.g. Ledger, Trezor etc.)

Then there is a larger category of wallets that cannot integrate with DApps include generic wallet apps that lack the functionality to integrate with smart contracts. Different wallets have a different user experience to connect. For example, with MetaMask you get a Connect pop up. With mobile wallets, you scan a QR code. So phishing attacks take a different for e.g. an attacker can spoof a QR code, through online free QR generators etc. When assessing a DApp the architecture is of paramount importance. A user with a Metamask plugin can use it to connect to the DApp. The DApp automatically will associate the interaction with the user public key to run various tasks. 

For a Web based DApp we can use traditional filtering methods. But for SCs using Solidity we can use assert and require are as convenience functions that check for conditions (e.g. a user supplies input and the mentioned functions check if the conditions are met). In cases when conditions are not met, they throw exceptions, that we help us handle the errors.

These are the cases when Solidity creates assert-type of exceptions when we [3]:

• Invoke Solidity assert with an argument, showing false.
• Invoke a zero-initialized variable of an internal function type.
• Convert a large or negative value to enum.
• We divide or modulo by zero.
• We access an array in an index that is too big or negative.

The require Solidity function guarantees validity of conditions that cannot be detected before execution. It checks inputs, contract state variables and return values from calls to external contracts.

In the following cases, Solidity triggers a require-type of exception when [3]:

• We call require with arguments that result in false.
• A function called through a message does not end properly.
• We create a contract with new keyword and the process does not end properly.
• We target a codeless contract with an external function.
• We contract gets Ether through a public getter function.
• We .transfer() ends in failure.

Generally speaking when handling complex user input and run mathematical calculations it is mandatory to use external libraries from 3rd partyaudited code. A code project to look into would be SafeMath from OpenZeppelin. SafeMath is a wrapper over Solidity’s arithmetic operations with added overflow checks. Arithmetic operations in Solidity wrap on overflow. This can easily result in bugs, because programmers usually assume that an overflow raises an error, which is the standard behavior in high level programming languages. SafeMath restores this intuition by reverting the transaction when an operation overflows.

SC External Calls

Calls to untrusted 3rd party Smart Contracts can introduce several security issues. External calls may execute malicious code in that contract or any other contract that it depends upon. As such, every external call should be treated as a potential security risk.  Solidity's call function is a low-level interface for sending a message to an SC. It returns false if the subcall encounters an exception, otherwise it returns true. There is no notion of a legal call, if it compiles, it's valid Solidity.

Especially when the return value of a message call is not checked, execution will resume even if the called contract throws an exception. If the call fails accidentally or an attacker forces the call to fail, this may cause unexpected behavior in the subsequent program logic. Always make sure to handle the possibility that the call will fail by checking the return value of that function [4].

Reentrancy (Recursive Call Attack)

One of the major risks of calling external contracts is that they can take over the control flow. In the reentrancy attack (a.k.a. recursive call attack) calling external contracts can take over the control flow, and make changes to your data that the calling function wasn’t expecting. A reentrancy attack occurs when the attacker drains funds from the target contract by recursively calling the target’s withdraw function [4].

Below we can see a schematic representation:

Note: For more information on this type of attack please see [4]

SC Denial of Service Attacks

Each block has an upper bound on the amount of gas that can be spent, and thus the amount computation that can be done. This is the Block Gas Limit. If the gas spent exceeds this limit, the transaction will fail. 

This leads to a couple possible Denial of Service vectors:

• Gas Limit DoS on a Contract via Unbounded Operations
• Gas Limit DoS on the Network via Block Stuffing

Note: For more information on DoS attacks see consensys.github.io

Use Of Delegatecall/Callcode and Libraries

According the Solidity docs [7], there exists a special variant of a message call, named delegatecall which is identical to a message call apart from the fact that the code at the target address is executed in the context of the calling contract and msg.sender and msg.value do not change their values.

This means that a contract can dynamically load code from a different address at runtime. Storage, current address and balance still refer to the calling contract, only the code is taken from the called address. This makes it possible to implement the “library” feature in Solidity: Reusable library code that can be applied to a contract’s storage, e.g. in order to implement a complex data structure.

Improper security use of this function was the cause for the Parity Multisig Wallet hack in 2017. This function is very useful for granting our contract the ability to make calls on other contracts, as if that code were a part of our own contract. However, using delegatecall() causes all public functions from the called contract to be callable by anyone. Because this behavior was not recognized when Parity built its own custom libraries. 

Epilogue 

Writing secure smart code is a lot of work and can be very complex.

References:

• consensys.github.io [1]
• consensys.github.io [2]
• www.bitdegree.org [3]
• medium.com [4]
• ethereum.stackexchange.com [5]
• ethernaut.openzeppelin.com [6]
• docs.soliditylang.org [7]

Hacker’s Elusive Thoughts The Web

Introduction

The reason for this blog post is to advertise my book. First of all I would like to thank all the readers of my blog for the support and feedback on making my articles better. After 12+ years in the penetration testing industry, the time has come for me to publish my book and tranfer my knowledge to all the intersted people that like hacking and want to learn as much as possible. Also at the end of the blog you will find a sample chapter.

About The Author

Gerasimos is a security consultant holding a MSc in Information Security, a CREST (CRT), a CISSP, an ITILv3, a GIAC GPEN and a GIAC GAWPT accreditation. Working alongside diverse and highly skilled teams Gerasi- mos has been involved in countless comprehensive security tests and web application secure development engagements for global web applications and network platforms, counting more than 14 years in the web application and application security architecture.

Gerasimos further progressing in his career has participated in vari- ous projects providing leadership and accountability for assigned IT security projects, security assurance activities, technical security reviews and assess- ments and conducted validations and technical security testing against pre- production systems as part of overall validations.

Where From You Can Buy The Book

This book can be bought from leanbup. Leanpub is a unique publishing platform that provides a way in the world to write, publish and sell in-progress and completed ebooks. Anyone can sign up for free and use Leanpub's writing and publishing tools to produce a book and put it up for sale in our bookstore with one click. Authors are paid a royalty of 90% minus 50 cents per transaction with no constraints: they own their work and can sell it elsewhere for any price.

Authors and publishers can also upload books they have created using their own preferred book production processes and then sell them in the Leanpub bookstore, taking advantage of our high royalty rates and our in-progress publishing features.

Please for more information about bying the book see link: https://leanpub.com/hackerselusivethoughtstheweb

Why I Wrote This Book

I wrote this book to share my knowledge with anyone that wants to learn about Web Application security, understand how to formalize a Web Appli- cation penetration test and build a Web Application penetration test team.

The main goal of the book is to: 

Brainstorm you with some interesting ideas and help you build a com- prehensive penetration testing framework, which you can easily use for your specific needs. Help you understand why you need to write your own tools. Gain a better understanding of some not so well documented attack techniques.

The main goal of the book is not to:

 
Provide you with a tool kit to perform Web Application penetration tests. Provide you with complex attacks that you will not be able to under- stand. Provide you with up to date information on latest attacks.

Who This Book Is For 

This book is written to help hacking enthusiasts to become better and stan- dardize their hacking methodologies and techniques so as to know clearly what to do and why when testing Web Applications. This book will also be very helpful to the following professionals:

1. Web Application developers.
2. Professional Penetration Testers.
3. Web Application Security Analysts.
4. Information Security professionals.
5. Hiring Application Security Managers.
6. Managing Information Security Consultants.

How This Book Is Organised  

Almost all chapters are written in such a way so as to not require you to read the chapters sequentially, in order to understand the concepts presented, although it is recommended to do so. The following section is going to give you an overview of the book:

Chapter 1: Formalising Web Application Penetration Tests -

This chapter is a gentle introduction to the world of penetration testing, and attempt to give a realistic view on the current landscape. More specifically it attempt to provide you information on how to compose a Pen- etration Testing team and make the team as ecient as possible and why writing tools and choosing the proper tools is important.

Chapter 2: Scanning With Class -

The second chapter focuses on helping you understand the dierence between automated and manual scanning from the tester’s perspective. It will show you how to write custom scanning tools with the use of Python. This part of the book also contains Python chunks of code demonstrating on how to write tools and design your own scanner.

Chapter 3: Payload Management -

This chapter focuses on explaining two things a) What is a Web payload from security perspective, b) Why is it important to obfuscated your payloads.

Chapter 4: Infiltrating Corporate Networks Using XXE -

This chapter focuses on explaining how to exploit and elevate an External Entity (XXE) Injection vulnerability. The main purpose of this chapter is not to show you how to exploit an XXE vulnerability, but to broaden your mind on how you can combine multiple vulnerabilities together to infiltrate your target using an XXE vulnerability as an example.

Chapter 5: Phishing Like A Boss -

This chapter focuses on explaining how to perform phishing attacks using social engineering and Web vulnerabilities. The main purpose of this chapter is to help you broaden your mind on how to combine multiple security issues, to perform phishing attacks.

Chapter 6: SQL Injection Fuzzing For Fun And Profit -

This chapter focuses on explaining how to perform and automate SQL injection attacks through obfuscation using Python. It also explains why SQL injection attacks happen and what is the risk of having them in your web applications.


Sample Chapter Download

From the following link you will be able to download a sample chapter from my book:

Sample Book Download

PHP Source Code Chunks of Insanity (Delete Post Pages) Part 4

Intro 

This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems.

The Code

In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to delete posts from the logged in users securely.

 <?php  
 require_once 'common.php';   
 validatemySession();   
 mydatabaseConnect();  
  $username = $_SESSION['username'];// Insecure source  
 $username = stripslashes($username);// Improper filtering  
 $username = mysql_real_escape_string($username);//Flawed function  
 // Delete the post that matches the postId ensuring that it was created by this user  
  $queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId']. " AND Username = '$username'";  
  if (mysql_query($queryDelete))// Bad validation coding {  
       header('Location: myPosts.php'); }  
  else {  
      echo "An error has occurred.";   
      }  
 ?>  

If you look carefully the code you will se that the code is vulnerable to the following issue: SQL Injection!!
    
Think this is not accurate , think better.

The SQL Injection

An adversary in order to exploit this vulnerability would not have to script custom tools, would only have to have good knowledge of SQL injections methodologies and exposure to PHP coding.

Vulnerable Code:

1st Code Chunk 

 $username = $_SESSION['username'];// Insecure source  
 $username = stripslashes($username);// Improper filtering 

 $username = mysql_real_escape_string($username);//Flawed function  

2nd Code Chunk: 

 $queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId']. " AND Username = '$username'";  

3rd Code Chunk:    

 if (mysql_query($queryDelete))  

The mysql_real_escape_string function is based in the black list mentality. What it does is that escapes special characters in the un-­‐escaped string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query. More specifically mysql_real_escape_string calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters:

1. \x00 
2. \n
3. \r
4. \
5. '
6. “
7. \x1a.

Due to this odd behavior characters such as the % and SQL keywords are not being affected, so queries that have the form of e.g. SELECT BENCHMARK(50,MD5(CHAR(118))) would be executed normally. A realistic scenario would be to use a query such as the one below:

Step1: SQL Payload that would cause the post to delete without the postId be known. 

 LIKE %’s’  

Note1: At this point we assume that the attacker knows the format of the username e.g. its user plus a two-­‐digit number. 

Step2: SQL Payload mutated in order to bypass the filters.

 LIKE CHAR(37, 8217, 115, 8217)  

Note2: Further expanding on the attack if the Web App does not have a standard format for the usernames then the adversary can brute-­‐force the username first latter e.g. try out all English letters e.g. LIKE %’a’, LIKE %’b’, LIKE %’c’ ... etc. and eventually execute the query with a valid first username letter. Translating that to an obfuscated SQL Payload would be LIKE CHAR(39, 97, 37, 39), LIKE CHAR(39, 98, 37, 39) etc.

Note3: The mysql_real_escape_string function is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Alternatives to this function include: mysqli_real_escape_string and PDO::quote. The mysql_query() function sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier. In this specific code example the query returns true if a record is found (any record). This obscure behavior introduces the vulnerability combined of course with the above code. The function used in the mysql_query statement should return a record set only if the correct record set is returned and not just any match.

Note4: This extension is deprecated as of PHP 5.5.0.

Remedial Code:

Provide Server Side filters filter for remediating the vulnerability. Make use of strongly typed parameterized queries (using the bind_param).

 // Using prepared Statements.  
 if ($stmt = $mysqli-­‐>prepare("DELETE FROM posts WHERE PostId = ? AND Username = ? LIMIT 1"))  
 {  
 $stmt-­‐>bind_param('s', $ username); // Bind "$ username" to parameter. 

 $stmt-­‐>execute(); // Execute the prepared statement.  
 ...  
 }  

Note: Other counter measures would include black list filtering of SQL keywords such as the LIKE and CHAR keywords.

References:

1. http://php.net/manual/en/function.mysql-­‐real-­‐escape-­‐string.php
   
2. http://dev.mysql.com/doc/refman/5.0/en/pattern-­‐matching.html
   
3. http://php.net/manual/en/function.mysql-­‐query.php
   
4. http://www.php.net/manual/en/pdo.query.php
   
5. http://stackoverflow.com/questions/7069640/are-­‐there-­‐any-­‐security-­‐benefits-­‐to-­‐using-­‐pdoquery-­‐vs-­‐mysql-­‐query