Home
💻 | Blog
Cancel

SuiteCRM - Phar Deserialization to Code Execution

This is a copy of a blog which i recently published on Snyk: https://snyk.io/blog/suitecrm-phar-deserialization-vulnerability-to-code-execution/ Introduction uiteCRM is a free and open source Cus...

May 10, 2021 web application security

Fuzzing with Go-Fuzz

Fuzzing can often be a very useful technical for finding bugs. Go-fuzz is a coverage-guided fuzzing solution for testing of Go packages. go-fuzz. This blog post will walk you through how to use it ...

May 4, 2021 fuzzing

ADempiere Unsafe Deserialization to Code Execution

Introduction Deserializing user-controlled object streams at runtime can allow attackers to execute arbitrary code on the server, abuse application logic, and/or lead to denial of service Java se...

Apr 15, 2021 web application security

OpenCATS PHP Object Injection to Arbitrary File Write

Introduction OpenCATS is an application tracking system that is written in PHP. More about OpenCATS can be seen here: https://www.opencats.org/. OpenCATS is vulnerable to PHP Object injection, by ...

Jan 17, 2021 web application security

PHP Object Injection Exploitation Notes

Notes I’ve written and Collected about PHP Deserialization Introduction serialize and unserialize Serialization functions are commonly used within software to store data to a file, a memory buff...

Jan 9, 2021 web application security

Code Security Advent Calendar 2020 Answers

SonarSource is a company focused on code quality and static analysis. This year, SonarSource, along with RIPS Technologies will be tweeting code challenges from real world vulnerabilities on their ...

Dec 29, 2020 ctf

Writing AngularJS Security Semantic Rules using Semgrep

AngularJS Security is something I have looked into in the past. In 2016, I conducted a workshop on AngularJS Security in MWR’s MWRICON which highlighted some common security issues and how they cou...

Sep 3, 2020 software security, static analysis

Demystifying HTTP request smuggling

This is a cross post of the blog post written here:https://snyk.io/blog/demystifying-http-request-smuggling/. Often at my role as a Security Analyst within Snyk, I study trends within the dependenc...

Jul 1, 2020 software security

Webhacking.kr Solutions

This blog post contains a walk-through of https://webhacking.kr/ wargames which was recommended to me by a friend. Level 1 The following can be seen in level 1. The source code of the backend ...

Apr 4, 2020 ctf

Patching Zip Traversal within pclzip

Recently I went hunting for Zip traversal vulnerabilities within the PHP ecosystem. While looking at well known PHP ZIP dependencies, I noticed that, both pclzip and zipper were vulnerable to trave...

Mar 2, 2020 software security