The Story of an RCE on a Java Web Application
It was about two months ago (November 2021) I was invited to a private program. According to their program scope, I decided to hack them for a while. This post is about a vulnerability I’ve found in this company that led to RCE.
https://infosecwriteups.com/the-story-of-a-rce-on-a-java-web-application-2e400cddcd1e
It was about two months ago (November 2021) I was invited to a private program. According to their program scope, I decided to hack them for a while. This post is about a vulnerability I’ve found in this company that led to RCE.
https://infosecwriteups.com/the-story-of-a-rce-on-a-java-web-application-2e400cddcd1e
Medium
The Story of an RCE on a Java Web Application
It was about two months ago (November 2021) I was invited to a private program. According to their program scope, I decided to hack them…
Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
On Thursday, December 9th, a 0-day exploit in the popular Java logging library log4j (version 2)
was discovered that results in Remote Code Execution (RCE), by logging a certain string.
Given how ubiquitous this library is, the impact of the exploit (full server control),
and how easy it is to exploit, the impact of this vulnerability is quite severe.
We're calling it
"Log4Shell" for short.
The 0-day was tweeted along with a POC posted on GitHub. It has now been published as CVE-2021-44228.
https://www.lunasec.io/docs/blog/log4j-zero-day/www.lunasec.io
Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaTrace
Given how ubiquitous log4j is, the impact of this vulnerability is quite severe. Learn how to fix Log4Shell, why it's bad, and what a working exploit requires in this post.
Forwarded from Cyber Threat Intelligence
BleepingComputer
Ukrainian military agencies, state-owned banks hit by DDoS attacks
The Ministry of Defense and the Armed Forces of Ukraine and two of the country's state-owned banks, Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank), are being hammered by Distributed Denial-of-Service (DDoS) attacks.
Forwarded from SHELL SHOCK
Udemy
Linux Bash Scripting
Start with Bash scripting and Automate Tasks
Forwarded from @Phantasm_Lab
APPSEC Cali 2018 - A Tour of API Underprotection
Author
https://youtu.be/lgAEJwgxe0Y
🕴 @Phantasm_Lab
Effective API protection is a growing concern, reflecting the popularity of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured Web APIs and techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys and the critical interplay between them. Of particular concern are mobile API consumers whose code is statically published with secrets which are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications. Certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will be discussed such as app hardening, white box cryptography and mobile app attestation. You should gain a good understanding of the underprotected API problem, with some immediately practical tips to improve your API security posture and a sense of emerging tools and technologies that enable a significant step change in API security.
Author
Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom coprocessor platforms in video, networking, and security modules. Prior to CriticalBlue, Skip worked in formal verification, FPGA design, reconfigurable hw/sw systems, and VLSI and mixed-signal chip design. He enjoys working directly with customers and is a writer at Hacker Noon, focused on API security topics such as “They reverse engineered 16k apps; here’s what we’d fix”, and "Mobile API Security".
https://youtu.be/lgAEJwgxe0Y
🕴 @Phantasm_Lab
YouTube
APPSEC Cali 2018 - A Tour of API Underprotection
Abstract :
Effective API protection is a growing concern, reflecting the popularity of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured…
Effective API protection is a growing concern, reflecting the popularity of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured…
Forwarded from @Phantasm_Lab
Mobile Network Hacking, IP Edition
We explore which protection measures are missing from the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.
https://www.youtube.com/watch?v=3XUo7UBn28o&list=PLH15HpR5qRsXiPOP3gxN6ultoj0rAR6Yn&index=3
We explore which protection measures are missing from the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.
https://www.youtube.com/watch?v=3XUo7UBn28o&list=PLH15HpR5qRsXiPOP3gxN6ultoj0rAR6Yn&index=3
YouTube
Mobile Network Hacking, IP Edition
By Karsten Nohl, Luca Melette & Sina Yazdanmehr
We explore which protection measures are missing from the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.
Full Abstract & Presentation Materials: …
We explore which protection measures are missing from the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.
Full Abstract & Presentation Materials: …
$300 Google API key leaked to Public on Live Website
https://www.youtube.com/watch?v=ZUXUz22dCiQ
https://www.youtube.com/watch?v=ZUXUz22dCiQ
YouTube
$300 Google API key leaked to Public on Live Website | Bug Bounty | POC | Private Program Hacker one
#BugBounty #poc #Delhi #Shishir #thebbh
Follow me on Twitter :- https://twitter.com/OfficalTeamBBH
This video is Just for an Educational Purpose.
Welcome to my channel, on my channel I will upload a video about the Bounty bug that I found
I'm just a newbie…
Follow me on Twitter :- https://twitter.com/OfficalTeamBBH
This video is Just for an Educational Purpose.
Welcome to my channel, on my channel I will upload a video about the Bounty bug that I found
I'm just a newbie…