Posts Tagged: exploit
In this post we’ll have a look at the nodejs deserialization attack/exploit in XVNA (eXtreme Vulnerable Node Application). Insecure deserialization is part of the OWASP Top 10 list that was published in 2017. We’ll use the setup detailed here (XVNA runs on port 80). As a web proxy, Burp or ZAP are highly recommended, but…
As suggested by Intel in their Intel Analysis of Speculative Execution Side Channels whitepaper, the recommended mitigation for Spectre (CVE-2017-5753) is to use the LFENCE instruction (“LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes”). This will stop the bounds check bypass method that relies…
This is a Python script designed to automatically find XSS (cross-site scripting), directory traversal/LFI (local file inclusion) and open redirect vulnerabilities. It uses a predefined dictionary for XSS/LFI attacks that can easily be extended. The open redirect vulnerabilities are checked against malwrforensics.com. The tool is released for testing purposes ONLY! How to use: Just point and…
ByteFUZZ is a file format fuzzer that can do blind fuzzing by replacing bytes from the original/seed file. Once the files are generated, it will call the target program with the fuzzed files as arguments and check to see if there is a crash. Let’s see it in action 🙂 If you want to just…