The Assetnote blog is a gift that just keeps giving. This time, Shubs found a vulnerability that originated in a very simple mistake: in an if statement, the AND operator was used instead of the OR operator. This simple mistake led to the RCE in the Dynamicweb...
#24
Solving a CTF task by ASCII-only JAR webshell
This writeup from Real World CTF 2022 from LiveOverflow’s team is absolutely mental. He shows the whole process of what solving a properly hard CTF task looks like, including problems and unsuccessful ideas. The exploit ends in creating an ASCII-only .jar file...
Web3 learning corner #2
First, I decided to rename the Blockchain learning corner to Web3 learning corner - the name seems more appropriate as I was not learning Blockchain itself but Blockchain-related technologies and Web3 is a widely-accepted way to describe it. With that sorted out,...
Nuclei Burp Plugin
I know a lot of hackers use nuclei. If you are using it, too, definitely check out the Nuclei Burp plugin that allows generating nuclei templates straight from Burp Suite. It’s not on the BApp store so you have to install it manually from a .jar file....
Escaping shell arguments for command injection bugs
Command injection is usually a critical vulnerability. Even though it’s not very popular these days, it’s definitely still present and worth knowing. In this article, I will show you the potential vectors of attack and quirks I learned recently. We will consider a...
TOP 7 hacking technique 2021 – JSON interoperability bugs
Many vulnerabilities originate in inconsistencies in parsing input between different components of the same application. In simple words - sometimes parsers make assumptions about how to parse a quirky value. In itself, it’s not a security bug. It becomes a serious...
Bypassing URL blocklists in Java
Java, like every language, has some quirks. One of them is that you can use url: before URLs to bypass potential filters. One of the replies to the tweet by Phith0n also mentions that leading spaces work, too. source tweet