I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
Today Iβm raising money to send underrepresented folks to @defcon.bsky.social + other technical cons/training next year! Yes, youβll get a tax write off β€οΈ
Hear our Scholar Stories for the impact of WISP: www.wisporg.com/scholars
Hereβs the donation link! wisporg.app.neoncrm.com/forms/donation
Scene from "The Hobbit" movie with Elrond and Bilbo talking with meme text saying "it is said: go not to the principal engineers for counsel, for they will say both no and yes"
What I had read in multiple places seemed to indicate that it did not do that, but now I'm not so sure
Imported my previous posts from twitter. App should show a small indicator to note that it isn't new
speech and writing are just serialization for human thoughts #showerthoughts
summary of how apps tended to mitigate a reported deserialization vulnerability
summary of how gadgets tended to be introduced into a library
paper here https://arxiv.org/pdf/2208.08173.pdf
Some very cool research and analysis in this paper, but remember kids: don't assume that fixing/removing/blocking gadget classes is going to protect you if you're still deserializing objects from untrusted data https://twitter.com/TheRegister/status/1561805738699259905
Though tbf, anything trying to be an API is only as good as it's documentation, contracts, and change control
Also, your internal app logs are not an API https://twitter.com/rakyll/status/1562239578865405952
More fun bespoke Oracle product java deserialization gadget chains and blacklist bypasses https://twitter.com/peterjson/status/1539920744129634305
Fun fact: @gebl's URLDNS java deserialization gadget in ysoserial relies on exactly this obscure (and absurd) behavior to trigger a DNS lookup https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java#L27 https://twitter.com/ncweaver/status/1470453024870912000
This seems likely to be fruitful against a lot of apps out there. https://twitter.com/iangcarroll/status/1455580303578124291
Handy detailed TLS protocol reference https://tls.ulfheim.net/
https://twitter.com/josephfcox/status/1448711092201472006
Great analogy, and applicable to the whole tech industry https://twitter.com/kwestin/status/1445965144979218435
Good survey of Ruby ecosystem deserialization vulnerabilities https://twitter.com/zenn_dev/status/1442089822156296193
In my previous life as a lead sweng, our project's maven pom.xml literally listed my role as "code archaeologist" https://twitter.com/rakyll/status/1441832225595527169
Artistic rendition of code reuse attacks a la ROP and deserialization https://twitter.com/Rainmaker1973/status/1402664288104292353
Older post focusing on intra-service auth is also great https://web.archive.org/web/20200507173734/https://latacora.micro.blog/a-childs-garden/
Great overview and pros/cons of various types of auth tokens https://twitter.com/tqbf/status/1430278923653468168
That's the sound of 100k developers firing up Linux VMs https://twitter.com/QuinnyPig/status/1432720164169076755
I don't always do work on weekends, but when I do...
More excellent WebLogic deserializaion gadget blocklist bypass work from @matthias_kaiser. I've lost count on all these. https://twitter.com/matthias_kaiser/status/1417837065060950021
PSA: folks should be aware that AWS Infinidash allows full read access by default so make sure you lock yours down with a fine-grained IAM policy
This would make a great April fool's day prank next year https://twitter.com/FooBartn/status/1411349844292247553
And if you want to play more, just run this docker-compose project locally and netcat to the entrance at port 4444
https://gist.github.com/frohoff/3a387ede3364f4ee2733fbffe7d297d0
For anyone who didn't finish the Deathball challenge series at @LayerOneCTF and was curious, here's the map of our pseudo-randomly generated network REPL container labyrinth:
