Beurtschipper – WindowsTechs.com

Are deserialization attacks possible when unmarshalling user input to non-vulnerable types using the JAXB unmarshaller?

Posted on January 10, 2024 by Beurtschipper

Are deserialization attacks possible when unmarshalling user input to non-vulnerable types using the JAXB unmarshaller?
We all know that deserializing user input to arbitrary types in Java leaves an application open to deserialization atta… Continue reading Are deserialization attacks possible when unmarshalling user input to non-vulnerable types using the JAXB unmarshaller?→

Information disclosure via ktpass tool

Posted on November 16, 2020 by Beurtschipper

The Microsoft ktpass tool can be used to generate a .keytab file that contains a secret key. I’d like to understand the output of the tool.
An example output can be found here. I’m interested in the following part:
keylength 16 (0xdd74540c… Continue reading Information disclosure via ktpass tool→

Do I still need CSRF protection when SameSite is set to Lax?

Posted on July 8, 2020 by Beurtschipper

During a security assessment I noticed that Firefox automatically set the SameSite value of a session cookie to Lax. According to the Mozilla specs, this is the case for ‘modern browsers’.
The SameSite attribute set to Lax seems to protect… Continue reading Do I still need CSRF protection when SameSite is set to Lax?→