Rails 6 leaked secret token
If an attacker can obtain the value of secret_key_base in rails 6, can he achieve RCE through that, similar to https://www.exploit-db.com/exploits/27527 (applicable to rails 2-4)?
Category Archives: deserialization
Is Marshal.load safe for Marsha.dumped data
I want to serialize and deserialize models that contain user input. Marshal is a serialization library built into Ruby.
By design, ::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote… Continue reading Is Marshal.load safe for Marsha.dumped data
How does "./" affects signature generation for files, in a PHP based web application?
I am solving a lab related to serialization vulnerabilities. It deals with retrieving files based on the signature. The theory of the lab states as quoted, "Adding ./ will still give you the same file but the application will generate… Continue reading How does "./" affects signature generation for files, in a PHP based web application?
Insecure deserialization [closed]
While I was performing a security test on a website, I saw a serialized cookie encoded in base64, So I decoded it and found the following:
a:7:{s:1:"s";s:32:"cd36a1728d441787e3938eca00a26495";s:1:"c";s:32:&quo… Continue reading Insecure deserialization [closed]
How to decode ysoserial .net payload
Is there any way to decode ysoserial .net payload?
For instance
I’m creating payload with:
ysoserial.exe -f BinaryFormatter -o base64 -c "ping test.com" -g WindowsIdentity
Is there any convenient way to reverse the payload to un… Continue reading How to decode ysoserial .net payload
Is Java native serialization safe if objects contains fields that are under attacker control?
I’m currently setting up a Java application that should cache objects in Redis. One of the options to serialize/deserialize the objects is the Java Native serialization.
I know that object deserialization is often a way in for attackers, s… Continue reading Is Java native serialization safe if objects contains fields that are under attacker control?
Unserialize URI with PHP and nginx to gain RCE
I stumbled upon this abomination in the code base of a project I’m working on and wondered if it constitutes a security issue.
$requestUri = explode(‘?’, $_SERVER[‘REQUEST_URI’]);
$requestUri = explode(‘/’, $requestUri[0]);
array_shift($r… Continue reading Unserialize URI with PHP and nginx to gain RCE
Put APIs to Work wth this ArduinoJson Walkthrough
One of the things this community is famous for is the degree to which people will pitch in to fill an obvious need. Look at the vast array of libraries …read more Continue reading Put APIs to Work wth this ArduinoJson Walkthrough
JSON.Net insecure deserialization
I have a question in regard to insecure deserialization with the JSON.Net component.
It is my understanding that this component is safe by default unless you specify the TypeNameHandling setting to anything except for none.
However, suppos… Continue reading JSON.Net insecure deserialization
Is accepting arbitrary COM pointers over a process boundary safe?
I have a legacy Windows application that needs to be looked over in terms of security. During this review something caught me eye. In the out of process COM server I’m looking at is a method that accepts an arbitrary class pointer. The met… Continue reading Is accepting arbitrary COM pointers over a process boundary safe?