-
Automating local DTD discovery for XXE exploitation
Last month, we presented at Hack In Paris (France) an XML External Entities (XXE) exploitation workshop. It showcased methods to exploit XXE in the face of numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file, and more specifically how we built a large list of reusable DTD files. XML External…
-
ESI Injection Part 2: Abusing specific implementations
Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on…
-
Beware of the Magic SpEL(L) – Part 2 (CVE-2018-1260)
On Tuesday, we released the details of an RCE vulnerability affecting Spring Data (CVE-2018-1273). We are now repeating the same exercise for a similar RCE vulnerability in Spring Security OAuth2 (CVE-2018-1260). We are going to present the attack vector, its discovery method and the conditions required for exploitation. This vulnerability also has similarities with another vulnerability disclosed in 2016.…
-
Beware of the Magic SpEL(L) – Part 1 (CVE-2018-1273)
This February, we ran a Find Security Bugs scan on at least one hundred components from the Spring Framework, including the core components (spring-core, spring-mvc) but also optional components (spring-data, spring-social, spring-oauth, etc.). From this exercise, we reported some vulnerabilities. In this blog post, we are going to give more details on a SpEL…
-
When Governments Fail, Private Initiative Is the Solution
In a disturbing number of incidents in recent years, local governments have withheld critical services, resulting in destruction and death. Consider, for example, the mass shooting in Uvalde, Texas, on May 24, 2022. Law enforcement officers waited for 77 minutes inside Robb Elementary School before confronting and killing the active shooter who murdered 21 people—19…
-
The Banking Surveillance Industrial Complex
A bombshell report was released in December of 2024 by the House Judiciary Committee, revealing that a massive and constitutionally dubious surveillance operation has been underway by the federal government against countless Americans. Titled “How the Federal Government Weaponized the Bank Secrecy Act to Spy on Americans,” its key findings demonstrate that the FBI and…
-
Will Am I Racist? Stand the Test of Time?
Am I Racist?, Matt Walsh’s searing attack on Diversity, Equity, and Inclusion (DEI) initiatives, dominated the documentary film box office in 2024. Screening in 1,600 theaters at its height, the film earned $12.3 million before streaming on the Daily Wire. Walsh’s film grossed more at the box office than any other documentary since 2019. That’s…
-
What is Double Extortion Ransomware?
Double extortion is an advanced ransomware tactic where attackers not only encrypt a victim’s data to demand a ransom for decryption but also steal the data and threaten to release or sell it publicly if the ransom isn’t paid. Talk about salt in a wound; this one is the worst.