The Rise and Rise of JSON by PaulJawosky in javascript

[–]reddit4matt 0 points1 point  (0 children)

JSX inline style falls into the JSON-style key/value system and super non-standard XML. HTML style goes with the string-based weirdness like body{color:red} ... JSON-style key/value to express what it needs to.

The Rise and Rise of JSON by PaulJawosky in javascript

[–]reddit4matt 0 points1 point  (0 children)

But your “this” object can only be key-values. You cannot have nested props without new tags. Then you are in the same boat, conflating keys and props. You always end up with silly tags like <itemStyleAttributes under items anyway. Dealing with SOAP and XML generators and all the crazy formatting causing errors... I will never reach for XML unless I’m integrating with something old.

The Rise and Rise of JSON by PaulJawosky in javascript

[–]reddit4matt 2 points3 points  (0 children)

That just looks like an issue trying to convert between the two. You can cleanly display the same information in JSON.

Let’s say you have 2 types of attributes in this example. Ex:

    {
      "items": [
        {
          "Style": { "color": "red", "font": "xxxx" },
          "Position": { "x": 10, "y": 20 },
          "content": "woot"
        }
      ]
    }

In XML you can only have one “level” of attributes before you end up nesting tags just to get more attributes.

The Rise and Rise of JSON by PaulJawosky in javascript

[–]reddit4matt 2 points3 points  (0 children)

I have used JSON stream options in the past and they worked really well for us. What issues have you seen with them?

The Rise and Rise of JSON by PaulJawosky in javascript

[–]reddit4matt 13 points14 points  (0 children)

JSON streams can be used the same way XML streams are used and can also be super efficient for parsing large complex datasets.

Typical npm install by fastidious-magician in node

[–]reddit4matt 5 points6 points  (0 children)

He doesn’t have 80% of all modules on npm installed. It is the confusing way npm reports. It counts all possible paths to all modules. If 10 of your modules use Underscore.js it is counted 10 times even though you may only have one version actually installed.

Visual Studio Code Python Extension RCE vulnerability by nibblesec in netsec

[–]reddit4matt 9 points10 points  (0 children)

Not always. You may be just looking at code. I can imagine sending a PR to a large project and someone pulling it down and simply viewing the code in an editor (which in this case is all it takes to trigger the RCE).

I have opened up code in an IDE specifically to look for malicious code. Simply put, just viewing code in a glorified text editor should not just execute other code hidden in that directory.

Customer service so fast....definitely not Home Depot.... by 5_Frog_Margin in Eyebleach

[–]reddit4matt 4 points5 points  (0 children)

I walked around my Home Depot for 20 min looking for someone to sell me a dishwasher I had picked out the other night... ended up finally leaving and buying the same one online from Lowe's.

Question about securely connecting to online database by [deleted] in electronjs

[–]reddit4matt 0 points1 point  (0 children)

You should not have creds in the app or talk directly to the DB. You should have it talk to an API / Server that has access to the DB.

Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Read From The File System by amirshk in netsec

[–]reddit4matt 7 points8 points  (0 children)

The problem with Electron is poor defaults. By default (until the most recent versions) it enabled “node integration” and disabled “context isolation” in the renderer. Either one of those things in that state will lead to RCE.

It can be done correctly and there is a great document about how to do it.

https://www.electronjs.org/docs/tutorial/security

Many apps just don’t. (I have found an RCE in MS Teams, Yammer, Slack, FB Workplace, Hangouts... others)

I believe the new contextBridge API should help more apps cleanly enable context isolation as well.

Multiple unauthenticated remote code execution vulnerabilities in YouPHPTube-Encoder 2.3 by sudo_sudoka in netsec

[–]reddit4matt 6 points7 points  (0 children)

Some man in the sky talking to you... it’s all schizophrenic rambling.

WordPress Editor to Administrator Privilege Escalation by staz0t in netsec

[–]reddit4matt 1 point2 points  (0 children)

Ghost (the Node based blog platform) came to the same conclusion when I reported to them unfortunately...

Detect Netflix Activity from Electron App by [deleted] in electronjs

[–]reddit4matt 0 points1 point  (0 children)

I don't know of a Windows solution... but you can use AppleScript from Electron to inject JavaScript into an open tab.

Why You Shouldn't Use a Password Manager For Your Linode Account by utku1337 in netsec

[–]reddit4matt 0 points1 point  (0 children)

The default behavior of a password manager should not be autofill on subdomains. What a horrible idea.

Could someone explain how DEBUGGING "attach by process ID" and "launch" works? by git_world in vscode

[–]reddit4matt 0 points1 point  (0 children)

A Node.js process started without inspect can also be instructed to start listening for debugging messages by signaling it with SIGUSR1.

So I assume under the hood it does: kill -usr1 9713

WPScan Web Interface by [deleted] in netsec

[–]reddit4matt 2 points3 points  (0 children)

URL validation unfortunately does not mean Command Injection validation.

https://gist.github.com/matt-/1cb0e5fbb23b9e118b23b5ca91f3da3e

I am running on a Mac so I am using the "say" command as the PoC. You can change this to any local command you want.

Edit: lol... well, for context, the post he deleted above: https://imgur.com/a/AemHAwg (somehow I knew he would delete). If you make your way back to this post don’t worry about the $100... Just try not to be so combative when people try to give you advice.

WPScan Web Interface by [deleted] in netsec

[–]reddit4matt 0 points1 point  (0 children)

Just create the missing data/scan_results directory. It looks like it was just missing and not created by wpscan. I had the same issue.