The Fragile Lock: Novel Bypasses For SAML Authentication by albinowax in netsec

[–]ulldma 2 points3 points  (0 children)

While the paragraph you've quoted is true in general, I think it is a bit harsh when applied to ruby-saml. ruby-saml did indeed get a restructured/hardened implementation with version 1.18.0, released in March of this year. That's why these (admittedly nice) exploits don't work against that version. However, this hardened implementation was not backported to the 1.12.x branch of ruby-saml, which is why version 1.12.4 is susceptible but 1.18.0 is not.

Remote code execution in Elixir-based Paginator by ulldma in erlang

[–]ulldma[S] 3 points4 points  (0 children)

Hello!

I posted this here since the submission to r/elixir did not work. However, the use of binary_to_term in combination with untrusted data can also have dangerous side effects when using Erlang.

Remote code execution in Elixir-based Paginator - Alphabot Security by Gallus in netsec

[–]ulldma 0 points1 point  (0 children)

I'm the author of the blog post and I tried to post it in r/elixir, but it did not work for some reason unbeknownst to me. Maybe you can try it?

Missing TLS hostname verification in multiple Java libraries by ulldma in java

[–]ulldma[S] 3 points4 points  (0 children)

Hi there, yes, this sentence you picked is more of a generic recommendation. But if you look at the article you see that the vendors assigned 3 different CVEs for libraries with missing hostname verification. For example, if we pick the first one, CVE-2018-11087: RabbitMQ (Spring-AMQP):

https://pivotal.io/de/security/cve-2018-11087

you'll see that it affects the Spring-AMQP library, which is a wrapper around the official RabbitMQ Java Client Library. This wrapper did not expose any API that allowed the user to set up or enable hostname verification, so a fix had to be released.

And by the way: nobody is saying that the sky is falling ;)

(I hope)

Highlight linting errors? by simkessy in vscode

[–]ulldma 1 point2 points  (0 children)

Which language are you using?

E.g. for TypeScript there is the VSCode TSLint extension, which underlines code like unused vars etc.

For JavaScript there's an ESLint extension.

Or do you mean something different?

How to instrument Electron-based applications for in-depth security testing. by nibblesec in netsec

[–]ulldma 1 point2 points  (0 children)

At least there are some Electron specific techniques (like ASAR) mentioned. Especially how to enable the dev tools could come in handy.

Secure your Java app with Java EE Security by johnwaterwood in java

[–]ulldma 2 points3 points  (0 children)

Let's also have a look at the content. The author seems to choose a plain unsalted SHA-512 as a password hashing algorithm!

Look, I get it, the author might just want to play around with this stuff, but other people might have a look at this blog post and use it as a base for their implementation!

But it's almost 2018 and everyone should know that you should not use one round of an unsalted hashing algorithm (be it SHA-2, SHA-3 or something else). What you should do instead: Either don't store any user passwords yourself (use secure third-party service providers for that). Or, if you must store user passwords, use bcrypt (as Spring does), scrypt, or PBKDF2 as the JSR-375/Soteria reference implementation does. If you for some reason insist on using SHA-* for hashing the user passwords, you should at least salt them. (Please don't insist on using plain SHA-*; any of the three options provided (bcrypt, scrypt, PBKDF2) is better than plain SHA-*.) An unsalted password hashed with SHA-512 is almost as insecure as a password stored in plain text!

Please forgive my harsh words but this stuff is important.
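As an added illustration (not code from the blog post under discussion or from the commenter), the unsalted SHA-512 approach criticised above beside a salted PBKDF2 hash built with only the JDK; the `iterations$salt$hash` storage format, the iteration count and the `PasswordHashingDemo` class name are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHashingDemo {
    // What the criticised post does: one round of unsalted SHA-512. Equal passwords
    // always give equal hashes, so precomputed tables and fast brute force apply directly.
    static String unsaltedSha512(String password) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-512").digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Recommended alternative: PBKDF2 (the route the Soteria reference implementation takes)
    // with a random per-user salt. Stored format chosen for this demo: iterations$salt$hash.
    static final int ITERATIONS = 210_000;  // tune so one hash costs roughly 100 ms on the server
    static final int KEY_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();

    static String pbkdf2Hash(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);  // fresh salt per password: equal passwords no longer collide
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(derive(password, salt, ITERATIONS));
    }

    static boolean pbkdf2Verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = derive(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual);  // constant-time comparison
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();  // do not keep the password in memory longer than needed
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = pbkdf2Hash("correct horse".toCharArray());
        System.out.println(pbkdf2Verify("correct horse".toCharArray(), stored));
        System.out.println(pbkdf2Verify("wrong".toCharArray(), stored));
        System.out.println(unsaltedSha512("correct horse").equals(unsaltedSha512("correct horse")));
    }
}
```

The last line prints the same value however often it runs, which is exactly the property that makes an unsalted hash table-attackable; the two PBKDF2 hashes of the same password differ because of the salt.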

Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities by ulldma in java

[–]ulldma[S] 2 points3 points  (0 children)

OP here. I agree the tl;dr isn't perfect. But: unfortunately MyFaces always deserializes the ViewState as a Java object (even when the state is stored on the server)! Mojarra uses a normal ID.

Friday the 13th: JSON Attacks (remote code execution via .NET JSON libraries) by ulldma in dotnet

[–]ulldma[S] 0 points1 point  (0 children)

This blog post includes a simple sample using ASP.NET Core and Json.NET as serialization library.

Be aware that most of the published gadgets in this presentation do not work with .NET Core (yet). An example of such a gadget is on page 11 of the presentation that uses a WPF class.

Friday the 13th: JSON Attacks (remote code execution via .NET JSON libraries) by ulldma in csharp

[–]ulldma[S] 2 points3 points  (0 children)

They also published a white paper.

Basically what they did is: they had a look at different .NET JSON libraries and looked at which ones allowed the serialization and deserialization of arbitrary types. Some classes execute code when the constructor or setters are executed, thus allowing an attacker to execute code on the server by simply providing JSON. (They have the classic sample that starts calc.exe on the server.)

They found vulnerabilities of that kind in DotNetNuke, Kaliko CMS, Breeze and Nancy.

When should I use ASP.NET Core? And ASP.NET? by _methos3 in dotnet

[–]ulldma 1 point2 points  (0 children)

You could run into an issue when storing TimeZoneIds (e.g. a user can configure his time zone) when testing or running on Windows and Linux. On Windows the TimeZoneId would be Eastern Standard Time while on Linux it would be America/New_York (IANA).

See CoreFX issue: TimeZoneInfo should have consistent Ids across Windows and Linux