WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour

I had presented a conference talk in AppSec EU 2018 about WAF bypass techniques. Some screenshots and my original tweet about it can be seen below: Here are my WAF bypass talk slides at @appseceu 2018:...

MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online

I was amongst top 5 bounty hunters in MS Q4 2018: https://blogs.technet.microsoft.com/msrc/2018/07/26/recognizing-q4-top-5-bounty-hunters/ Although I am not doing active bug bounty hunting at the...

ASP.NET resource files (.RESX) and deserialization issues

Article’s PDF version: https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf I have recently published a blog post via NCC Group’s website about the...

Story of my two (but actually three) RCEs in SharePoint in 2018

I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a...

Feel honoured to be there again after 8 years: Top 10 Web Hacking Techniques...

I thought I should document this whilst we are still in 2018… We used to have Top 10 Web Hacking Techniques every year but it suddenly stopped! After having a private conversation with James Kettle in...

More research on .NET deserialization

View whitepaper’s PDF I have recently published a whitepaper and a blog post as part of work research on NCC Group’s website. A number of plugins have also been added to the ysoserial.net project. The...

Finding and Exploiting .NET Remoting over HTTP using Deserialisation

Article’s PDF file: https://soroush.me/downloadable/finding_and_exploiting_dotnet_remoting_over_http_using_deserialisation.pdf I have published a blog post on NCC Group’s website to explain how to test...

How to win BIG and even more!

I recently had a presentation in the OWASP Birmingham (UK) chapter meeting. The crowd was very friendly, and it was a good experience overall with a lot of free food! I definitely recommend attending...

Yet Other Examples of Abusing CSRF in Logout

The “Login/logout CSRF: Time to reconsider?” blog post by Mathias Karlsson (@avlidienbrunn) is a great resource that shows why sometimes CSRF in logout/login can be considered as an impactful security...

Exploiting Deserialisation in ASP.NET via ViewState

Introduction ASP.NET web applications use ViewState in order to maintain a page state and persist data in a web form. The ViewState parameter is a base64 serialised parameter that is normally sent via...

x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again!

In the past, I showed how the request encoding technique can be abused to bypass web application firewalls (WAFs). The generic WAF solution to stop this technique has been implemented by only allowing...

Danger of Stealing Auto Generated .NET Machine Keys

In the Exploiting Deserialisation in ASP.NET via ViewState blog post, I explained how it is possible to run code on an ASP.NET web application using compromised Machine Key secrets. It covers cases in...

IIS Application vs. Folder Detection During Blackbox Testing

When testing a website on IIS, it is sometimes important to know whether a path is an application or a folder (or a virtual folder). I am introducing a new sneaky method using some ASP.NET features that...

Uploading web.config for Fun and Profit 2

Table of Contents: Introduction 1. Execute command using web.config in the root or an application directory 1.1. Executing web.config as an ASPX page 1.2. Running command using AspNetCoreModule 1.3....

File Upload Attack using XAMLX Files

Article’s PDF file: https://soroush.me/downloadable/getting_shell_with_xamlx_files.pdf I have recently published a blog post on the use of .XAMLX files to execute commands on an IIS-based application. This...

My MDSec Blog Posts so far in 2020/2021!

Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well: COVID-19 has sadly affected many if not all of...

Thirteen Years On: Advancing the Understanding of IIS Short File Name (SFN)...

The topic of IIS Short File Name (SFN, also known as 8.3) disclosure has been explored across various platforms in the past. In this blog post, I’ll take a look at the insights I presented at SteelCon...

Anchor Tag XSS Exploitation in Firefox with Target=”_blank”

Commonly, we use the JavaScript scheme to exploit a cross-site scripting (XSS) issue, particularly when the href attribute of an anchor tag is within our control. Here’s an example: Modern browsers,...

Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP.NET Framework...

Introduction In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL....

MongoDB NoSQL Injection with Aggregation Pipelines

Story Last August (2023), while assisting with the NoSQL lab module for PortSwigger Web Academy, I discovered that, in rare cases, it is possible to access other collections when performing an...
