SMB hash hijacking & user tracking in MS Outlook
Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be...
WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour
I had presented a conference talk in AppSec EU 2018 about WAF bypass techniques. Some screenshots and my original tweet about it can be seen below: Here are my WAF bypass talk slides at @appseceu 2018:...
MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online
I was amongst top 5 bounty hunters in MS Q4 2018: https://blogs.technet.microsoft.com/msrc/2018/07/26/recognizing-q4-top-5-bounty-hunters/ Although I am not doing active bug bounty hunting at the...
ASP.NET resource files (.RESX) and deserialization issues
Article’s PDF version: https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf I have recently published a blog post via NCC Group’s website about the...
Story of my two (but actually three) RCEs in SharePoint in 2018
I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a...
Feel honoured to be there again after 8 years: Top 10 Web Hacking Techniques...
I thought I should document this whilst we are still in 2018… We used to have Top 10 Web Hacking Techniques every year but it suddenly stopped! After having a private conversation with James Kettle in...
More research on .NET deserialization
View whitepaper’s PDF I have recently published a whitepaper and a blog post as part of work research in NCC Group’s website. A number of plugins have also been added to the ysoserial.net project. The...
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Article’s PDF file: https://soroush.me/downloadable/finding_and_exploiting_dotnet_remoting_over_http_using_deserialisation.pdf I have published a blog post in NCC Group’s website to explain how to test...
How to win BIG and even more!
I recently had a presentation in the OWASP Birmingham (UK) chapter meeting. The crowd was very friendly, and it was a good experience overall with a lot of free food! I definitely recommend attending...
Yet Other Examples of Abusing CSRF in Logout
The “Login/logout CSRF: Time to reconsider?” blog post by Mathias Karlsson (@avlidienbrunn) is a great resource that shows why sometimes CSRF in logout/login can be considered as an impactful security...
Exploiting Deserialisation in ASP.NET via ViewState
Introduction ASP.NET web applications use ViewState in order to maintain a page state and persist data in a web form. The ViewState parameter is a base64 serialised parameter that is normally sent via...
x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again!
In the past, I showed how the request encoding technique can be abused to bypass web application firewalls (WAFs). The generic WAF solution to stop this technique has been implemented by only allowing...
Danger of Stealing Auto Generated .NET Machine Keys
In the Exploiting Deserialisation in ASP.NET via ViewState blog post, I explained how it is possible to run code on an ASP.NET web application using compromised Machine Key secrets. It covers cases in...
IIS Application vs. Folder Detection During Blackbox Testing
When testing a website on IIS, it is sometimes important to know whether a path is an application or a folder (or a virtual folder). I am introducing a new sneaky method using some ASP.NET features that...
Uploading web.config for Fun and Profit 2
Table of Contents: Introduction 1. Execute command using web.config in the root or an application directory 1.1. Executing web.config as an ASPX page 1.2. Running command using AspNetCoreModule 1.3....
File Upload Attack using XAMLX Files
Article’s PDF file: https://soroush.me/downloadable/getting_shell_with_xamlx_files.pdf I have recently published a blog post on use of .XAMLX files to execute command on an IIS based application. This...
My MDSec Blog Posts so far in 2020/2021!
Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well: COVID-19 has sadly affected many if not all of...
Thirteen Years On: Advancing the Understanding of IIS Short File Name (SFN)...
The topic of IIS Short File Name (SFN, also known as 8.3) disclosure has been explored across various platforms in the past. In this blog post, I’ll take a look at the insights I presented at SteelCon...
Anchor Tag XSS Exploitation in Firefox with Target=”_blank”
Commonly, we use the JavaScript URI scheme to exploit a cross-site scripting (XSS) issue, particularly when the href attribute of an anchor tag is within our control. Here’s an example: Modern browsers,...
Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP.NET Framework...
Introduction In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL....