/dev/posts/

Lack of X.509 TLS certificate validation in OWASP ZAP

Published:

Lack of X.509 TLS certificate validation in OWASP ZAP (Zed Attack Proxy) could be used for man-in-the-middle attacks.

Read more…

DNS rebinding on ReadyMedia/minidlna v1.3.0 and below

Published:

A DNS rebinding vulnerability I found in ReadyMedia (formerly MiniDLNA) v1.3.0 and below. This is CVE-2022-26505.

Read more…

Introduction to TLS v1.3

Published:

Some notes about how TLS v1.3 works. This is a follow-up of the previous episode about TLS v1.2. As before, the goal is to have a high-level overview about how the protocol works, what is the role of the different messages and be able to understand (and debug) a network traffic dump.

Read more…

CSRF and DNS-rebinding to RCE in Selenium Server (Grid)

Published:

Vulnerabilities in found on the WebDriver endpoints of Selenium Server (Grid).

Read more…

DNS rebinding vulnerability to RCE in GeckoDriver

Published:

A DNS rebinding vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. This is bug #1652612 and CVE-2021-4138.

Read more…

Introduction to TLS v1.2

Published:

Some notes about how TLS v1.2 (Transport Layer Security) works. The goal explain what is going on in a network traffic dump, the role of the different TLS extensions, the impact of the different cipher suites on security, etc. It includes several diagrams and many references.

Read more…

Introduction to the Diffie-Hellman key exchange

Published:

The Diffie-Hellman (DH) key exchange (and variants thereof) is widely used in many protocols (such as TLS, SSH, IKE (IPSec), Signal, etc.) to bootstrap some symmetric key material which may then be used to secure communication channel between two parties. This introduction focuses on the different ways the DH key exchange is used in practice in several protocols (especially TLS) and the impact of these different approaches on the security. This is intended as a prelude for the upcoming next episodes about how TLS works.

Read more…

What is in my COVID-19 vaccination certificate?

Published:

Manually inspecting the content of a French COVID-19 vaccination certificate QR code. The main intent is to show with a concrete example which data is actually included in the certificate.

Read more…

Cross-origin/same-site request forgery to RCE in chromedriver

Published:

I found a cross-origin/same-site request forgery vulnerability in chromedriver. It was rejected (won't fix) because it is only possible to trigger this from the cross-origin/same-site and not cross-site. In practice, it means it is really only possible to trigger this from another localhost-bound web application.

Read more…

CSRF to RCE in GeckoDriver

Published:

A Cross-Site Request Forgery (CSRF) vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. CVE-2020-15660 has been assigned to this vulnerability. This was fixed by GeckoDriver v0.27.0 in 2020-07-27. This is bug #1648964.

Read more…

Page 3 of 10 | | | JSON Feed | Atom Feed