/dev/posts/

UMA 2.0 diagrams

Published:

Some diagrams (mostly sequence diagrams) about UMA 2.0.

Read more…

MIME-type spoofing in Firefox/Thunderbird and file managers

Published:

An interesting spoofing attack resulting from the interaction between Firefox (or Thunderbird) MIME types handling and file managers.

Read more…

Code execution through MIME-type association of Mono interpreter

Published:

A dangerous file type association in Debian which could be used to trigger arbitrary code execution.

Read more…

OAuth 2.x and OpenID Connect sequence diagrams

Published:

Some sequence diagrams about OAuth 2.x and OpenID Connect.

Read more…

Browser-based attacks on WebDriver implementations

Published:

Some context and analysis about attacks on in WebDriver implementations.

Read more…

Introduction to TLS v1.3

Published:

Some notes about how TLS v1.3 works. This is a follow-up of the previous episode about TLS v1.2. As before, the goal is to have a high-level overview about how the protocol works, what is the role of the different messages and be able to understand (and debug) a network traffic dump.

Read more…

CSRF and DNS-rebinding to RCE in Selenium Server (Grid)

Published:

Vulnerabilities in found on the WebDriver endpoints of Selenium Server (Grid).

Read more…

DNS rebinding vulnerability to RCE in GeckoDriver

Published:

A DNS rebinding vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. This is bug #1652612 and CVE-2021-4138.

Read more…

Introduction to TLS v1.2

Published:

Some notes about how TLS v1.2 (Transport Layer Security) works. The goal explain what is going on in a network traffic dump, the role of the different TLS extensions, the impact of the different cipher suites on security, etc. It includes several diagrams and many references.

Read more…

Cross-origin/same-site request forgery to RCE in chromedriver

Published:

I found a cross-origin/same-site request forgery vulnerability in chromedriver. It was rejected (won't fix) because it is only possible to trigger this from the cross-origin/same-site and not cross-site. In practice, it means it is really only possible to trigger this from another localhost-bound web application.

Read more…

Page 1 of 2 | | | JSON Feed | Atom Feed