Category

Researcher Corner

Category

Consul is a software first released in 2014 for DNS-based service discovery. It provides distributed key-value storage, segmentation, and configuration. Registered services and nodes can be queried using a DNS interface or an HTTP interface. (Wikipedia) Basically, Consul ensures the coherence of system components and the trust between them. Consul is at the core of your system. It is in all the elements so that they can interact with each other with minimal human intervention.…

This article explains how to exploit Oracle WebLogic for remote code execution by using valid credentials. It’s useful during black-box security audits, pentests, and infrastructure audits, including automated vulnerability scanning. To set up an example playground, we will use the following docker container: docker run -p7001:7001 –name weblogic –rm vulhub/weblogic:12.2.1.3 Again, we need to have management rights & access to the administrator console (/console web endpoint) to cause remote code execution in Oracle WebLogic. In…

JSON Web Token (JWT) is the data format with bill-in signature and encryption mechanisms that are often used by modern web applications to store user sessions and application context, including authentication by SSO and meta-data. Usually, you can find JWT tokens in an Authentication Bearer HTTP headers for authenticated API calls. As Wikipedia says: “The tokens are signed either using a private secret or a public/private key. For example, a server could generate a token…

To my knowledge, the first reference to the idea and principles of signatures for detecting network attacks dates back to 1987. This was a scientific paper by Dorothy E. Denning from Stanford Research Institute (SRI) (Here’s the link to the paper). According to the publication’s records, it was sent to the editors in 1985, but was published almost two years later(Manuscript was received December 20, 1985; revised August 1, 1986). This work was supported by…

In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Fintech maintains online security, and OWASP offers pieces of the puzzle to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge base to secure the financial sector. On May 21st, 2020, I had the honor to dive into these challenges from multiple perspectives with my two guests, Vandana Verma and Victor Gartvich. We…

Figma is a powerful tool for interface development and prototyping. We use it to design our products and to create graphic layouts for marketing and other purposes. One of the most significant advantages of Figma is that it allows you to write custom plugins enabling third-party developers to expand the already extensive range of the platform’s capabilities. Let’s discuss one of such plugins. For new brochures, our product designer came up with an interesting concept:…