Breaking

Jenkins Remoting RCE II – The return of the ysoserial

Jenkins Logo

Jenkins is a continuous integration server, widely used in Java environments for building automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins server can be a critical part of the infrastructure: It often creates the application packages that later will be deployed on production application servers. If an attacker can execute arbitrary code, s/he can easily manipulate those packages and inject additional code. Another scenario would be that the attacker stealing credentials, like passwords, private keys that are used for authentication in the deployment process or similar.

Continue reading “Jenkins Remoting RCE II – The return of the ysoserial”

Continue reading
Events

New Methods for Exploiting ORM Injections in Java Applications (HITB16)

The HITBSecConf or “Hack In The Box” in Amsterdam is a well known security conference in Europe. We also attended this year too, and there were quite some interesting talks at the HITBSecConf16 conference. One of the talks was about “New Methods for Exploiting ORM Injections in Java Applications” by the security researchers Mikhail Egorov and Sergey Soldatov.

Continue reading “New Methods for Exploiting ORM Injections in Java Applications (HITB16)”

Continue reading
Events

Mind The Gap – Exploit Free Whitelisting Evasion Tactics

At the Troopers 16 Casey Smith has given a talk about the gap in Application Whitelisting.

Application Whitelisting is a technique that should prevent malware and unauthorized applications from running. Broadly speaking this is implemented by deciding if an application is trusted or not before executing it. Casey’s talk gave an understanding where this whitelisiting fails down.

Continue reading “Mind The Gap – Exploit Free Whitelisting Evasion Tactics”

Continue reading
Events

Towards a LangSec-aware SDLC

At the TROOPERS’15 Jacob l. Torrey held a track about LangSec-Aware Software Development Lifecycle. He talked about programming conventions and what tools can be used for enforcing the compliance. There is a lack of metrics to understand what make software more secure or less secure. His main goals was to show that LangSec has far-reaching impacts into software security and to give the audience a framework to transform the theory into practice. A SLDC should help to find bugs sooner in the development process and reduce defect rate in production thereby. A lower defect rate in production does not only improve security it also reduces costs.

Continue reading “Towards a LangSec-aware SDLC”

Continue reading