Unexpected Journey #7 – GravCMS Unauthenticated Arbitrary YAML Write/Update leads to Code Execution (CVE-2021-21425)

It has been a while since I haven’t published a post on our beloved blog. Today I would like to share technical details and POC for a pretty funny vulnerability that I’ve found at GravCMS.

As I’ve been saying since 2015, my pentest team and I love to chase after 0days during penetration test engagements. This time we come across a GravCMS during the external OSINT process.

Read More

Why Secure Design Matters ? Secure Approach to Session Validation on Modern Frameworks (Django Solution)

I’ve been doing security researches on softwares for a quite long time. During these researchs, I often find myself in a situation where in I think about the state of mind of developers, problems that occur during developments and core problems of nature of software crafting teams. Thinking about these questions always lead me to realize possible software bugs.

People developers are tend to make mistakes by the nature of human being. Mistakes made by developers usually end up with software bugs. If there is a software bug, security researchers always try to take an advantage of this bugs and convert it to a software vulnerability. For that reason, I always start my research by defining a places in softwares where things left to the developer’s initiative. One of good the example for that ‘places’, which also main focus of this post, can be a session validations.

Read More

Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper

Web applications evolved in the last century from simple scripts to single page applications. Such complex web applications are prone to different types of security vulnerabilities. One type of vulnerability, named as secondorder, occurs when an attack payload is first stored by the application on the web server and then later on used in a security-critical operation.

Read More

How to Test Horizontal & Vertical Authorization Issues in Web Application ?

As you know, nowadays web applications could be as complex as operating systems. Most of those complexity comes from authorisation schemas. Such weaknesses are referred to in the literature as Insecure Direct Object Reference.

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.[1]  Read More