Eric Rafaloff

My personal blog on software development and security

An Analysis of CVE-2017-5638

I just published some research I did with Gotham Digital Science on the recent Struts vulnerability, CVE-2017-5638. You can find that (rather long) post here, full of in-depth code review and an additional, lesser-known attack vector: An Analysis of CVE-2017-5638

OSCP Certified

On December 1st, I took the Offensive Security Certified Professional (OSCP) exam and successfully earned my certification. For those unfamiliar with OSCP, it is a hands-on training course and certification offered by Offensive Security. The content it covers is immense; everything from SQL injection to writing your own remote buffer overflow exploits is covered by …

Cross-Site Scripting via DOM-Based Open Redirects

Consider the following JavaScript application, which clearly contains a DOM-based open redirect vulnerability: As if this weren't bad enough, the application is also, less obviously, vulnerable to cross-site scripting. Consider what would happen if the window's location were set to javascript:alert(). This is effectively the same thing as typing javascript:alert() into the navigation bar in your …

BSides Pre-Con Capture the Flag

This challenge involved a web application that featured a PHP variable inspector. The instructions read: NETTITUDE.COM CTF Enter some serialised PHP in our form below and we'll output it on the page. We have some built-in classes too. Objective: Simply run the "getFlag()" method.

Redis Post-Exploitation in the Wild

My team saw a failed attempt to compromise one of our Redis servers today. In the wake of script kiddies reading antirez's article about Redis security, many system administrators are seeing this happen to their systems. Although one of our QA servers was running the incorrect Redis config file (whoops!), we were fortunate that the user …

Regex Security Issues in Ruby

I see this kind of problem everywhere in the Ruby ecosystem, despite it being an old one. Consider the regular expression /^https?:\/\/[\S]+$/: So far so good. However, consider this: This matches our regex because, in Ruby, ^ matches the beginning of a line and $ matches the end of one, not the start and end of the whole string. This reflects a very common misunderstanding of …
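The following is an added example, not code from the original post: it takes the post's regex, feeds it a constructed input with a newline in it, and contrasts the line-anchored check with one anchored on the whole string using \A and \z. The input strings and function names are assumptions made for this illustration.

```ruby
# Added example (not from the original post): why ^ and $ are unsafe anchors
# for whole-string validation in Ruby, and the \A / \z fix.

# The regex from the post: intended to accept only an http(s) URL.
LINE_ANCHORED  = /^https?:\/\/[\S]+$/
# Hardened version: \A anchors to the start of the string and \z to its very
# end (\Z would still match before a trailing newline, so it is not used here).
WHOLE_ANCHORED = /\Ahttps?:\/\/\S+\z/

# Constructed inputs (assumed for this example).
SAFE_URL = "https://example.com/path"
# Attacker-controlled: a javascript: URL on line one, a valid URL on line two.
SMUGGLED = "javascript:alert(1)\nhttps://example.com/"
# Valid URL followed by a newline; $ matches before that newline.
TRAILING = "https://example.com/\n"

def valid_url_line_anchored?(s)
  !!(s =~ LINE_ANCHORED)
end

def valid_url_whole_anchored?(s)
  !!(s =~ WHOLE_ANCHORED)
end

# What a downstream consumer actually sees: the scheme at the start of the
# value that passed validation. With the line-anchored check an attacker's
# javascript: scheme gets through even though "a URL" was validated.
def scheme_after_validation(s, regex)
  return nil unless s =~ regex
  s[/\A[a-z]+(?=:)/i]
end

if __FILE__ == $0
  [SAFE_URL, SMUGGLED, TRAILING].each do |input|
    puts "#{input.inspect}: ^...$ => #{valid_url_line_anchored?(input)}, " \
         "\\A...\\z => #{valid_url_whole_anchored?(input)}"
  end
end
```

Note that Ruby's /m flag only changes whether . matches a newline; ^ and $ are line anchors in Ruby regardless of flags, so the fix is always to use \A and \z when the intent is "the entire string".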

Feature Flags with Rollout

Role-based authorization is a common requirement in modern web applications. In the Rails ecosystem, there are several great open source libraries that provide this (see devise's roles, cancan, and rolify). Feature flagging is a little different from roles: features can be flipped on and off regardless of a user's state. This means that if we …
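To make the contrast with roles concrete, here is an added example (not the rollout gem and not code from the original post): a minimal in-memory feature-flag store in which a feature is on globally, on for specific users, or on for a deterministic percentage of users, and a user's role is never consulted. The class, method and user names are hypothetical, and the percentage bucketing by CRC32 of the user id is an assumed design choice for this illustration.

```ruby
require "zlib"

# Added example, not the rollout gem: a minimal in-memory feature-flag store
# to contrast with role-based authorization. All names here are hypothetical.
User = Struct.new(:id, :role)

class FeatureFlags
  def initialize
    @flags = Hash.new { |h, k| h[k] = { global: false, users: {}, percentage: 0 } }
  end

  # Flip a feature on for everyone, whoever they are.
  def activate(feature)
    @flags[feature][:global] = true
  end

  # Flip it off again for everyone, dropping any per-user or percentage state.
  def deactivate(feature)
    @flags.delete(feature)
  end

  # Enable for one specific user (e.g. a beta tester), independent of role.
  def activate_user(feature, user)
    @flags[feature][:users][user.id] = true
  end

  # Enable for a slice of the user base, 0..100 percent.
  def activate_percentage(feature, pct)
    raise ArgumentError, "percentage must be 0..100" unless (0..100).cover?(pct)
    @flags[feature][:percentage] = pct
  end

  # Is the feature on for this user? user.role is deliberately never read.
  def active?(feature, user = nil)
    return false unless @flags.key?(feature)
    f = @flags[feature]
    return true if f[:global]
    return false if user.nil?
    return true if f[:users][user.id]
    # Deterministic bucketing: the same user always lands in the same bucket,
    # so a partial rollout does not flicker on and off between requests.
    Zlib.crc32(user.id.to_s) % 100 < f[:percentage]
  end
end

# Role check for contrast: this depends entirely on the user's own state.
def admin?(user)
  user.role == :admin
end

# Constructed scenario returning the decisions so they can be inspected.
def demo
  flags  = FeatureFlags.new
  admin  = User.new(1, :admin)
  member = User.new(2, :member)

  flags.activate(:new_dashboard)          # on for everyone
  flags.activate_user(:beta_search, member) # on for one member only
  flags.activate_percentage(:dark_mode, 50) # on for half the user base

  {
    dashboard_for_member:   flags.active?(:new_dashboard, member),
    beta_search_for_member: flags.active?(:beta_search, member),
    beta_search_for_admin:  flags.active?(:beta_search, admin), # role buys nothing
    dark_mode_is_stable:    flags.active?(:dark_mode, member) == flags.active?(:dark_mode, member),
    unknown_feature:        flags.active?(:does_not_exist, admin),
  }
end

puts demo if __FILE__ == $0
```

The point of the example is the last two lines of active?: an admin who is not on the beta list and not in the percentage bucket does not get the feature, and a plain member who is on the list does. Roles answer "what may this user do"; flags answer "is this code path switched on right now", and the two should be checked separately.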