TLDR: It is frightening, a patch was made available the same day it was disclosed and everybody should update their servers. Impact Butor Portal is affected by a Path Traversal vulnerability leading to pre-authentication arbitrary file downloads. Every file...
Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More...
Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of...
Update: A new blog post has been published as a follow up to this article : ESI Part 2: Abusing specific implementations. Abusing Caching Servers into SSRF and Client-Side Attacks While conducting a security assessment, we noticed an unexpected behavior in the...
Content Security Policy – or CSP in short – is the latest milestone in browser XSS attack mitigation. Rather than relying on the browser’s anti-XSS filter solely, it is now possible to instruct browsers to apply additional restrictions on external...
To remain in business, companies rely on perimeter security to protect, among other, their “secret sauce” recipe and the confidential information of their customers. To this end, information security vendors offer different types of defenses. The intent is commendable...