by Philippe Arteau | Aug 4, 2020
Unicode is the de-facto standard for multilingual character encoding. UTF-8 is the most popular encoding used that supports its hundreds of thousands of characters. Aside from the encoding (byte representation of characters), Unicode defines multiple transformations...
by Philippe Arteau | Jul 16, 2019
Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More...
by Benoit Cote-Jodoin | Jul 3, 2019
Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we...
by Louis Dion-Marcil | Apr 3, 2018
Update: A new blog post has been published as a follow up to this article : ESI Part 2: Abusing specific implementations. Abusing Caching Servers into SSRF and Client-Side Attacks While conducting a security assessment, we noticed an unexpected behavior in the...
by Philippe Arteau | Mar 22, 2017
At the moment, Java deserialization vulnerabilities are becoming well known by vendors and attackers. Nevertheless, pentesters will still encounter these types of vulnerabilities. The low-hanging fruits can be identified with the current tools. Most of the available...