What is Kubernetes?
(As per the Kubernetes website)
Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.
The container can be anything; it does not matter what platform it comes from.
The Kubernetes setup can either be done on premise or be deployed on public clouds like AWS, GCP etc.
For the purpose of learning you can also make use of minikube, which is an all-in-one solution, i.e. …
Welcome to the new blog post on .NET ViewState deserialization. I would like to thank Subodh Pandey for contributing to this blog post and the study without which I could not have had an in-depth insight on this topic.
Before getting started with ViewState deserialization, let’s go through some key terms associated with ViewState and its exploitation.
ViewState: According to TutorialsPoint:
The view state is the state of the page and all its controls. It is automatically maintained across posts by the ASP.NET framework.
When a page is sent back to the client, the changes in the properties of…
Welcome to my new blog in the Java Deserialization series. Below are the links to my previous blogs on Java deserialization:
Okay, so in this blog we will be discussing Jackson deserialization, vulnerable implementations of it, and how they are exploited.
So, before we begin our discussion of the insecure implementation of Jackson deserialization, let's understand a few basics of the Jackson library, which is used to parse (deserialize) JSON input/data.
Jackson is a Java-based library used to serialize or map POJOs (Plain Old Java Objects) to JSON and to deserialize JSON to POJOs.
Let's look at a…
Welcome to my new blog on Java deserialization. In this blog we will understand the basics of Java deserialization, how it is vulnerable, and how this vulnerability can be remediated. Here I will be discussing the category of Java deserialization that is human-unreadable, like binary data, as opposed to human-readable Java deserialization formats like JSON, XML, SOAP etc.
This is going to be a long article, so please bear with me.
Well, deserialization is the process of converting a stream of bytes into a copy of the original object. …
This blog is about a SnakeYaml deserialization vulnerability that was exploited by my friend in one of the recent penetration testing engagements. I have recreated the scenario here to demonstrate the deserialization exploitation.
So basically, the vulnerable application had a functionality where we can upload a YAML file from the web UI, and the server-side code will parse it using the snakeyaml library.
Now, the vulnerability lies in the way snakeyaml parses the YAML file, which can be seen in the piece of code below:
import org.yaml.snakeyaml.Yaml;
// Default constructor: no SafeConstructor, so tagged YAML input can instantiate arbitrary classes
Yaml yaml = new Yaml();
Object obj = yaml.load(<--user input data-->);