Taking over a server with a single HTTP request:
https://gebir.ge/blog/privesc-part-3/

I went ahead and created a social media presence, that's how proud I am! ¯\_(ツ)_/¯

#rce #privilegeescalation #deserialization

Posted a technical #AttackerKB #writeup of CVE-2022-47986 (CVE_2022_47986 / #CVE202247986), a #Ruby #deserialization #vulnerability in IBM's Aspera software, which runs on a humorously old version of Ruby:

https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis?source=mastodon

Pwn2owning two hosts at the same time: abusing Inductive Automation Ignition's custom #deserialization

// by @thezdi

https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization

#VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive

CVE-2022-31706: VMware vRealize Log Insight #Directory #Traversal #Vulnerability

CVE-2022-31704: VMware vRealize Log Insight broken Access Control Vulnerability

CVE-2022-31710: VMware vRealize Log Insight #Deserialization Vulnerability

CVE-2022-31711: VMware vRealize Log Insight Information Disclosure Vulnerability

https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive/

Supercharging Zero-Copy Deserialization, by Manish Goregaokar at Rust Zürisee 2022, https://youtu.be/DM2DI3ZI_BQ.

#RustLang #talk #deserialization #performance

This looks like a really *fantastic* way to teach and learn about security vulnerabilities in JS-based apps: a standards-uncompliant gamified hacking sandbox!

---
With v6.3.0 (which will come out next week latest & adds some really bad #deserialization vulnerability) we are officially at 100% "incompliance" with 2017's @OWASPTop10 while staying fully "backward-incompliant" with all previous editions! @owasp @vanderaj @j12934
https://twitter.com/owasp_juiceshop/status/949061098526961664