Last year, I assessed a popular application used by thousands of organizations and discovered a remote code execution (RCE) vulnerability. Several months later, I had the opportunity to retest the application and identified a new parameter that bypassed validation, once again resulting in successful code execution. Discovering the Vulnerability A

In a previous assessment, I identified that the application used a Gluu server for identity and access management. This was confirmed by the discovery of the /.well-known/scim-configuration endpoint. Users managed within the Gluu server had access to multiple applications, including the one assessed. This was my first encounter with

Recently one of our customers engaged Stratum to perform a pentest of their external perimeter. We found a few instances of SSH exposed to the internet and write it up as a low severity finding. The SSH instances didn't show to be vulnerable (at the time of the

During a security assessment for a client’s web application, I encountered a feature that allowed users to define templates containing expressions, specifically for operations related to mathematics, logic, and strings. These templates contained expressions that were vulnerable to Code Injection and, subsequently, Remote Command Execution. Overview of the Application

Apache Lucene Injection was discovered on a past assessment this year and I learned that this vulnerability wasn't mentioned much online. The reason for this is probably because Lucene Injection is limited compared to SQL Injection. Lucene Injection can only be used to query the data (index) that

Since we're still going through the disclosure process, the final payload won't be shown here. However, the goal of this blog post is to educate readers on methodologies and how you can manually bypass WAFs too. During a recent engagement, I was tasked with assessing the

There are many techniques out there to detect and bypass WAFs and the goal of this blog isn't to show or explain all of them - just to share a few techniques that I've found still work well in 2023. Although there are more advanced techniques

This assessment was interesting as multiple issues while integrating Okta, Amazon Cognito, and Tableau led to privilege escalations. Both unauthenticated and authenticated users can escalate their privileges to become administrative users. Application Background The purpose of this application is to allow financial institutions to create dashboards using their financial data

Stratum's own Jared Perry gave a great talk at Code Europe in 2022. They posted the video today. Jared's perspective is based on performing hundreds of cloud security assessments for Stratum's customers. This is a great talk by someone who has a TON of

Recently Stratum Security tested an application that was found to be vulnerable to code execution via a deserialization flaw documented in a CVE from 2018. In an attempt to mitigate the code execution vulnerability, the developer attempted to encrypt the HTTP payload with AES encryption. In this post, we will

While performing a security assessment for an application, there was interesting functionality that allowed users to execute arbitrary Spark SQL queries over analytics data. Vulnerability The blog post: The Dangers of Untrusted Spark SQL Input in a Shared Environment [https://datapipelines.com/blog/the-dangers-of-untrusted-spark-sql-input-in-a-shared-environment/] mentioned there were two functions that

On a recent assessment, I discovered an interesting vulnerability in a Firebase application that allowed me to create a second password for another user giving me access to the privileged account. Application Background The application is used by users to watch sessions, chat about topics, and have conversations with other

While performing an application security assessment on a Ruby on Rails project, I discovered upload functionality that allowed users to upload text, CSV, and YAML files. The latter option interested me because reading online suggested YAML deserialization could be a potential vector. After a few uploads, I understood that the

Stratum performs an ever-increasing number of AWS security assessments for our customers from large to small. These deep-dive assessments help identify deficiencies within the customer's AWS configuration and processes that may expose the customer to risk. Example findings include specific configuration vulnerabilities such as overly permissive security groups,

* Proof of Concept (PoC) * Date: 09/04/2018 * Exploit Author: Jonathan Gaines * Vendor Homepage: https://www.tridium.com/ * Version: Affects Tridium Niagara AX Versions: 3.8 and prior as well as Niagara 4 Versions: 4.4 and prior * Discovered, Reported and PoC'd by Jonathan Gaines of Stratum Security;

PortSwigger’s BurpSuite is the de facto tool for web, API, and mobile application assessments. Over the course of many engagements, the utility of being able to filter and extract data from BurpSuite to the file system became evident. Why? A few reasons… * BurpSuite provides functionality to log to text

Not a lot has changed in recent years with the security of HTTP cookies. As web application security testers, we have been performing a pretty standard set of tests in this area, including a check for two well-known cookie flags, HttpOnly and Secure. Recently, at Stratum Security we started adding