Since we're still going through the disclosure process, the final payload won't be shown here. However, the goal of this blog post is to educate readers on methodologies and how you can manually bypass WAFs too. During a recent engagement, I was tasked with assessing the security of a customer's

There are many techniques out there to detect and bypass WAFs and the goal of this blog isn't to show or explain all of them - just to share a few techniques that I've found still work well in 2023. Although there are more advanced techniques out there, these will

This assessment was interesting as multiple issues while integrating Okta, Amazon Cognito, and Tableau led to privilege escalations. Both unauthenticated and authenticated users can escalate their privileges to become administrative users. Application Background The purpose of this application is to allow financial institutions to create dashboards using their financial data

Stratum's own Jared Perry gave a great talk at Code Europe in 2022. They posted the video today. Jared's perspective is based on performing hundreds of cloud security assessments for Stratum's customers. This is a great talk by someone who has a TON of experience poking around in a TON

Recently Stratum Security tested an application that was found to be vulnerable to code execution via a deserialization flaw documented in a CVE from 2018. In an attempt to mitigate the code execution vulnerability, the developer attempted to encrypt the HTTP payload with AES encryption. In this post, we will

While performing a security assessment for an application, there was interesting functionality that allowed users to execute arbitrary Spark SQL queries over analytics data. Vulnerability The blog post: The Dangers of Untrusted Spark SQL Input in a Shared Environment [https://datapipelines.com/blog/the-dangers-of-untrusted-spark-sql-input-in-a-shared-environment/] mentioned there were two functions that

On a recent assessment, I discovered an interesting vulnerability in a Firebase application that allowed me to create a second password for another user giving me access to the privileged account. Application Background The application is used by users to watch sessions, chat about topics, and have conversations with other

While performing an application security assessment on a Ruby on Rails project, I discovered upload functionality that allowed users to upload text, CSV, and YAML files. The latter option interested me because reading online suggested YAML deserialization could be a potential vector. After a few uploads, I understood that the

Stratum performs an ever-increasing number of AWS security assessments for our customers from large to small. These deep-dive assessments help identify deficiencies within the customer's AWS configuration and processes that may expose the customer to risk. Example findings include specific configuration vulnerabilities such as overly permissive security groups, IAM privilege

* Proof of Concept (PoC) * Date: 09/04/2018 * Exploit Author: Jonathan Gaines * Vendor Homepage: https://www.tridium.com/ * Version: Affects Tridium Niagara AX Versions: 3.8 and prior as well as Niagara 4 Versions: 4.4 and prior * Discovered, Reported and PoC'd by Jonathan Gaines of Stratum Security; Formerly of

PortSwigger’s BurpSuite is the de facto tool for web, API, and mobile application assessments. Over the course of many engagements, the utility of being able to filter and extract data from BurpSuite to the file system became evident. Why? A few reasons… * BurpSuite provides functionality to log to text

By now, you’ve probably heard of the 2.1 million customers data leaked at the highly esteemed WSJ parent company Dow Jones. In fact, in the last few weeks alone, three such incidents at the Republican National Committee [https://techcrunch.com/2017/06/19/deep-root-gop-data-leak-upguard/], Verizon [https://www.geekwire.

Not a lot has changed in recent years with the security of HTTP cookies. As web application security testers, we have been performing a pretty standard set of tests in this area, including a check for two well-known cookie flags, HttpOnly and Secure. Recently, at Stratum Security we started adding

This is Part 4 of a multi-part series of posts on how we securely ran ThreatSim in AWS for 5 years and never lost a customer (that we know of) due to any cloud security concerns. In a traditional data center, network security plays a huge role in how you

This is Part 3 of a multi-part series of posts on how we securely ran ThreatSim in AWS for 5 years and never lost a customer (that we know of) due to any cloud security concerns. When we set up shop in AWS we ran through different risk models to

This is Part 2 of a multi-part series of posts on how we securely ran ThreatSim in AWS for 5 years and never lost a customer (that we know of) due to any cloud security concerns. In a traditional data center there are controls to prevent someone from turning off