OpSecX | Blog

Exploiting Node.js deserialization bug for Remote Code Execution

tl;dr Untrusted data passed into the unserialize() function of the node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript object containing an Immediately Invoked Function Expression (IIFE). The Bug: During a Node.js code review, I happened to see a serialization/deserialization module named node-serialize. A cookie value that comes from the request was passed into the unserialize() function […]

Server Side Template Injection in Tornado

Tornado is a great and easy-to-use Python web framework for developing dynamic web applications. When it comes to PoC or CTF challenge creation, Tornado is my default choice. Today we will see how Server Side Template Injection (SSTI) can be achieved in Tornado using the default template engine provided with it. […]

OpSecX Bundle Offers

Bundle offers are great money-saving offers by OpSecX. Currently running bundle offers: OpSecX WebSec Bundle. Get a 20% discount on the WebSec Bundle, which includes XFP – Cross Site Scripting – XSS for Pentesters, NJS – Node.js Security: Pentesting and Exploitation, and WSN – WebSecNinja: Lesser Known WebAttacks. How to avail of this bundle: add all three courses to the […]

XSS in Instamojo Woocommerce Plugin

We are using Instamojo as a payment gateway for Indian customers. Instamojo provides a plugin that can be used with WooCommerce. To ensure our customers' safety, we routinely perform a code review and security analysis of the plugins we use. Our security assessment revealed that the Instamojo plugin is affected by a reflected cross site […]

Launching OpSecX | Security Education for Everyone

We are glad to announce the launch of OpSecX, an online security education platform that provides quality and affordable security education for everyone. The increasing reliance of our information-age businesses, economies and governments on computer-based infrastructure and technology makes them a target of cyber attacks. The security industry is growing, evolving and learning new things to tackle […]