OpSecX | Blog

How to write an Application Security Resume

Introduction: This post aims to help people write an appropriate resume for Application Security related roles like Security Consultant/Analyst, Security Engineer, Product Security Engineer, Security Researcher, DevSecOps Engineer etc. I am not an experienced guy nor an expert when it comes to writing resumes, but I do have some experience in taking interviews and getting interviewed […]

Exploiting Node.js deserialization bug for Remote Code Execution

tl;dr: Untrusted data passed into the unserialize() function in the node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript object with an Immediately Invoked Function Expression (IIFE). The Bug: During a Node.js code review, I happened to see a serialization/deserialization module named node-serialize. A cookie value that comes from the request was passed into the unserialize() function […]

Server Side Template Injection in Tornado

Tornado is a great and easy-to-use Python web framework for developing dynamic web applications. When it comes to PoC or CTF challenge creation, Tornado is my default choice. Today we will see how Server Side Template Injection (SSTI) can be achieved in Tornado using the default template engine provided with it. […]

XSS in Instamojo Woocommerce Plugin

We are using Instamojo as a payment gateway for Indian customers. Instamojo provides a plugin that can be used with WooCommerce. To ensure our customers' safety, we do a code review and security analysis on the plugins we use. Our security assessment revealed that the Instamojo plugin is affected by a reflected cross site […]

Launching OpSecX | Security Education for Everyone

We are glad to announce the launch of OpSecX, an online security education platform that provides quality and affordable security education for everyone. The increasing reliance of our information-age businesses, economies and governments on computer-based infrastructure and technology makes them a target of cyber attacks. The security industry is growing, evolving and learning new things to tackle […]