All Questions
11 questions
63
votes
3
answers
66k
views
Log4j vulnerability - Is Log4j 1.2.17 vulnerable (was unable to find any JNDI code in source)?
With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 - (also see references) - I wondered if Log4j-v1.2 is also impacted, but the closest I got ...
- 2,608
0
votes
1
answer
1k
views
Java Deserialization gadget - Why is this ysoserial payload using reflection to set the TiedMapEntry?
I started studying Java deserialization gadgets. I started with the famous Apache Common Collections gadget and was looking at @matthias_kaiser's gadget chain.
https://github.com/frohoff/ysoserial/...
- 465
0
votes
1
answer
2k
views
CVE-2015-4852: Evaluating Apps for Vunerability
My understanding from the write-up and example exploits of CVE-2015-4852 by Foxglove is that you need code which receives user-provided serialized objects and the Apache commons-collections present on ...
- 1,102
8
votes
1
answer
6k
views
Is it safe to expose java remote debugger port to the internet?
I was going to expose a port for remote debugging of Java-based web service over the internet, but thinking twice I realised that it has no any authentification.
Theoretically, it seems to be ...
- 12.4k
2
votes
1
answer
585
views
Are java exploits based off of the jre used to run the application or the jdk used to compile the code, or both?
I know this question might be kind of broad. There may be some exceptions.
Suppose I compiled with Java 6 jdk, but than ran with Java 7 jre. Would the application be vulnerable to Java 6 exploits ...
- 518
0
votes
3
answers
59
views
Reflection improvements to access field secret, when field type is unknown
I am learning about Security and looking at storing secrets in the clear.
When I retrieve the contents of a private field, it returns an Object. My mal code correctly assumes and casts the Object as ...
0
votes
3
answers
144
views
I can't use malicous reflection to view values of private fields
I can get the value of the protected field, but the private field throws java.lang.IllegalAccessException. I think I know why I'm getting this exception, but how is reflection used to exploit the ...
1
vote
2
answers
782
views
Silly Example of a Deserialisation Attack
I'm trying to understand a deserialisation attack, so I have thought of this example, if you could correct me if I have misunderstood something, that would be helpful.
I have this fiction class.
...
-2
votes
1
answer
480
views
Is Google Chrome Vurnerable to Zero Day Java Exploit like IE?
I've seen IE 6 to 10 can be easaily exploited using the Zero Day Java Exploit (CVE-2013-0422)
And If the IE have been exploited.. We can access the hardisk file even cookies or password..
That's very ...
- 305
0
votes
1
answer
134
views
Where can I download JRE 7u5 plugin for any browser?
I was looking for a good exploit to use as my final project for security class so I though for JRE 7u5 bug to exploit using Metasploit.
Where I can download that version of plugin for FireFox/IE/...
- 6,500
12
votes
12
answers
6k
views
Security exploits in "safe" languages
I just recently finished reading Secure Coding in C and C++ by Brian Seacord, who works for CERT.
Overall, it's an excellent book and I would recommend it to any programmer who hasn't yet read it. ...
- 24.8k