I was lucky enough to be on the voting panel despite having a nomination (I couldn’t vote for myself obviously). In the end, I felt honoured that my request encoding technique to bypass WAFs came in the Top 10 2017 (#8 to be exact). There were seriously good research works and I recommend you to check them out: Top 10 Web Hacking Techniques of 2017
I have always tried to share with the AppSec community as that also enable me to learn more by reading other people’s work or research. The last time I was on the Top 10 was 2009 for the IIS semicolon bug (remember file.asp;.txt bypass technique on IIS6?) so good to be back (#6): Top Ten Web Hacking Techniques of 2009 (Official)
Although there has always been discussions on the type of submissions such as techniques vs one time vulnerabilities as well as voting patterns, having a list of web related submissions is always useful and we now have it for 2017!
I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a no!). I began to like it more and more just by looking at the generated payloads, and then by reading its useful references. It even answered one of the questions that I always had in mind: “How can ViewState or EventValidation without MAC enabled lead to remote code execution?“; the answer was simple: “deserialization attacks using ObjectStateFormatter or LosFormatter”. I know I was late to the party but as the attack surface is huge, I managed to exploit a number applications including SharePoint without really having deep knowledge in this area.
As mentioned in the MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online post, I managed to exploit two RCEs in SharePoint Workflows that also affected SharePoint on-prem versions. Therefore, in addition to having a good bounty for the online version, I managed to get two CVEs in .NET Framework (CVE-2018-8284 and CVE-2018-8421).
Details of these vulnerabilities were published in NCC Group’s website as can be seen here:
The first one was a logical issue in the Workflows. This was the one with the epic Microsoft’s response:
The second one however was a deserialisation issue that was not fully exploited on SharePoint until after the advisory was published. Here is the short story:
Which was shortly followed by a fully working exploit thanks to Alvaro’s tip:
It should be noted that Microsoft had already given me the maximum bounty that is for an RCE issue even for the second one.
Finally, 2018 was a good year for me on SharePoint finding 3 RCEs in it. If you are wondering what the third one was, the clue is in the ASP.NET resource files (.RESX) and deserialization issues post. I did not receive any bounty for it despite having a reverse shell on the Microsoft SharePoint Online server due to an ongoing engagement my company (NCC Group) had with them at the same time (unlucky me but I was lucky enough to be compensated by my company as they recognised my efforts).
I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.
I did not get any prize for CVE-2018-8300 which was another RCE in SharePoint using the resource files (the issue was similar to a bug reported in another MS project that I was part of its paid engagement).
I had also created a SQL injection challenge for my Twitter followers before the talk but the solution can be seen below (from Twitter):
As some people couldn't quite solve the CTF (https://t.co/g0wZBAfsMc) using the AppSec EU slides, I have attached this slow video that shows how the sqli could be exploited – I used HTTP Smuggler but that could be done manually. It was hard to type while recording ;-) pic.twitter.com/qEkOxKJZhP