Category Archives: Security Articles

My Articles

How to win BIG and even more!

I recently had a presentation in the OWASP Birmingham (UK) chapter meeting. The crowd was very friendly, and it was a good experience overall with a lot of free food! I definitely recommend attending the next one if you are close by.

In my presentation, I showed a few examples how I managed to win a lot of money in gambling games, cheated when doing my online shopping, and got more free gifts than necessary! Obviously all of my actions were as part of defined security assessments, and therefore I legally had the necessary permissions to carry out my tests.

My presentation’s description was:

I am going to review a number of interesting flaws that I have seen within the payment systems and gambling games. This includes examples that allowed me to win big while I was gambling very responsibly as well as simple methods that brought me free goods such as expensive books that I really didn’t need, fake moustaches, or even caskets for my fake funeral!

Disclaimer: all issues were reported responsibly to the companies and no moustache or slot machine was harmed in this process! I am not going to name any companies during this presentation.

Its slides are available via the SlideShare website:

After this presentation, Ashley Cox and I performed a research for NCC Group about abusing voucher codes. As a result, we also made the following blog post: Online shoplifting – exploiting e-commerce basket and voucher faults for five-finger discount.

Perhaps this how some people find glitches to post in the hotukdeals website!

I have also updated the whitepaper I had created for testing financially-oriented web applications to cover more discovered test-cases. This freely accessible guideline has been created for penetration testers and bug bounty hunters to assess ecommerce and financial services applications: https://www.nccgroup.trust/uk/our-research/common-security-issues-in-financially-orientated-web-applications/

I would personally be grateful if you could give a reference to me or this whitepaper if you have found it useful or you have managed to identify a vulnerability using this.

Finding and Exploiting .NET Remoting over HTTP using Deserialisation

I have published a blog post in NCC Group’s website to explain how to test deserialisation issues within the SOAP requests that are used by ASP.NET Remoting over a HTTP channel:

This research is accompanied by an open source project that show a sample vulnerable server and a client that can be useful for testing purposes: https://github.com/nccgroup/VulnerableDotNetHTTPRemoting/

The blog link is as follows: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/

More research on .NET deserialization

I have recently published a whitepaper and a blog post as part of work research in NCC Group’s website. A number of plugins have also been added to the ysoserial.net project.

The whitepaper can aid security researchers as well as developers to find more deserialisation issues in .NET applications by identifying built-in methods or classes that can be abused in this process. The whitepaper can be downloaded from: https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf

In the blog post, I have also explained one of the most interesting findings of the research with which code could be executed upon pasting an object from the clipboard:

Story of my two (but actually three) RCEs in SharePoint in 2018

I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a no!). I began to like it more and more just by looking at the generated payloads, and then by reading its useful references. It even answered one of the questions that I always had in mind: “How can ViewState or EventValidation without MAC enabled lead to remote code execution?“; the answer was simple: “deserialization attacks using ObjectStateFormatter or LosFormatter”. I know I was late to the party but as the attack surface is huge, I managed to exploit a number applications including SharePoint without really having deep knowledge in this area. 

As mentioned in the MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online post, I managed to exploit two RCEs in SharePoint Workflows that also affected SharePoint on-prem versions. Therefore, in addition to having a good bounty for the online version, I managed to get two CVEs in .NET Framework (CVE-2018-8284 and CVE-2018-8421).

Details of these vulnerabilities were published in NCC Group’s website as can be seen here:

  1. Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
  2. Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data

The first one was a logical issue in the Workflows. This was the one with the epic Microsoft’s response:

The second one however was a deserialisation issue that was not fully exploited on SharePoint until after the advisory was published. Here is the short story:

Which was shortly followed by a fully working exploit thanks to Alvaro’s tip:

It should be noted that Microsoft had already given me the maximum bounty that is for an RCE issue even for the second one.

Finally, 2018 was a good year for me on SharePoint finding 3 RCEs in it. If you are wondering what the third one was, the clue is in the ASP.NET resource files (.RESX) and deserialization issues post. I did not receive any bounty for it despite having a reverse shell on the Microsoft SharePoint Online server due to an ongoing engagement my company (NCC Group) had with them at the same time (unlucky me but I was lucky enough to be compensated by my company as they recognised my efforts).

ASP.NET resource files (.RESX) and deserialization issues

I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf

In addition to this, the advisories can be seen via:

Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/

Code Execution by Viewing Resource Files in .NET Reflector: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/

I had also reported the same vulnerability in Telerik justDecompile and JetBrains dotPeek:

https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/

https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1

Relevant tweets about this: