Blog


In God we trust; rest we test!

Exploiting insecure file extraction in Python for code execution

Compressed file extraction with insecure code vulnerable to path traversal in Python can result in arbitrary code execution by overwriting __init__.py

Exploiting deserialization bugs in Node.js modules for Remote Code Execution

Untrusted data passed into unserialize() function in node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript Object with an Immediately invoked function expression (IIFE).

Server Side Template Injection in Tornado

This post explains Server Side Template Injection (SSTI) in Python tornado web framework.

Instamojo Woocommerce Plugin XSS

We are using Instamojo as a payment gateway for Indian customers in our security education platform OpSecX. Instamojo provides a plugin that can be used with WooCommerce. To ensure our customers safety we used to do a code review and security analysis on the plugins we use. Our security assessment revealed that Instamojo plugin is affected by a reflected cross site scripting (XSS).

OS X Mavericks 10.9.5 – out of bound read/write in memmove()

Running cat command on a malformed file in OSX Maverick's Terminal.app results in crash. This post explains the crash analysis. Code execution was not achieved due to limited buffer.