Blog

In God we trust; rest we test!

Detecting zero days in software supply chain with static and dynamic analysis

This blog shares some ideas about detecting zero-days in the software supply chain even before they get flagged by your typical Software Composition Analysis (SCA) or Dependency checking tools. Also shares the proof of concept code to detect malicious behavior using static and dynamic analysis techniques on third-party dependencies before the build process in CI/CD pipelines.

Posted by Ajin Abraham on Jan 25 2021

Stealing card details from contactless cards in seconds

This blog intends to demonstrate how easy it is for anyone with a NFC enabled camera phone to steal card details including CVV/CVC from contactless Credit/Debit/Prepaid cards in seconds.

Posted by Ajin Abraham on Mar 21 2020

Exploiting insecure file extraction in Python for code execution

Compressed file extraction with insecure code vulnerable to path traversal in Python can result in arbitrary code execution by overwriting __init__.py

Posted by Ajin Abraham on Sep 28 2017

Exploiting deserialization bugs in Node.js modules for Remote Code Execution

Untrusted data passed into unserialize() function in node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript Object with an Immediately invoked function expression (IIFE).

Posted by Ajin Abraham on Feb 8 2017

Server Side Template Injection in Tornado

This post explains Server Side Template Injection (SSTI) in Python tornado web framework.

Posted by Ajin Abraham on Jul 3 2016