Introduction In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the U...
Commonly, we use the JavaScript schema to exploit a cross-site scripting (XSS) issue, particularly when the href attribute of an anchor tag is within our control. Here's an example: Modern brow...
https://soroush.me/blog/2023/08/anchor-tag-xss-exploitation-in-firefox-with-target_blank/
The topic of IIS Short File Name (SFN, also known as 8.3) disclosure has been explored across various platforms in the past. In this blog post, I'll take a look at the insights I presented at S...
Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well: COVID-19 has sadly affected many if not all...
https://soroush.me/blog/2020/10/mdsec-blog-posts-so-far-in-2020/
Article's PDF file: https://soroush.me/downloadable/getting_shell_with_xamlx_files.pdf I have recently published a blog post on use of .XAMLX files to execute command on an IIS based applicatio...
https://soroush.me/blog/2019/09/file-upload-attack-using-xamlx-files/
Table of Contents: Introduction 1. Execute command using web.config in the root or an application directory 1.1. Executing web.config as an ASPX page 1.2. Running command using AspNetCoreModule 1...
https://soroush.me/blog/2019/08/uploading-web-config-for-fun-and-profit-2/
When testing a website on IIS, it is sometimes important to know whether a path is an application or a folder (or a virtual folder). I am introducing a new sneaky method using some ASP.NET features...
https://soroush.me/blog/2019/07/iis-application-vs-folder-detection-during-blackbox-testing/
In the Exploiting Deserialisation in ASP.NET via ViewState blog post, I explained how it is possible to run code on an ASP.NET web application using compromised Machine Key secrets. It covers cas...
https://soroush.me/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
In the past, I showed how the request encoding technique can be abused to bypass web application firewalls (WAFs). The generic WAF solution to stop this technique has been implemented by only all...
https://soroush.me/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
Introduction ASP.NET web applications use ViewState in order to maintain a page state and persist data in a web form. The ViewState parameter is a base64 serialised parameter that is normally sen...
https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
The "Login/logout CSRF: Time to reconsider?" blog post by Mathias Karlsson (@avlidienbrunn) is a great resource that shows why sometimes CSRF in logout/login can be considered as an impactful...
https://soroush.me/blog/2019/04/yet-other-examples-of-abusing-csrf-in-logout/
I recently had a presentation in the OWASP Birmingham (UK) chapter meeting. The crowd was very friendly, and it was a good experience overall with a lot of free food! I definitely recommend atten...
https://soroush.me/blog/2019/04/how-to-win-big-and-even-more/
Article's PDF file: https://soroush.me/downloadable/finding_and_exploiting_dotnet_remoting_over_http_using_deserialisation.pdf I have published a blog post in NCC Group's website to explain h...
https://soroush.me/blog/2019/03/finding-and-exploiting-net-remoting-over-http-using-deserialisation/
View whitepaper's PDF I have recently published a whitepaper and a blog post as part of work research in NCC Group's website. A number of plugins have also been added to the ysoserial.net pro...
https://soroush.me/blog/2018/12/more-research-on-net-deserialization/
I thought I should document this whilst we are still in 2018… We used to have Top 10 Web Hacking Techniques every year but it suddenly stopped! After having a private conversation with James Ke...
I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer w...
https://soroush.me/blog/2018/12/story-of-two-published-rces-in-sharepoint-workflows/
Article's PDF version: https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf I have recently published a blog post via NCC Group's website about th...
https://soroush.me/blog/2018/08/asp-net-resource-files-resx-and-deserialization-issues/
I was amongst top 5 bounty hunters in MS Q4 2018: https://blogs.technet.microsoft.com/msrc/2018/07/26/recognizing-q4-top-5-bounty-hunters/ Although I am not doing active bug bounty hunting at th...
https://soroush.me/blog/2018/08/ms-2018-q4-top-5-bounty-hunter-for-2-rces-in-sharepoint-online/
I had presented a conference talk in AppSec EU 2018 about WAF bypass techniques. Some screenshots and my original tweet about it can be seen below: Here are my WAF bypass talk slides at @appseceu...
https://soroush.me/blog/2018/08/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour/
Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could ...
https://soroush.me/blog/2018/08/smb-hash-hijacking-user-tracking-in-ms-outlook/