Freddy The (De)serialization Killer

This is a plugin for Burp Suite Pro that helps to detect and exploit deserialization vulnerabilities in web applications. Often this kind of vulnerability leads to remote code or command execution on the affected server.

The plugin can passively detect, and actively scan for, deserialization vulnerabilities in over 30 Java and .NET libraries and APIs that handle serialization formats ranging from binary through JSON to XML.

The plugin can be downloaded from the BApp store within Burp Suite Pro.
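As an added illustration of what "passive detection" means in practice (this is not Freddy's code, and the sample traffic is constructed rather than captured), the script below scans HTTP messages for the well-known stream headers of Java serialization (raw, base64 and hex), .NET BinaryFormatter (raw and base64), Json.Net's `"$type"` type-name hint and java.beans.XMLDecoder. It checks both the raw bytes and a URL-decoded view, because the `/` characters in the .NET base64 prefix are percent-encoded inside form bodies and would otherwise be missed. Signature names and the `scan` / `scan_samples` helpers are my own naming.

```python
"""Passive detection of serialized-object payloads in HTTP messages.

Added example of the signature check a passive scanner performs; it is not
Freddy's own code. Signatures are the documented stream headers of Java
serialization, .NET BinaryFormatter and Json.Net TypeNameHandling. Sample
messages are constructed for this example, not captured from a real target.
"""
import base64
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# .NET BinaryFormatter SerializationHeaderRecord: record type 0, root id 1,
# header id -1, major version 1, minor version 0.
DOTNET_BF_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"

# (name, needle, case-insensitive). The base64 needles assume the blob is
# encoded from its first byte (a value's start), which is the common case.
SIGNATURES = [
    ("java-serialized (raw)", JAVA_MAGIC, False),
    ("java-serialized (base64)", b"rO0AB", False),
    ("java-serialized (hex)", b"aced0005", True),
    (".net BinaryFormatter (raw)", DOTNET_BF_MAGIC, False),
    (".net BinaryFormatter (base64)", b"AAEAAAD/////", False),
    ("json.net TypeNameHandling", b'"$type"', False),
    ("java XMLDecoder", b"java.beans.XMLDecoder", False),
]


def scan(message: bytes) -> list[str]:
    """Return the names of serialization signatures present in an HTTP message.

    The whole message is scanned (cookies carry serialized sessions too),
    once as raw bytes and once after percent-decoding, so a form-encoded
    ".NET" blob written as AAEAAAD%2F%2F%2F%2F%2F... is still recognised.
    """
    views = [message, unquote_to_bytes(message)]
    hits = []
    for name, needle, case_insensitive in SIGNATURES:
        for view in views:
            haystack = view.lower() if case_insensitive else view
            if needle in haystack:
                hits.append(name)
                break
    return hits


def _b64(raw: bytes) -> bytes:
    return base64.b64encode(raw)


# Constructed sample traffic (not captured from any real application).
SAMPLES = {
    "java-raw": (
        b"POST /invoke HTTP/1.1\r\n"
        b"Content-Type: application/x-java-serialized-object\r\n\r\n"
        + JAVA_MAGIC + b"sr\x00\x0ejava.lang.Long"
    ),
    "java-cookie": (
        b"GET / HTTP/1.1\r\nCookie: session="
        + _b64(JAVA_MAGIC + b"sr\x00\x0ejava.lang.Long") + b"\r\n\r\n"
    ),
    "java-hex": (
        b"GET /load?obj=ACED00057372000E6A6176612E6C616E672E4C6F6E67 HTTP/1.1\r\n\r\n"
    ),
    "dotnet-form": (
        b"POST /page.aspx HTTP/1.1\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"state=" + quote_from_bytes(_b64(DOTNET_BF_MAGIC + b"\x0c\x02"), safe="").encode()
    ),
    "jsonnet": (
        b'POST /api HTTP/1.1\r\nContent-Type: application/json\r\n\r\n'
        b'{"$type":"System.Version, mscorlib","Major":1}'
    ),
    "benign": (
        b'POST /api HTTP/1.1\r\nContent-Type: application/json\r\n\r\n'
        b'{"name":"alice"}'
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Scan every constructed sample and map its label to the signatures found."""
    return {label: scan(msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:12s} -> {hits or 'no serialization signature'}")
```

A passive match only says that serialized data is in transit; whether the receiving endpoint deserializes it unsafely still has to be confirmed by active testing, which is why the plugin offers both modes.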

Website Security Breaches

Hackers are reported to be actively targeting a recent highly critical vulnerability in Drupal, a popular website platform. The attacks began just days after the security update was released: attackers reverse-engineered the patch to build tools that exploit the vulnerability.


Drupal ‘Coder’ Module Unauthenticated RCE

Vendor: Tag1 Consulting
Product: Coder Module for Drupal
Affected Version(s): <= 7.x-2.5, <= 7.x-1.2
Severity: Critical
Reference: SA-CONTRIB-2016-039
Researcher: Nicky Bloor (@NickstaDB)
Links:

Description

The third-party ‘Coder’ module for the Drupal content management system had multiple vulnerabilities that could be combined to trigger the execution of arbitrary code on the target server. At the time of discovery this module was reportedly used by around 5,000 websites.

Remediation

Upgrade the module to at least version 7.x-1.3 or 7.x-2.6. The Coder module is a development module and should not be deployed to production environments.