Thursday, May 17, 2018

Beware of the Magic SpEL(L) – Part 2 (CVE-2018-1260)

On Tuesday, we released the details of RCE vulnerability affecting Spring Data (CVE-2018-1273). We are now repeating the same exercise for a similar RCE vulnerability in Spring Security OAuth2 (CVE-2018-1260). We are going to present the attack vector, its discovery method and the conditions required for exploitation. This vulnerability also has similarities with another vulnerability disclosed in 2016. The resemblance will be discussed in the section where we review the fix.

Tuesday, May 15, 2018

Beware of the Magic SpEL(L) - Part 1 (CVE-2018-1273)

This February, we ran a Find Security Bugs scan on over at least one hundred components from the Spring Framework, including the core components (spring-core, spring-mvc) but also optional components (spring-data, spring-social, spring-oauth, etc.). From this exercise, we reported some vulnerabilities. In this blog post, we are going to give more details on a SpEL injection vulnerability. While some proof of concept code and exploitation details have already surfaced on Twitter, we will add a focus on how these vulnerabilities were found, followed by a thorough review of the proposed fix.

Wednesday, January 24, 2018

Why you should consider Kotlin for Burp extension development

This small article is an opinion piece to explain why we find the Kotlin language interesting. Its benefits applied to Burp extension development.
Security professionals might not be aware of Kotlin. However, it is becoming a trending language in the Android development ecosystem. Additionally, being propelled by Google and JetBrains, it should not be seen as a risky technology choice. In this article, we are going to outline the main advantages of this language.