Normal view

There are new articles available, click to refresh the page.
Before yesterdayOrange

A Journey Combining Web Hacking and Binary Exploitation in Real World!

✇Orange
By: [email protected] (Orange Tsai)
24 February 2021 at 07:00
Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are

A New Attack Surface on MS Exchange Part 2 - ProxyOracle!

✇Orange
By: [email protected] (Orange Tsai)
6 August 2021 at 15:57
Author: Orange Tsai(@orange_8361) P.S. This is a cross-post blog from DEVCORE Hi, this is the part 2 of the New MS Exchange Attack Surface. Because this article refers to several architecture introductions and attack surface concepts in the previous article, you could find the first piece here: A New Attack Surface on MS Exchange Part 1

A New Attack Surface on MS Exchange Part 1 - ProxyLogon!

✇Orange
By: [email protected] (Orange Tsai)
6 August 2021 at 15:57
Author: Orange Tsai(@orange_8361) P.S. This is a cross-post blog from DEVCORE The series of A New Attack Surface on MS Exchange:A New Attack Surface on MS Exchange Part 1 - ProxyLogon!A New Attack Surface on MS Exchange Part 2 - ProxyOracle!A New Attack Surface on MS Exchange Part 3 - ProxyShell!A New Attack Surface on MS Exchange Part 4 - ProxyRelay!

A New Attack Surface on MS Exchange Part 3 - ProxyShell!

✇Orange
By: [email protected] (Orange Tsai)
18 August 2021 at 15:08
Author: Orange Tsai(@orange_8361) from DEVCORE P.S. This is a cross-post blog from Zero Day Initiative (ZDI) This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain we demonstrated at Pwn2Own 2021!  Please visit the following link to read that :)FROM PWN2OWN 2021

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!

✇Orange
By: [email protected] (Orange Tsai)
17 August 2022 at 16:00
Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there: Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides) Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (video - TBD) As the most fundamental Data Structure in Computer Science, Hash Table is extensively

A New Attack Surface on MS Exchange Part 4 - ProxyRelay!

✇Orange
By: [email protected] (Orange Tsai)
19 October 2022 at 07:58
This is a cross-post blog from DEVCORE. You can check the series on: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack Surface on MS Exchange Part 3 - ProxyShell! A New Attack Surface on MS Exchange Part 4 - ProxyRelay! Hi, this is a long-time-pending article. We could

從 2013 到 2023: Web Security 十年之進化與趨勢!

✇Orange
By: [email protected] (Orange Tsai)
12 August 2023 at 08:00
TL;DR for Hackers & Researchers: this is a more conceptual talk for web developers. All are in Mandarin but you can check the slides here if interested.好久沒有打部落格了,紀錄一下這次我在 WebConf 2023 上的演講,大概就是把 Web Security 這十年的演化趨勢分類、並給出相對應的攻擊手法當案例,雖然沒配演講看投影片應該不知道在供三小,不過有興趣還是可以點這邊獲得投影片!由於聽眾皆為網站開發者 (涵蓋前端、後端甚至架構師),因此選用的攻擊手法力求簡單、可快速理解又有趣,不談到防禦手法也在因為短短 45 分鐘內絕對涵蓋不完,所以給自己訂下的小目標是: 只要有一項也好,如果開發者遇到同樣場景、腦中會跳出個

❌
❌