TL;DR for Hackers & Researchers: this is a more conceptual talk for web developers. All are in Mandarin but you can check the slides here if interested.好久沒有打部落格了,紀錄一下這次我在 WebConf 2023 上的演講,大概就是把 Web Security 這十年的演化趨勢分類、並給出相對應的攻擊手法當案例,雖然沒配演講看投影片應該不知道在供三小,不過有興趣還是可以點這邊獲得投影片!由於聽眾皆為網站開發者 (涵蓋前端、後端甚至架構師),因此選用的攻擊手法力求簡單、可快速理解又有趣,不談到防禦手法也在因為短短 45 分鐘內絕對涵蓋不完,所以給自己訂下的小目標是: 只要有一項也好,如果開發者遇到同樣場景、腦中會跳出個紅色小框框警告好像
This is a cross-post blog from DEVCORE. You can check the series on:
A New Attack Surface on MS Exchange Part 1 - ProxyLogon!
A New Attack Surface on MS Exchange Part 2 - ProxyOracle!
A New Attack Surface on MS Exchange Part 3 - ProxyShell!
A New Attack Surface on MS Exchange Part 4 - ProxyRelay!
Hi, this is a long-time-pending article. We could
Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there:
Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides)
Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (video - TBD)
As the most fundamental Data Structure in Computer Science, Hash Table is extensively
Author: Orange Tsai(@orange_8361) from DEVCORE
P.S. This is a cross-post blog from Zero Day Initiative (ZDI)
This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain we demonstrated at Pwn2Own 2021! Please visit the following link to read that :)FROM PWN2OWN 2021: A NEW
Author: Orange Tsai(@orange_8361)
P.S. This is a cross-post blog from DEVCORE
The series of A New Attack Surface on MS Exchange:A New Attack Surface on MS Exchange Part 1 - ProxyLogon!A New Attack Surface on MS Exchange Part 2 - ProxyOracle!A New Attack Surface on MS Exchange Part 3 - ProxyShell!A New Attack Surface on MS Exchange Part 4 - ProxyRelay!
Author: Orange Tsai(@orange_8361)
P.S. This is a cross-post blog from DEVCORE
Hi, this is the part 2 of the New MS Exchange Attack Surface. Because this article refers to several architecture introductions and attack surface concepts in the previous article, you could find the first piece here:
A New Attack Surface on MS Exchange Part 1
Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are in English
Author: Orange TsaiThis is a cross-post blog from DEVCORE. 中文版請參閱這裡
Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve
unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got
For non-native readers, this is a writeup of my DEVCORE Conference 2019 talk. Describe a misconfiguration that exposed a magic service on port 3097 on our country's largest ISP, and how we find RCE on that to affect more than 250,000 modems :P
大家好,我是 Orange! 這次的文章,是我在 DEVCORE Conference 2019 上所分享的議題,講述如何從中華電信的一個設定疏失,到串出可以掌控數十萬、甚至數百萬台的家用數據機漏洞!
前言
身為 DEVCORE 的研究團隊,我們的工作就是研究最新的攻擊趨勢、挖掘最新
First of all, this is such a really interesting bug! From a small memory defect to code execution. It combines both binary and web technique so that’s why it interested me to trace into. This is just a simple analysis, you can also check the bug report and the author neex’s exploit to know the original story :D
Originally, this write-up should be published earlier, but I am now traveling and
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
P.S. This is a cross-post blog from DEVCORE
Hi, this is the last part of Attacking SSL VPN series. If you haven’t read previous articles yet, here are the quick links for you:
Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs
Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as
Author: Meh Chang(@mehqq_) and Orange Tsai(@orange_8361)
This is also the cross-post blog from DEVCORE
Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish! If you cannot go to Black Hat or DEFCON for our talk, or you are interested in more details, here is the slides for you!
Infiltrating Corporate Intranet Like NSA: Pre-auth
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
P.S. This is a cross-post blog from DEVCORE
SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take
This is also a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本!
#2019-02-22-updated
#2019-05-10-updated
#2019-05-10-released-exploit code awesome-jenkins-rce-2019
#2019-07-02-updated the slides is out!
---
Hello everyone!
This is the Hacking Jenkins series part two! For those people who still have not read the part one yet, you can check following link to get some basis and
This is a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本!
# Part two is out, please check this
---
In software engineering, the Continuous Integration and Continuous Delivery is a best practice for developers to reduce routine works. In the CI/CD, the most well-known tool is Jenkins. Due to its ease of use, awesome Pipeline system and integration of Container, Jenkins is
In every year’s HITCON CTF, I will prepare at least one PHP exploit challenge which the source code is very straightforward, short and easy to review but hard to exploit! I have put all my challenges in this GitHub repo you can check, and here are some lists :P
2017 Baby^H Master PHP 2017 (0/1541 solved)
Phar protocol to deserialize malicious object
Hardcode anonymous function name \
Hi! This is the case study in my Black Hat USA 2018 and DEFCON 26 talk, you can also check slides here:
Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out
In past two years, I started to pay more attention on the “inconsistency” bug. What's that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parser
gCalc is the web challenge in Google CTF 2018 quals and only 15 teams solved during 2 days’ competition!
This challenge is a very interesting challenge that give me lots of fun. I love the challenge that challenged your exploit skill instead of giving you lots of code to find a simple vulnerability or guessing without any hint. So that I want to write a writeup to note this :P
The challenge
Author: Orange Tsai(@orange_8361) from DEVCORE
Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities.
This is an simple and interesting case, and seems easy to exploit in real world!
Affected
All PHP version
PHP 5 < 5.6.33
PHP 7.0 < 7.0.27
PHP 7.1 < 7.1.13
PHP 7.2 < 7.2.1
Vulnerability Details
The vulnerability is on the file ext/gd/
Hi, it’s been a long time since my last blog post.
In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences. It's really a memorable experience :P
Thanks Review Boards for the acceptance.
This post is a simple case
Before
GitHub Enterprise is the on-premises version of GitHub.com that you can deploy a whole GitHub service in your private network for businesses. You can get 45-days free trial and download the VM from enterprise.github.com.
After you deployed, you will see like bellow:
Now, I have all the GitHub environment in a VM. It's interesting, so I decided to look deeper into VM :P
把出過的 CTF Web 題都整理上 GitHub 惹,包括原始碼、解法、所用到技術、散落在外的 Write ups 等等
This is the repository of CTF Web challenges I made. It contains challs's source code, solution, write ups and some idea explanation.
Hope you will like it :)
https://github.com/orangetw/My-CTF-Web-Challenges
This is my talk about being a Bug Bounty Hunter at HITCON Community 2016
It shared some of my views on finding bugs and some case studies, such as
Facebook Remote Code Execution... more details
Uber Remote Code Execution... more details
developer.apple.com Remote Code Execution
abs.apple.com Remote Code Execution
b.login.yahoo.com Remote Code Execution... more details
eBay SQL Injection
千呼萬喚始出來XD
How I Hacked Facebook, and Found Someone's Backdoor Script (English Version)
滲透 Facebook 的思路與發現 (中文版本)
看來再找一個 Google 的 RCE 就可以把各大公司的 RCE 系列給蒐集全了XD
Login
