Philippe Arteau
124 followers

Beware of the Magic SpEL(L) - Part 1 (CVE-2018-1273)
This post was originally posted on GoSecure's blog. This February, we ran a Find Security Bugs scan on at least one hundred components from the Spring Framework, including the core components (spring-core, spring-mvc) but also optional components (sprin...

Why you should consider Kotlin for Burp extension development
This post was originally posted on GoSecure's blog. This small article is an opinion piece explaining why we find the Kotlin language interesting and how its benefits apply to Burp extension development. Security professionals might not be aware of Kotlin. Howeve...

Beware of the Magic SpEL(L) – Part 2 (CVE-2018-1260)
This post was originally posted on GoSecure's blog. On Tuesday, we released the details of an RCE vulnerability affecting Spring Data (CVE-2018-1273). We are now repeating the same exercise for a similar RCE vulnerability in Spring Security OAuth2 (CVE-2018-1...

Auditing CSP headers with Burp and ZAP
Content Security Policy (CSP) is an HTTP header that instructs the browser to limit the loading of media, styles and scripts. As you may know, CSP is not yet adopted by industry. Multiple surveys have already been made about the adoption of the security...

XSS for ASP.net developers
This post was originally posted on GoSecure's blog. As a follow-up to the conference talk given at Confoo a few weeks ago, we are doing a focus article on the same topic. The presentation gave an overview of modern XSS attack vectors and filter bypasses. I...

Deserialization Vulnerability: Automating the hunt
At the end of 2015, many Java applications were found vulnerable to a common deserialization bug. It all started with a presentation at AppSecCali that demonstrated the danger of deserializing user input while having Apache Commons Collections in the classpath...

Automate dependencies checking
An application is like an iceberg. During a security code review, the focus will always be on the code written by the development team. It is easy to forget that most of the code running in production will be frameworks, libraries, the web server and the ope...

Security Code Review for Android applications
You are developing mobile applications and you have read the OWASP Mobile Top Ten Mobile Risks. You may be wondering what security tools can help you face the growing complexity of your Android applications. Well, there are plenty! In this article, I wil...

crossdomain.xml: Beware of Wildcards
This blog entry describes a widespread Flash vulnerability that affected many big websites, including paypal.com. The description pictures the state of the websites paypal.com and ebay.com in 2013-2014. The vulnerabilities were completely fixed t...

Predicting Struts CSRF Token (CVE-2014-7809)
A week has passed since the official release of Struts 2.3.20. I would now like to explain how the CSRF token could be "easily" predicted by taking advantage of the vulnerability...