The Security Vault

Building MirageVM: A JavaScript Virtual Machine for Code Obfuscation

Mon, 15 Dec 2025 15:37:27 +0000

Modern web applications face a persistent challenge: automated attacks that bypass traditional security measures. Captcha farms and AI-powered tools have made it increasingly difficult to distinguish between legitimate users and malicious bots. Services like anti-captcha and 2captcha can solve a lot of commercially available captchas, while AI tools enable sophisticated scripts to interact with web pages in ways that mimic human behavior or even solve captchas as well.

While the response was increasing captcha challenge complexity, these often frustrate legitimate users without effectively stopping determined attackers. The escalating arms race between security measures and bypass techniques has led many to seek alternative approaches.

Bots to the Rescue: How I Built an AI Security Wingman

Wed, 07 May 2025 15:37:27 +0000

Security operations teams spend a fair amount of time on repetitive administrative tasks. Answering recurring process questions, manually triaging alerts, guiding teams through procedures, maintaining documentation and tickets. The operational overhead is substantial.

Historically, these tasks required human oversight because they demanded enough contextual understanding to need judgment calls, yet followed predictable patterns. With recent advances in LLM capabilities for understanding context and executing complex instructions, many of these operational tasks can now be effectively automated.

Path Traversal & LFI can be worst than you think

Sun, 29 May 2022 15:37:27 +0000

LFI and Path traversal are not a new thing, but what most people don’t understand is the full impact of the vulnerability.

In this post I’ll cover different attack scenarios when exploiting a LFI vulnerability, like enumerating process, dumping environment variables, and on more extreme cases remote code execution (RCE).

LFI Recap

This type of attack happens when the application loads a file from the the filesystem and somehow the user can exploit this behavior to load unintended files and eventually retrieve its content.

We are making authentication systems wrong

Thu, 11 Nov 2021 00:00:00 +0000

For a long time I’ve been struggling with the way authentication systems work, as they don’t protect your password as they should. If you search for login best practices, like in OWASP, they’ll tell you things like hashing the password with a strong algorithm, use salt and pepper, limit attempts, and the most important, use https.

The Issue

Although all of this is true and should be done, all of this has a huge fail: Users need to trust their password to the server. In this common flow, the user needs to send the password to the server, and trust that the server will take good care of it. But saving it in the database its not all. In 2019 facebook found millions of passwords being written in plaintext to the logs for example. But even besides that, the server hashes and stores a protected version of the password in the DB, but what else can the server do with the unprotected version of the password?

What is and how to prevent Mass Assignment Vulnerabilities

Sun, 13 Jun 2021 00:00:00 +0000

First time I heard about mass assignment vulnerabilities was a long time ago, when I started learning Ruby & Rails. In fact I learnt a lot, security related back then, as Rails is a quite complex and secure framework, and to properly work with it you should understand the underlying mechanisms.

At that time Rails had just introduced a security feature called “Strong Parameters” to help protect against mass assignment attacks and I was curious about what it was for so I spent some time going through the docs.

Attacks with Zip Files and Mitigations

Fri, 12 Mar 2021 00:00:00 +0000

Once again, I bring a topic that I don’t see getting enough attention , and a lot of times this ends up being a big security issue in the targeted systems… Attacks with zip files, two different and interesting attacks.

ZipSlip

Zip Slip is a vulnerability discovered by Snyk and its a really simple concept. It allows to do some kind of path traversal when unzipping files. This happens because the zip specification allows to create file names like:

Are your mobile banking apps secure?

Sat, 06 Mar 2021 00:00:00 +0000

These past few days I’ve been doing some security checks in my mobile banking apps as I basically never did it since opening the accounts a lot of years ago. I was quite surprised with the difference of security among my bank applications, and it even motivated me to close one of the accounts.

In this article I’m going to compare some of the security features between two of my banks’ mobile applications, from the user perspective, without going into the underlying details of the coding implementation.

The Log Forging Vulnerability And How To Fix It

Sun, 10 Jan 2021 00:00:00 +0000

The Log Forging vulnerability, also known as Log Manipulation is a really low ranked vulnerability that in a lot of cases its to farfetched to be reliably exploited, but on others can be quite easy and cause real damage.

In this post we’ll understand what is log forging and see many different conditions that can cause the vulnerability or to increase the risk.

What is Log Forging

Log forging is a vulnerability where an attacker can manipulate the logs, by creating new entries. This usually happens because user input gets directly to the logs without any sanitisation.

Screen Caching

Sun, 01 Nov 2020 00:00:00 +0000

Screen Caching is another of those vulnerabilities nobody is paying attention to, and this one is quite important.

As an example, even most bank applications are usually ‘vulnerable’ to this issue (most of mine are). And this is a reality even for those focusing on security, like web based only banks.

So what is screen caching?

Screen caching is a mobile vulnerability, caused due to a performance/usability feature present in mobile OS’s.

How to use Facebook for Open Redirect attacks

Sat, 15 Aug 2020 00:00:00 +0000

Some days ago I found an Open Redirect in Facebook website, that I promptly reported to their Bug Bounty Program. There were a lot of warnings that Open Redirect’s are usually false positives, but this one looked legit to me.

Facebook disregarded the report, saying that wasn’t exploitable as there are protections in place against it.

So this is a blog post of a “not” open redirect issue in Facebook.

Understanding CORS and SOP bypass techniques

Thu, 23 Jul 2020 00:00:00 +0000

CORS which stands for Cross-Origin Resource Sharing is a system designed to help ‘bypass’ some of the restrictions introduced by Same Origin Policy (SOP prevents javascript code from interacting with resources from other origins).

Basically CORS lets us define a set of ‘rules’ to specify which resources can access responses from our server. By default no rule is defined, so SOP will only allow interactions form the same domain.

It is worth notice that SOP/CORS is applied basically for browser’s javascript. This means that if you write an application in Java, or even Node, it shouldn’t affect you in any way.

Auth Token in LocalStorage

Fri, 27 Mar 2020 00:00:00 +0000

Getting right to the point: storing a token in LocalStorage is insecure.
It’s getting more and more common to use token based authentication, specially on Single Page Applications (SPA) that need to communicate with an API. That is a good thing, and I really like the idea of JWT tokens.

Why localStorage is bad

Well, when working with cookies, the golden rule is that when storing sensitive information like an auth token, or a session, the cookie should be marked as httpOnly. This means that it cannot be accessed by javascript, preventing this way an attacker from stealing the sessions from other users if they find for example an XSS attack or if a javascript dependency included in the app gets compromised.

Security of the NPM Packages

Fri, 27 Mar 2020 00:00:00 +0000

Javascript (and typescript) is now one of the most used languages in new projects. It has an awesome performance, and Promises came to improve it even more. With it came tons of new tools and projects like Node and NPM. But not all is good, the security of the NPM packages is a worrying problem. Lets talk about it.

NPM stands for “Node Package Manager” and its a really easy to use tool to get and install dependencies for our projects. But this ease of use can also be used by malicious users.

Breaking C# SecureString

Sat, 18 Jan 2020 00:00:00 +0000

As discussed previously in Heap Inspection post keeping passwords and other sensitive data in memory may be insecure as they can be inspected or dumped.

Although it is almost impossible to completely mitigate Heap Inspection there are several techniques to reduce the time frame sensitive data keeps in memory, lowering the risk of exposure.

Lets review some of them:

Don’t store sensitive data as strings,
Use char arrays, and override their values when not needed anymore
Keep the data as less time as possible in memory
keep data encrypted if needed
Use as few instances of the data as possible

But besides these tricks there are also some constraints that will prevent you from doing it right:

Secure Password Hashing

Wed, 30 Oct 2019 00:00:00 +0000

Password Hashing 101: MD5 and SHA1 which are quite common, are already considered unsafe. So if you are using them, replace them with a secure algorithm. Even for checksums should not considered secure. Check references for more info.

Now that we put that aside lets start from the basics.

User passwords should always be stored in a one way hash.
This means that after hashing it the original content cannot be retrieved.

Hardcoded Passwords

Fri, 19 Jul 2019 00:00:00 +0000

Hardcoded passwords… This is a problem quite common, and most of the projects that I get my hands on have a hardcoded password somewhere.

But, what’s the problem of having for example the password of the database in the code?

Well, actually, a lot!

Lets start by the most straightforward scenario. Hardcoded passwords, (and when I say passwords I mean credentials, not just passwords) get into source control. From there its impossible to remove. If you share source control between all the developers, if you open source the project, everybody with access to it can see those credentials, and depending on the scenarios use them to login on a service. If you are concerned with Heap Inspection its also bad.

Reverse Tabnabbing

Wed, 26 Jun 2019 00:00:00 +0000

Reverse Tabnabbing or also known as Unsafe Target Blank is one of the most underrated vulnerability, and this is the one I like the most. It’s really easy to find an exploitable web application and it’s also quite easy to mitigate.

So what is Reverse Tabnabbing?

When you create a link that opens in a new tab (with target=’_blank’) the browsers injects two variables into the destination page, window.opener and window.referrer.

window.referrer just stores the website that opened the page.

Insecure Deserialization in Java

Mon, 17 Jun 2019 00:00:00 +0000

Insecure deserialization got in OWASP top 10 in 2017 as most of web applications written in Java and .net where found vulnerable and in most of the scenarios the vulnerabilities got to Remote Code Execution (RCE)

So lets see how this vulnerability works, how to exploit it and how to prevent it.

Deserialization in Java and the Read Object

package org.securitywhitepapers.deserialization;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
import ysoserial.payloads.ObjectPayload;

public class Main {

    private static String serializedFile = "serialized.bin";
    
    public static void main(String[] args) {

        try {
            //serialize an user object
            User u = new User("Whitepapers");
            serialize(u);
            
            //and this triggers the vulnerability
            u = (User)deserialize(serializedFile);
        } 
        catch (Exception ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
    
    private static Object deserialize(Object o)
    {
        FileInputStream fileIn = null;
        ObjectInputStream in = null;
        try 
        {
            fileIn = new FileInputStream(serializedFile);
            in = new ObjectInputStream(fileIn);
            return in.readObject();
        } 
        catch (FileNotFoundException ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        } 
         catch (IOException | ClassNotFoundException ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        } 
        finally {
            try {
                fileIn.close();
                in.close();
            } catch (IOException ex) {
                Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
            }
        }
        
        return null;
    }
    
    private static void serialize(Object o)
    {
        try {

            FileOutputStream fileOut = new FileOutputStream(serializedFile);
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(o);
            out.close();
            fileOut.close();
        } 
        catch (IOException ex){
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        } 
   }
}

In this small example we are creating an object of type User, serialize it and deserialize it.
And this is an exploitable implementation.

Weak Random

Mon, 17 Jun 2019 00:00:00 +0000

A lot of developers don’t know that regular Random is a weak random implementation. In fact its quite predictable. A lot of code relies on this class to generate passwords, tokens and other security related values, that in fact end up not being secure at all.

I’m going to focus on Java, but a lot of the concepts are the same for other languages

How Java (weak) Random Works

There are some nice articles about this on the net, the one that caught my eye when learning about this a long time ago was the one from Franklin To. This is an awesome article explaining how he replicated the Random class from java. Its quite easy to understand and I recommend everybody to read it.

XML External Entities (XXE)

Mon, 17 Jun 2019 00:00:00 +0000

XML and JSON are two formats ruling the web right now.
Although JSON’s adoption is increasing significantly specially with REST, XML is still widely used.

What most of developers don’t know is that most of the XML parsers out there by following the specification by default have major security flaws. In some cases (not that much) you can even get RCE (Remote Code Execution)

Lets start by the basics and understand the problem.

Heap Inspection

Sun, 16 Jun 2019 00:00:00 +0000

Heap Inspection is a vulnerability that most of the times developers don’t care about, since it is not easy to mitigate, and most of libraries/frameworks are not prepared to handle it.

So what is Heap Inspection?

Basically it’s just when you get access to a machine and get access to process memory data. Then you can search for passwords or other sensitive information.

The prevention for this is to have sensitive information in memory as less time as possible, and even encrypted if needed. When you don’t need the information, discard it.

How Antivirus works and bypass techniques - part 1

Sun, 16 Jun 2019 00:00:00 +0000

This time i’m not going to talk about a specific vulnerability. Instead I’m going to show how attackers disguise malware in order to bypass antivirus.

Antivirus 101

To start, we need to understand how AV works.
I’m just going to touch on the basics, but they should be enough to understand the logic behind all of this.

To know that a malware is actually a malware the AV checks an internal database where it stores what is called a signature. This signature is a peace of the malware, that should be unique to that program. In a lot of scenarios these signatures are strings or checksum hashes from the binaries.

Hello world!

Sat, 15 Jun 2019 00:00:00 +0000

“What hath God wrought?”
“Mr. Watson–come here–I want to see you.”
“Tere, kas sa kuuled mind?”
“QWERTYUIOP”
“just setting up my twttr”
“Merry Christmas.”
“Houston”
“Glory to God in the highest and on earth peace to men of good will.”
“Wait a minute, wait a minute, I tell yer, you ain’t heard nothin”

These are all probably just best sentences to start the first blog post then the ones I imagined so I’m leaving them all here