Category: Technical

Automating Jenkins Command Execution

Almost two years ago, Royce Davis (@r3dy__) published an article about leveraging a Jenkins application, which contained no password, to successfully compromise a system on an organization’s internal network environment. This was accomplished by using a functionality within the application to execute operating system commands. You can find more information about this post here: https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/. To…

SuperSerial-Active – Java Deserialization Active Identification Burp Extender

Definitively Identifying Java Deserialization Vulnerabilities [Part 1 of this blog series can be found here: Deserialization Passive Detection] To help our customers and readers definitively identify Java Deserialization vulnerabilities, we have created an additional Burp Suite Extender called “SuperSerial-Active” to complement our previous release of “SuperSerial-Passive” (https://github.com/DirectDefense/SuperSerial). Unlike the previous extender, which only passively identifies potential instances…

SuperSerial – Java Deserialization Burp Extension

Locating your Java Deserialization Issues [UPDATE: Part 2 of this blog series can be found here: Deserialization Active Identification] The weekend started off with a bang for some when Foxglove Security posted a blog pertaining to Java Deserialization issues. For application security folks, we just have to shake our heads once more. It comes as no surprise that…