In .NET, the ViewState parameter contains information about the state of a user's session. It is serialized into the __VIEWSTATE parameter, which the browser sends back with every request.
People running .NET sites ran into the problem of the ViewState being too large, so developers added another variable called __VSTATE that carries a compressed copy of it.
Why does this matter? The field is serialized data that the server deserializes, which gives potential RCE if it isn't checked. Later, the built-in ViewState data was encrypted so that it couldn't be tampered with. However, those changes were not backfilled to __VSTATE.
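To make the gap concrete, here is the shape of the custom __VSTATE handling described above, with the unprotected load beside a hardened one. This is an added example, not code from the summarized post or from Higher Logic; the class name, the GZip choice and the MacModifier value are assumptions, and the matching save side (omitted) must use the same `new LosFormatter(true, MacModifier)` so the MAC is appended.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Web.UI;

// Hypothetical page base class using the "compress ViewState into __VSTATE" pattern.
public class CompressedViewStatePage : Page
{
    // Constructed MAC key modifier; ties the MAC to this page type.
    private const string MacModifier = "CompressedViewStatePage";

    protected override object LoadPageStateFromPersistenceMedium()
    {
        string field = Request.Form["__VSTATE"];
        return string.IsNullOrEmpty(field) ? null : LoadVstateHardened(field);
    }

    // Vulnerable shape: the parameterless LosFormatter() has MAC disabled, so
    // whatever object graph the client put in __VSTATE is deserialized with
    // no integrity check at all. This is the pattern the post describes.
    public static object LoadVstateUnsafe(string field)
    {
        byte[] raw = Decompress(Convert.FromBase64String(field));
        return new LosFormatter().Deserialize(Convert.ToBase64String(raw));
    }

    // Hardened: enableMac = true validates the machineKey-based MAC before
    // deserializing, so a tampered blob throws instead of being loaded.
    // This still depends on a machineKey that is unique to the deployment.
    public static object LoadVstateHardened(string field)
    {
        byte[] raw = Decompress(Convert.FromBase64String(field));
        var formatter = new LosFormatter(true, MacModifier);
        return formatter.Deserialize(Convert.ToBase64String(raw));
    }

    private static byte[] Decompress(byte[] data)
    {
        using (var gz = new GZipStream(new MemoryStream(data), CompressionMode.Decompress))
        using (var outp = new MemoryStream())
        {
            gz.CopyTo(outp);
            return outp.ToArray();
        }
    }
}
```

Simply removing the override and letting the default HiddenFieldPageStatePersister handle __VIEWSTATE gives you the framework's MAC and encryption without maintaining any of this yourself.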
Knowing about this issue, they decided to do a wide search for it. While searching on the code search platform, they saw that Higher Logic used this technique and might be vulnerable.
They set up an interactsh server (a personal Burp Collaborator), built a ysoserial payload and attempted the modification of the variable. Boom! It worked. A DNS interaction was spotted, indicating that this was successful.
The reporting process was extremely hairy. Higher Logic did not care at all, so they reported to IBM's and 8x8's bug bounty programs directly, who asked Higher Logic about it. Finally, the bug was fixed, but they refused to make a security release about it; only the customers who knew about it could ask for the patch.
They wrote up a nuclei template for scanning and found 1.7K websites that were vulnerable to the Higher Logic RCE bug. They sent another email informing Higher Logic about a planned public disclosure and blog post. This time, Higher Logic silently patched all of the affected sites without telling anyone about the issue.
A lot of the articles on this blog are inspired by other issues. I enjoy seeing where the ideas came from and how they helped the author track down the issues. Overall, a fun article that's explained like a veteran of the industry.