Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pre-auth RCE in ForgeRock OpenAM- 542

Michael Stepankin - PortSwigger, posted 4 years ago
  • ForgeRock OpenAM is an access management product. While researching its OpenID/OAuth2 functionality, the author found a serious bug that had nothing to do with OAuth at all.
  • When doing source code analysis, there are a few things to look for. First, how is authorization done? Second, where are the dangerous sinks: deserialization, command execution, XML processing and similar pain points? Although source code analysis tools work, Michael highly recommends grinding through the source code by hand.
  • While looking through the application, the author noticed the use of Jato, a 20-year-old legacy framework without a single CVE assigned to it. Old and untouched code like that is exactly the kind of thing to go after.
  • Within Jato there was a field that was deserialized with no restrictions and appeared to be user controllable. To test whether the deserialization was exploitable, Michael crafted a serialized Java object and sent it to the endpoint to observe the behaviour.
  • To find a gadget chain, Michael used two tools, gadgetinspector and serianalyzer; one of them returned a valid chain that allowed code execution. After finding the custom gadget chain, he tried his luck on a few other applications within bug bounty scope.
  • The gadget-finding research is interesting, but not my cup of tea; the post has more details on how the gadgets work. To patch the bug, the endpoint that passed user-controllable data to Jato was removed entirely.
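The bug class behind these notes, a request parameter fed straight into Java deserialization, is easy to reproduce in miniature. The following is an added example written for this page; it is not code from Stepankin's post, from OpenAM or from Jato. The class and method names (PageStateDemo, restoreUnsafe, restoreFiltered, Canary) and the idea of a base64-encoded page-state parameter are assumptions for illustration. The Canary class stands in for a gadget: its readObject hook runs during deserialization, which is the foothold a real chain builds on. The hardened variant shows the fix a developer would apply if the endpoint could not simply be removed: an ObjectInputFilter allow-list (JDK 9+) that rejects unexpected classes before they are resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative stand-in for a web framework that round-trips page state through a
 * request parameter as a serialized Java object. All names here are assumptions made
 * for this example; this is not OpenAM or Jato code.
 */
public class PageStateDemo {

    /** Canary class constructed for this demo: its readObject hook executes during
     *  deserialization, exactly the behaviour a real gadget chain abuses. */
    static class Canary implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean fired = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            fired = true; // a malicious class would run attacker-chosen code here
        }
    }

    /** Vulnerable pattern: a base64 request parameter goes straight into ObjectInputStream,
     *  so any Serializable class on the classpath can be instantiated by the client. */
    static Object restoreUnsafe(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: an ObjectInputFilter allow-lists only the classes the page state
     *  legitimately contains (plus their serializable superclasses) and caps nesting depth.
     *  Everything else is rejected before the class is resolved, so no hook ever runs. */
    static Object restoreFiltered(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(param);
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    /** Serialize an object the way the framework would when emitting the parameter. */
    static String toBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Legitimate page state, constructed for the demo: a small map of strings to ints.
        Map<String, Integer> state = new HashMap<>();
        state.put("page", 1);
        String legit = toBase64(state);

        // Attacker-supplied parameter: a class the endpoint never intended to accept.
        String hostile = toBase64(new Canary());

        Canary.fired = false;
        restoreUnsafe(hostile);
        System.out.println("unsafe sink, canary fired: " + Canary.fired);

        Canary.fired = false;
        System.out.println("filtered sink, legit state: " + restoreFiltered(legit));
        try {
            restoreFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered sink rejected hostile input: " + e.getMessage());
        }
        System.out.println("filtered sink, canary fired: " + Canary.fired);
    }
}
```

Running it with `javac PageStateDemo.java && java PageStateDemo` shows the two sinks side by side: the unsafe path executes the canary's readObject hook from nothing but a client-supplied blob, while the filtered path restores the legitimate map and throws InvalidClassException on the hostile one before its hook can run. The filter string has to list serializable superclasses too (java.lang.Number for Integer), because the stream carries a class descriptor for each and the filter is consulted for every one; the same filter can be set process-wide with the jdk.serialFilter system property when the sink cannot be edited directly.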