Research Worth Reading Week 48/2024

Published: 01 Dec 2024

Only content from Australia and New Zealand this week! Is the rest of the world asleep?

💎 Ruby 3.4 Universal RCE Deserialization Gadget Chain

If you like Ruby as much as I do, you will love Luke's post on Ruby 3.4 Universal RCE Deserialization Gadget Chain. Explore his improvements on the previous Ruby gadget.

🪄 Remote Code Execution with Spring Properties

From File Write to RCE, Steven guides us through this "tour-de-force" in this latest article: Remote Code Execution with Spring Properties.

🌐 Cross-Site POST Requests Without a Content-Type Header

Another article from Luke: Cross-Site POST Requests Without a Content-Type Header. While you're at it, read the rest of the blog 😉

👺 Tales From The Crypt: Microsoft Unicode Collation Oddities Leading to Software Vulnerabilities

I'm just going to share the first sentence of this article: "A goblin emoji and an empty string are the same thing, according to Microsoft SQL Server". That should be more than enough to pique your interest... Tales From The Crypt: Microsoft Unicode Collation Oddities Leading to Software Vulnerabilities

🔐 Windows - Data Protection API (DPAPI) Revisited

A great article from Claudio who I met twice this year! Deep dive into the Data Protection API in this article Windows - Data Protection API (DPAPI) Revisited.

Photo of PentesterLab
Written by PentesterLab
The platform to learn web hacking and security code review