Exploiting Insecure Deserialization: Node-Serialize

Поделиться
HTML-код
  • Опубликовано: 19 сен 2024
  • Quick demo on how to exploit deserialization vulnerabilities using the Celestial machine from HTB:
    Blog Post: TBA
    SOCIALS📱
    =========
    Checkout my newsletter: www.navigating...
    Recommended Courses:
    PNPT Voucher: academy.tcm-se...
    PEH Course: academy.tcm-se...
    Python 101: academy.tcm-se...
    Windows Priv Esc Course: academy.tcm-se...
    Linux Priv Esc Course: academy.tcm-se...

Комментарии • 12

  • @apristen
    @apristen 11 месяцев назад

    thank you very much bro for "opening my eyes" and fresh idea of attack vector!
    previously I missed idea (shame🤦🏻‍♂) that cookies and other similar stuff in base64 with JSON inside are... also processed by nodejs!

  • @aqeebhussain9032
    @aqeebhussain9032 Год назад

    Brother, your explanations are fantastic! I can see you have a great understanding of deserialisation. Please keep your videos going, it’d be great to learn more from you. And of course, best wishes with your OSWE. You got this!

    • @tadii
      @tadii  Год назад

      I appreciate that! More to come hopefully

  • @apristen
    @apristen 11 месяцев назад

    7:47 - "Unexpected token " - it seems it expects token "" ! 🤣🤣🤣

  • @apristen
    @apristen 11 месяцев назад

    Sorry, but I still can't understand how code executed from JSON's string parameter?
    I didn't see eval() anywhere in the code (usually, in real life, in real sites nodejs backend codes) which process JSON input string fields 🙂

  • @huuloc8719
    @huuloc8719 Год назад

    good luck on your OSWE

    • @tadii
      @tadii  Год назад +1

      i appreciate that

  • @ogbooker4538
    @ogbooker4538 Год назад

    stay consistent please bro

    • @tadii
      @tadii  Год назад

      i'll try lol, work it kicking my ass

  • @likimbi
    @likimbi Год назад

    Can i start my cyber security journey (CCNA) with this one..Lenovo ThinkPad T470s Core i7-6600U 16GB 256GB SSD 1920x1080 IPS Backlit WWAN ..thank you

Следующие
Автовоспроизведение
What I Learned From 90 Day OSCP Lab Time15:44What I Learned From 90 Day OSCP Lab Time
What I Learned From 90 Day OSCP Lab TimeTadi
Просмотров 42 тыс.
Web Cache Deception vs Web Cache Poisoning31:40Web Cache Deception vs Web Cache Poisoning
Web Cache Deception vs Web Cache PoisoningTadi
Просмотров 1,3 тыс.
Hacking Windows TrustedInstaller (GOD MODE)31:07Hacking Windows TrustedInstaller (GOD MODE)
Hacking Windows TrustedInstaller (GOD MODE)John Hammond
Просмотров 633 тыс.
The Crossbow Cannibal - PhD Student and *Secret* Serial Killer?? | Mystery & Makeup36:41The Crossbow Cannibal - PhD Student and *Secret* Serial Killer?? | Mystery & Makeup
The Crossbow Cannibal - PhD Student and *Secret* Serial Killer?? | Mystery & MakeupBailey Sarian
Просмотров 969 тыс.
We EXPERIENCED a Luxurious LIFESTLYE for 24 Hours *SHOPPING SPREE*19:17We EXPERIENCED a Luxurious LIFESTLYE for 24 Hours *SHOPPING SPREE*
We EXPERIENCED a Luxurious LIFESTLYE for 24 Hours *SHOPPING SPREE*Wendy Ortiz
Просмотров 289 тыс.
iOS 18 is AMAZING! - Try these 10 things first!17:18iOS 18 is AMAZING! - Try these 10 things first!
iOS 18 is AMAZING! - Try these 10 things first!Proper Honest Tech
Просмотров 3 млн
Full Debate: Harris vs. Trump in 2024 ABC News Presidential Debate | WSJ1:49:25Full Debate: Harris vs. Trump in 2024 ABC News Presidential Debate | WSJ
Full Debate: Harris vs. Trump in 2024 ABC News Presidential Debate | WSJThe Wall Street Journal
Просмотров 13 млн
If you're a junior penetration tester, watch this...8:32If you're a junior penetration tester, watch this...
If you're a junior penetration tester, watch this...Tadi
Просмотров 1,5 тыс.
Master Rust Backend with Axum: Full-Stack Guide for Auth, PostgreSQL & Email Verification5:28:15Master Rust Backend with Axum: Full-Stack Guide for Auth, PostgreSQL & Email Verification
Master Rust Backend with Axum: Full-Stack Guide for Auth, PostgreSQL & Email VerificationAarambh Dev Hub
Просмотров 1,5 тыс.
Serialization - A Crash Course8:14Serialization - A Crash Course
Serialization - A Crash Course0612 TV w/ NERDfirst
Просмотров 125 тыс.
He left HackTheBox to build his own cybersecurity learning platform...35:39He left HackTheBox to build his own cybersecurity learning platform...
He left HackTheBox to build his own cybersecurity learning platform...Tadi
Просмотров 2,1 тыс.
How To Get Arrested In 30 Minutes: Cracking A GSM Capture File In Real-time With AIRPROBE And KRAKEN35:16How To Get Arrested In 30 Minutes: Cracking A GSM Capture File In Real-time With AIRPROBE And KRAKEN
How To Get Arrested In 30 Minutes: Cracking A GSM Capture File In Real-time With AIRPROBE And KRAKENRob VK8FOES
Просмотров 1,7 млн
Everyone hates the OSCP, but they still want it...11:10Everyone hates the OSCP, but they still want it...
Everyone hates the OSCP, but they still want it...Tadi
Просмотров 2,7 тыс.
Is this the best OSINT tool out there?!17:10Is this the best OSINT tool out there?!
Is this the best OSINT tool out there?!stuffy24
Просмотров 344 тыс.
I ask this question to every Backend Engineer I interview11:44I ask this question to every Backend Engineer I interview
I ask this question to every Backend Engineer I interviewHussein Nasser
Просмотров 383 тыс.
Master Burp Suite Like A Pro In Just 1 Hour51:29Master Burp Suite Like A Pro In Just 1 Hour
Master Burp Suite Like A Pro In Just 1 HourNetsec Explained
Просмотров 79 тыс.
Леша Жидковский не общается со своими друзьями по 3-4 месяца00:14Леша Жидковский не общается со своими друзьями по 3-4 месяца
Леша Жидковский не общается со своими друзьями по 3-4 месяцаKatya Adushkina
Просмотров 196 тыс.
Новые Пацанки. Остров // 1 выпуск. Премьера нового сезона3:08:24Новые Пацанки. Остров // 1 выпуск. Премьера нового сезона
Новые Пацанки. Остров // 1 выпуск. Премьера нового сезонаТелеканал ПЯТНИЦА
Просмотров 970 тыс.
Хаос Неделимый в #warhammer40k #hobsplay #вархамер00:32Хаос Неделимый в #warhammer40k #hobsplay #вархамер
Хаос Неделимый в #warhammer40k #hobsplay #вархамерHobsplay
Просмотров 85 тыс.
Ты никогда не видел эту сцену "Гарри Поттер и Философский камень" #ГарриПоттер00:41Ты никогда не видел эту сцену "Гарри Поттер и Философский камень" #ГарриПоттер
Ты никогда не видел эту сцену "Гарри Поттер и Философский камень" #ГарриПоттерiKnow Channel
Просмотров 362 тыс.
ШКОЛЬНАЯ ПОРА! Начало учебного года20:48ШКОЛЬНАЯ ПОРА! Начало учебного года
ШКОЛЬНАЯ ПОРА! Начало учебного годаSIDELNIKOVVV
Просмотров 293 тыс.
Наколдовала монстряшку #monsterhigh #monsterhigh202401:00Наколдовала монстряшку #monsterhigh #monsterhigh2024
Наколдовала монстряшку #monsterhigh #monsterhigh2024BersReview
Просмотров 130 тыс.
Never thought this girl can be a killer #shorts #cdrama #coupleofmirrors #movie #drama00:18Never thought this girl can be a killer #shorts #cdrama #coupleofmirrors #movie #drama
Never thought this girl can be a killer #shorts #cdrama #coupleofmirrors #movie #drama欢娱影视官方频道 China Huanyu Ent. Official Channel
Просмотров 11 млн
МАМА В 16 | 2 СЕЗОН, 3 ВЫПУСК | ИРИНА, САНКТ-ПЕТЕРБУРГ1:13:21МАМА В 16 | 2 СЕЗОН, 3 ВЫПУСК | ИРИНА, САНКТ-ПЕТЕРБУРГ
МАМА В 16 | 2 СЕЗОН, 3 ВЫПУСК | ИРИНА, САНКТ-ПЕТЕРБУРГМама в 16
Просмотров 1,7 млн