NotSoSecure Blog

Hacking Oracle From Web: Part 2

28 Oct 2011

It has been a long time since I posted something. In 2010, I released a paper which talked about how to execute OS code when exploiting a SQL Injection in…

Read More

LDAP/XPATH Injection tools

16 Aug 2011

At this year’s Blackhat US, we conducted a small workshop titled “The Art of Exploiting Leser Known Injection Flaws”. In the workshop we discussed a variety of techniques for exploiting…

Read More

APPSECUSA CTF! Another Write Up

06 Jul 2011

I recently came across the Appsec USA CTF. I must say it was a fantastic CTF and i wish there were more CTFs around application security topics. Well done Appsec…

Read More

BSQLBF v 2.7

20 Jun 2011

An updated version is now available for download. This supports “-nomatch” switch. The -nomatch switch is exactly opposite of the -match switch, ie, it will look for the supplied unique…

Read More

Upcoming Conferences

04 Jun 2011

It has been a long time since i posted something here ; infact, so long that i even forgot the password for the blog So, Just a small update on…

Read More

Oracle CPU Jan 2011

19 Jan 2011

Oracle recently patched a vulnerability which I reported in 2009. The vulnerability was a SQL Injection in procedure mdsys.reset_inprog_index(). This procedure cannot be executed by public and when I reported…

Read More

Magento E-commerce Persistent XSS

23 Nov 2010

In a recent pentest, I identified a critical security flaw within Magento ecommerce solution. The flaw is a ‘text-book’ persistent XSS within the admin console which can be triggered by…

Read More

Oracle CPU:October 2010

16 Oct 2010

There are some very interesting issues fixed by Oracle in this month’s Critical Patch Update (CPU). Although, the details about the exact vulnerabilities are still not public. The ones which…

Read More