NotSoSecure Blog

LDAP/XPATH Injection tools

16 Aug 2011

At this year’s Blackhat US, we conducted a small workshop titled “The Art of Exploiting Lesser Known Injection Flaws”. In the workshop we discussed a variety of techniques for exploiting…


APPSECUSA CTF! Another Write Up

06 Jul 2011

I recently came across the Appsec USA CTF. I must say it was a fantastic CTF and I wish there were more CTFs around application security topics. Well done Appsec…


BSQLBF v 2.7

20 Jun 2011

An updated version is now available for download. This supports the “-nomatch” switch. The -nomatch switch is the exact opposite of the -match switch, i.e., it will look for the supplied unique…


Upcoming Conferences

04 Jun 2011

It has been a long time since I posted something here; in fact, so long that I even forgot the password for the blog. So, just a small update on…


Oracle CPU Jan 2011

19 Jan 2011

Oracle recently patched a vulnerability which I reported in 2009. The vulnerability was a SQL Injection in procedure mdsys.reset_inprog_index(). This procedure cannot be executed by public and when I reported…


Magento E-commerce Persistent XSS

23 Nov 2010

In a recent pentest, I identified a critical security flaw within the Magento ecommerce solution. The flaw is a ‘text-book’ persistent XSS within the admin console which can be triggered by…


Oracle CPU: October 2010

16 Oct 2010

There are some very interesting issues fixed by Oracle in this month’s Critical Patch Update (CPU). Although, the details about the exact vulnerabilities are still not public. The ones which…


LFI..Code Exec..Remote Root!

20 Aug 2010

Recently on a pentest I came across an interesting Local file inclusion vulnerability. On this occasion it was definitely not a RFI and all I could do was include files…
