Hello World!
Welcome to my net home. I used it just to have a summary of the stuff on which I work (and have worked).
.:Tips to handle Injection into Java application code:.
The objective of this document is to provide some tips for handling injection in Java application code.
It's a work in progress, aimed at creating a cheatsheet on the injection topic with the OWASP Java folks.
The cheatsheet's name will be "Stopping injection in Java cheatsheet".
.:Detection of potentially malicious files in file upload:.
POC to protect an application's document upload feature against "malicious" document submission.
It's part of ongoing work with the OWASP Java folks to create an article on the OWASP Wiki about this topic...
.:Hibernate Validator Security Contribs:.
Provides a set of content-checking constraint annotations, focused on security, using the JSR303 RI Hibernate Validation.
- Sources repository
- Documentation & metrics
- Browse issues
- Maven Snapshot distribution repository
- Maven Release distribution repository
Artefacts are also published to the Maven Central Repository.
Big thanks to Sonatype for this feature...
.:Android application to fuzz WIFI AP:.
This project is a POC trying to find vulnerabilities in WIFI access points (AP).
.:Docker image for web application security scanning:.
Docker build file creating an image of a box containing web application security scanners.
.:OWASP Wiki Contribs:.
- Protect a file upload feature against submission of files containing malicious code.
- Detect the profiling phase in a web application.
- W3C Content Security Policy specification: Set up in a web app.
- W3C Cross Origin Resource Sharing specification: Origin header scrutiny.
- W3C Cross Origin Resource Sharing specification: Request preflight process checking.
- Automated audit using W3AF.
- Automated audit using SQLMap.
- Automated audit using SKIPFISH.
- Automated audit using WAPITI.
- XPath code injection.
- Error page set up in Java Server Page.
- Error page set up in Java web application deployment descriptor.
- How to decompile Java code.
Rule specifications submitted (rules are validated, waiting for implementation by the SonarQube folks):
- Check about use of session identifier on server side.
- Check about XXE.
- Check about IV when ciphering with CBC.
CVEs that I have found during my job for Excellium CSIRT (awaiting publication by MITRE):
- CVE-2016-1161: Security issue affecting the product Password Manager Pro (PMP)
- CVE-2016-1159: Security issue affecting the product Password Manager Pro (PMP)
- CVE-2015-5606: Security issue affecting the product VORDEL XML GATEWAY
- CVE-2015-5462: Security issue affecting the product AXIOM
- CVE-2015-5463: Security issue affecting the product AXIOM
- CVE-2015-5384: Security issue affecting the product AXIOM
Other vulnerabilities that I have found during my job for Excellium CSIRT:
Talks given at conferences:
- VOXXED DAYS Luxembourg 2016: Abusing web browsers for fun and profit
.:IT Security Magazines articles:.
Article created for HAKIN9 and its associated magazines (in fact, I have realized that with this channel the information is not free, so I have stopped writing articles for magazines and focused on free wikis like OWASP, where information is freely available):