Application Security

From Deploy WAR (Tomcat) to Shell (FreeBSD)

The goal of this post is to demonstrate how insecure deployment of network services can facilitate the compromise of your company's entire infrastructure. In this case the demonstration uses a default installation of Apache Tomcat [1] on a server running the FreeBSD operating system [2], with no configuration adjustments or post-installation hardening. During a test of…

Phishing scam using Conviso's name: don't fall for it!

Webinar: PIX and the Secure Development

Application Security, Uncategorized

Github Hacking for fun and... sensitive data search!

The Conviso Research and Development Team reads thousands and thousands of pieces of information daily; we apply filters and pay attention to certain keywords. We saw a very interesting post on Full Disclosure about advanced GitHub search. Right after reading it we shared it on our internal list, and this information plus a bit of GitHub hacking proved that GitHub is a Disneyland of…


Application Security

Exploiting Unsafe Reflection in Ruby/Rails Applications

There is a class of vulnerabilities known as Unsafe Reflection [1] that has not been much discussed in the Ruby/Rails community, despite being somewhat related to the recent deserialization vulnerabilities found in Rails. In Ruby, Unsafe Reflection vulnerabilities via constant creation normally occur when the Module#const_get method is called with user-controlled data. The Rails framework expands the…
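As an added example (not code from the original post), the following toy "report" lookup shows the pattern the excerpt describes: Module#const_get resolving a constant name taken straight from user input, beside a hardened version that maps input to a fixed allowlist. The PdfReport/CsvReport classes, the REPORTS table and the function names are all assumptions made for illustration.

```ruby
# Added example, not from the original post. Two toy report classes that a
# hypothetical endpoint is *supposed* to let the user choose between.
class PdfReport
  def render
    "rendered pdf"
  end
end

class CsvReport
  def render
    "rendered csv"
  end
end

# VULNERABLE: Object.const_get resolves *any* constant reachable from Object,
# not just the two report classes. User input such as "Kernel", "File" or a
# namespaced name like "File::Stat" resolves just as happily as "PdfReport",
# and whatever the caller does next (new, send, ...) now operates on an
# attacker-chosen class or module.
def report_class_unsafe(type)
  Object.const_get(type)
end

def run_report_unsafe(type)
  report_class_unsafe(type).new.render
end

# HARDENED: never hand user data to const_get. Map the untrusted string onto
# a frozen allowlist of constants and reject everything else. (Assumed
# allowlist; a real application would list its own report types.)
REPORTS = {
  "pdf" => PdfReport,
  "csv" => CsvReport,
}.freeze

def report_class_safe(type)
  REPORTS.fetch(type) do
    raise ArgumentError, "unknown report type: #{type.inspect}"
  end
end

def run_report_safe(type)
  report_class_safe(type).new.render
end

if __FILE__ == $PROGRAM_NAME
  puts run_report_unsafe("PdfReport")          # intended use works...
  p report_class_unsafe("Kernel")              # ...but so does any constant
  p report_class_unsafe("File::Stat")          # namespaced lookups too
  puts run_report_safe("csv")
  begin
    run_report_safe("Kernel")                  # rejected by the allowlist
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The key difference is that the safe version never lets the user's string reach Ruby's constant resolution at all; the lookup key is matched against a table the application controls, so an unexpected value cannot name a class or module the developer never intended to expose.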


Application Security

Ruby on Rails SQL Injection (CVE-2012-2695)

We found a SQL Injection vulnerability in Ruby on Rails that affected all versions and reported it to the Rails security team. On June 12th they released an advisory [1], patches and new versions that fix it. This vulnerability was also independently reported by other researchers. These new patches actually fixed two variants of the CVE-2012-2661 case, which we will cover later. First…
