The authenticataion telephone game

Link: Relaying 101 – LuemmelSec – Just an admin on someone else´s computer

Great primer on basic Responder tradecraft that’s probably well know by most reading here. What I like though and why I decided to highlight this piece was because it goes on to talk about ntlmrelayx, which isn’t nearly as widely known, even though it’s been around a long while. I think it comes partially from having to master a more advanced concept around the implicit network routing and access required for it to do it’s job most of the time. Seeing it in action is really helpful.

Up to date deserialization methodology

Link: Testing and exploiting Java Deserialization in 2021 | by AFINE | Feb, 2021 | Medium Extra Link: GitHub - NickstaDB/SerializationDumper: A tool to dump Java serialization streams in a more human readable form.

Just a solid article on how deserialization issues and testing in Java look as of now. Focuses on ysoserial and how to go about finding issues in a few different contexts. What caught my eye though was the serialized object parser/examiner. I know I have trouble just picking out serialized objects when I see them, so this was a cool tool to learn about.

Getting around WAFs

Link: Bypassing WAFs (Web Application Filters) | SECFORCE

While I don’t really agree on the pollution of the acronym (WAF, IMO, indicates a firewall, not a bit of framework code) the advice in this is solid. It’s not terribly advanced, but then it is very easy to get into the weeds with something like filter bypasses for anything other than a giant framework like ASP.Net or JavaEE. I liked how the examples were broken up into ‘cases’ and how a developer might have mitigated the issue by adjusting a regex. If you work with devteams who create web applications, maybe pass this along.