<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>AvalZ</title><link>http://avalz.it/</link><description>Recent content on AvalZ</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 23 Mar 2023 00:00:00 +0000</lastBuildDate><atom:link href="http://avalz.it/index.xml" rel="self" type="application/rss+xml"/><item><title>Simulating Negative Lookaheads in non-PCRE Engines</title><link>http://avalz.it/post/2023-03-23-simulating-negative-lookaheads-in-non-pcre-engines/</link><pubDate>Thu, 23 Mar 2023 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2023-03-23-simulating-negative-lookaheads-in-non-pcre-engines/</guid><description>Negative lookaheads (and lookaround constructs in general) are an awesome feature in PCRE.
For example, to match all instances of abc, but only those that are NOT followed by def, you can use the following regex:
abc(?!def) However, some modern regex engines do not support lookaround constructs due to performance concerns. This is the case for the default regex engines in Go and Rust (for example, GitHub uses Rust, and so do its search features).</description></item><item><title>Attacking the Attackers</title><link>http://avalz.it/post/2020-05-21-metasploit-pro-xss-to-rce/</link><pubDate>Thu, 21 May 2020 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2020-05-21-metasploit-pro-xss-to-rce/</guid><description>The predator becomes the prey. When scanning with Metasploit Pro, your victim can counter with an XSS payload, and even take over your machine. Never trust your victim!
UPDATE: our paper &amp;ldquo;Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners&amp;rdquo; has been accepted at RAID 2020! Check out the full paper here.
Metasploit Pro - XSS to RCE We see the targets of our scan as passive entities, and this leads to underestimating the risk of performing a network scan.</description></item><item><title>Fileless cURL to Chromium</title><link>http://avalz.it/post/2019-03-08-fileless-curl-to-chromium/</link><pubDate>Fri, 08 Mar 2019 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2019-03-08-fileless-curl-to-chromium/</guid><description>Sometimes (especially during CTFs) I need to display the result of a REALLY specific HTTP request that I made with cURL in Chromium.
The naive and boring way of doing this would be something like this:
curl -s https://avalz.it &amp;gt; /tmp/page.html chromium /tmp/page.html rm /tmp/page.html For some reason, I got stubborn on not creating that temporary file, which led to the mess you can see below.
TL;DR curl -s URL | base64 -w 0 | xargs -i chromium &amp;#34;data:text/html;base64,{}&amp;#34; Breakdown The biggest issue is that chromium can&amp;rsquo;t open files from stdin, but only from URLs passed as argument.</description></item><item><title>Automatically trigger commands on source change</title><link>http://avalz.it/post/2018-02-14-trigger-source-change/</link><pubDate>Wed, 14 Feb 2018 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2018-02-14-trigger-source-change/</guid><description>Sometimes, you need to write a source file and &amp;ldquo;compile&amp;rdquo; (as in &amp;ldquo;run a generic script on it&amp;rdquo;) each time you edit it, just to see the final result.
On Ubuntu, you can use the inotifywait command to keep an eye on filesystem operations.
sudo apt install inotify-tools You can create a simple bash file such as this:
#!/bin/sh inotifywait -m . -e modify | while read path action file; do # Do something.</description></item><item><title>Security Challenges</title><link>http://avalz.it/post/2017-02-03-security-challenges/</link><pubDate>Fri, 03 Feb 2017 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2017-02-03-security-challenges/</guid><description>a.k.a. &amp;ldquo;How the sausage gets made&amp;rdquo;
Cyber security is widely accepted by companies around the world as a means of defending their precious data, and they try to find the best cyber security experts on the market. But HR often turns a blind eye to how security experts become good security experts: can you imagine a cop who&amp;rsquo;s not able to put himself in a thief&amp;rsquo;s shoes? Good security experts usually have a deep understanding of how an attack is carried out, and they often have to try to attack their own systems to check for vulnerabilities.</description></item><item><title>Building pretty slides using Markdown and pandoc</title><link>http://avalz.it/post/2017-02-01-build-pretty-slides/</link><pubDate>Wed, 01 Feb 2017 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2017-02-01-build-pretty-slides/</guid><description>Slides can be hard: you have to focus on content, then you have to make it pretty, add animations and stuff.
If you are like me, you hate using your mouse (except for games), you have a horrible taste in design and you just want to write content and have it styled omakase.
You probably use Beamer for slides, or something similar, but results may vary (see below).
Then again, if you are like me, you probably like your Beamer default theme just fine, and that&amp;rsquo;s cool and everything, but other people might actually have some kind of taste and we (unfortunately) have to respect that when building our slides.</description></item><item><title>Debunking the mysql_real_escape_string myth</title><link>http://avalz.it/post/2016-06-23-debunking-the-mysql_real_escape_string-myth/</link><pubDate>Thu, 23 Jun 2016 00:00:00 +0000</pubDate><guid>http://avalz.it/post/2016-06-23-debunking-the-mysql_real_escape_string-myth/</guid><description>Are you sure that mysql_real_escape_string is enough to sanitize your input? (Spoiler: it&amp;rsquo;s not)
From PHP Manual:
string mysqli_real_escape_string ( mysqli $link , string $escapestr )
link
Procedural style only: A link identifier returned by mysqli_connect() or mysqli_init()
escapestr
The string to be escaped. Characters encoded are NUL (0x00), \n, \r, \, &amp;rsquo;, &amp;quot;, and SUB (Ctrl-Z or 0x1A)
Despite what many believe, mysql_real_escape_string does not encode all MySQL special characters; it only encodes characters that may terminate a string.</description></item><item><title>Research</title><link>http://avalz.it/research/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>http://avalz.it/research/</guid><description>📃 G. Costa, E. Russo, A. Valenza. &amp;ldquo;Damn Vulnerable Application Scanner&amp;rdquo;, in Proceedings of the 5th Italian Conference on Cyber Security (ITASEC). 2021 - Damn Vulnerable Application Scanner (DVAS)
📃 G. Costa, M. Lualdi, M. Ribaudo, A. Valenza. &amp;ldquo;A NERD DOGMA: Introducing CTF to Non-expert Audience&amp;rdquo;, in Proceedings of the 21st Annual Conference on Information Technology Education (SIGITE). 2020
📃 A. Valenza, G. Costa, A. Armando. &amp;ldquo;Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners&amp;rdquo;, in Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID).</description></item></channel></rss>