PyJFuzz to the next level

October 20, 2016 Daniele

What is PyJFuzz

In the previous post I wrote about PyJFuzz, a project of mine focused on JSON fuzzing. It was developed entirely in Python and is based on the radamsa general-purpose fuzzer. As I promised, in this post I will talk about real-life fuzzing using PyJFuzz and Burp Suite. PyJFuzz is a modular, easy-to-use, easy-to-extend and easy-to-integrate JSON fuzzer; using it, you will be able to fuzz almost anything JSON-based with little effort.

Bludit CSRF Remote Command Execution

September 23, 2016 Daniele

Is CSRF so critical?

Yesterday, while I was auditing my own blog in order to fix all possible bugs, I discovered a trivial but effective vulnerability affecting the latest version of Bludit CMS. The bug was a CSRF caused by the absence of a token to validate some requests. Usually this kind of vulnerability is considered "not critical" because of its nature, since user interaction is required. CSRF may lead to different vulnerabilities, such as:

  • Cross Site Scripting
  • Internal File Disclosure
  • Information Leak
  • SQL Injection

Nibble Blog IP spoofing attack

September 22, 2016 Daniele

How does it happen?

I was surfing the net, looking for a responsive, easy-to-use CMS framework to bring
my blog to life! With a bit of luck I found a CMS called NibbleBlog. It was XML based (nice feature!), lightweight, and
just perfect for starting a blog!