Dan Amodio

Rugged Consumerism

Regarding PCI, and disclosure of data breaches.
My credit card recently got cancelled as a preventative measure for doing business with a particular merchant. Which merchant, I have no idea. How did the breach occur? No clue.

Remote Code with Expression Language Injection

Discovering and Exploiting a Spring Framework Vulnerability

Previously, Expression Language Injection has only meant information disclosure. I’ll illustrate how it can actually be used for remote code execution on Glassfish and potentially other EL 2.2 containers.

Mobile Applications & Proxy Shenanigans

Slides and Video from my AppSec USA 2012 presentation with David Lindner. Learn how to:

  • Set up an intercepting proxy. Android or iOS, SSL or non-SSL, device or emulator/simulator.
  • Overcome edge cases with a forward proxy.
  • Brief overview and references for Android APK reverse engineering.

Enterprise Security API (ESAPI) for C Plus Plus

The OWASP ESAPI for C Plus Plus was introduced to the community at AppSec DC 2012. Here are some key takeaways from the presentation:

  • ESAPI Project Overview, and why a C Plus Plus implementation is necessary.
  • Our approach to porting the ESAPI for Java API and a demonstration.
  • The future of ESAPI (3.0), and how to get involved.