Dan Amodio

Hacker, Foodie, Musician, Dad.

Rugged Consumerism

Regarding PCI, and disclosure of data breaches.
My credit card recently got cancelled as a preventative measure for doing business with a particular merchant. Which merchant, I have no idea. How did the breach occur? No clue.

  • Do we have a problem with visibility into the security culture of organizations today?
  • How can I be more proactive as a consumer?


Remote Code with Expression Language Injection

Discovering and Exploiting a Spring Framework Vulnerability

Previously, Expression Language Injection has only meant information disclosure. I’ll illustrate how it can actually be used for remote code execution on Glassfish and potentially other EL 2.2 containers. We’ll cover the following:

  • Background on the original issue.
  • Play by play from discovery to exploitation.
  • Breadth of the issue, along with how to prevent it from affecting your applications.

This research was cross-posted from Aspect Security.


Mobile Applications & Proxy Shenanigans

Slides and video from my AppSec USA 2012 presentation with David Lindner. Learn how to:

  • Set up an intercepting proxy: Android or iOS, SSL or non-SSL, device or emulator/simulator.
  • Overcome edge cases with a forward proxy.
  • Get a brief overview of, and references for, Android APK reverse engineering.


Enterprise Security API (ESAPI) for C++

The OWASP ESAPI for C++ was introduced to the community at AppSec DC 2012. Here are some key takeaways from the presentation:

  • ESAPI project overview, and why a C++ implementation is necessary.
  • Our approach to porting the ESAPI for Java API and a demonstration.
  • The future of ESAPI (3.0), and how to get involved.
