In this blog I present two vulnerabilities I found in Azure Functions and another very interesting case of a padding oracle, available as an undocumented HTTP endpoint on every Function instance. Initially I was ecstatic about this finding, as theoretically it would have allowed me to achieve remote code execution over arbitrary Azure Functions. However, in a twist of irony, an implementation bug in Microsoft’s Cryptography codebase made this oracle dysfunctional (a false oracle!) and I could not achieve RCE.
The first vulnerability allowed an attacker with code execution over a Function to escalate privileges by installing a permanent…
For more than 2 years, Blockfolio was vulnerable to any attacker stealing their source code and perhaps even injecting his own code into their repositories.
This is a quick write-up about how I was able to find a GitHub token to Blockfolio.
Blockfolio is the most popular cryptocurrency price tracking app, with more than 1 million downloads on Android alone. They offer an interface to watch cryptocurrency prices, set alerts for price movements and even monitor your portfolio (through inputting read-only exchange API keys).
I’ve been into Crypto coins for a little while now, and it’s common knowledge that using…
Welcome to a tutorial on building your first LLVM-based obfuscator!
In this post we will briefly present LLVM, discuss popular obfuscation approaches and their shortcomings, and build our own epic LLVM-based string obfuscator.
All the code I present in this article is also available on GitHub.
LLVM is a compiler framework built with the purpose of reducing time and cost of constructing new language compilers. With LLVM, all a language has to do is implement a “front-end” to LLVM. …