Home

Sunrise from Crib Goch

Welcome to my space on the web! I’m a coder, information security consultant, and security researcher. I like mental challenges, particularly those involving reverse engineering, even more so if someone says “it can’t be done”.

Check out my blog to see what I’ve been up to. Let me know if you find it useful and feel free to ask questions, leave a comment, or get in touch.

Latest blog posts:

  • Adobe ColdFusion Deserialization RCE (CVE-2017-11283, CVE-2017-11238) 13/10/2017 - During my research into the Java Remote Method Invocation (RMI) protocol, the most common RMI service that I came across was Adobe ColdFusion’s Flex integration service which is used to...
  • When Parameterized Queries Won’t Help 9/10/2017 - The usual recommendation for vulnerabilities that enable us to manipulate database queries (SQL injection) is to use a method such as prepared statements (parameterized queries) to query the database. Correct...
  • Java’s BaRMIe Back Door 1/10/2017 - A week ago I released a tool that I have been working on to enable security professionals to interact with applications that utilise Java’s Remote Method Invocation (RMI). This is...
  • Attacking Java Deserialization 13/8/2017 - Deserialization vulnerabilities are far from new, but exploiting them is more involved than other common vulnerability classes. During a recent client engagement I was able to take advantage of Java...