Luke Jahnke (@nastystereo.com)
nastystereo.com
My latest blog post is live! Check your Ruby on Rails applications for the use of params[:_json]

nastystereo.com/security/rai...
December 10, 2024 at 8:30 AM
My latest blog post is live 🔥 Read it to learn what SafeMarshal is and *two* very different ways to escape and get RCE!

Read it to find out why Date is *not* a safe class in Ruby or how to leverage serialized strings being constructed with string concatenation!

nastystereo.com/security/rub...
December 4, 2024 at 4:57 AM
I hope to write a follow up post that covers the footguns I learnt about for R apps, especially jsonlite::fromJSON ;)
December 2, 2024 at 2:55 PM
New blog post is up!
Shiny Vulnerabilities in R's Most Popular Web Framework
nastystereo.com/security/r-s...

Turns out the programming language R is used for more than statistics, including web apps!
December 2, 2024 at 2:55 PM
My latest blog post is live! nastystereo.com/security/cro...

Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
November 27, 2024 at 9:10 AM
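One way to get the behaviour this post describes, as an added example (not code from the post or from nastystereo.com): the Fetch specification only attaches a Content-Type header for a Blob body when the Blob's type is non-empty, so an untyped Blob yields a POST with no Content-Type at all, which has no non-safelisted header and therefore triggers no CORS preflight. That mechanism is my assumption about the post's technique; the target URL, payload and the naive server-side filter below are constructed. The block only inspects Request objects and contacts nothing.

```javascript
// Added example: cross-site POST bodies and the Content-Type header the Fetch
// body-extraction algorithm gives each of them. Runs in Node 18+ (Request and
// Blob globals) or a browser. Hypothetical target and constructed payload.
const TARGET = 'https://victim.example/api/transfer';
const PAYLOAD = JSON.stringify({ to: 'attacker', amount: 100 }); // constructed sample body

// Content-Type that Fetch would attach for this body, or null if none is attached.
function contentTypeFor(body) {
  const req = new Request(TARGET, { method: 'POST', body });
  return req.headers.get('content-type');
}

// CORS preflight is triggered by a Content-Type whose essence is not safelisted.
// A request with no Content-Type header at all has nothing to trigger it.
const SAFELISTED = ['text/plain', 'multipart/form-data', 'application/x-www-form-urlencoded'];
function needsPreflight(body) {
  const ct = contentTypeFor(body);
  if (ct === null) return false;
  const essence = ct.split(';')[0].trim().toLowerCase();
  return !SAFELISTED.includes(essence);
}

// Three bodies carrying the same JSON text:
//   string      -> text/plain;charset=UTF-8 (safelisted, but most JSON endpoints reject it)
//   typedBlob   -> application/json (not safelisted, so a preflight is required)
//   untypedBlob -> no Content-Type header, no preflight
function buildBodies() {
  return {
    string: PAYLOAD,
    typedBlob: new Blob([PAYLOAD], { type: 'application/json' }),
    untypedBlob: new Blob([PAYLOAD]),
  };
}

// In a browser the untyped Blob goes cross-site with cookies attached:
//   fetch(TARGET, { method: 'POST', mode: 'no-cors', credentials: 'include', body: new Blob([PAYLOAD]) });
//   navigator.sendBeacon(TARGET, new Blob([PAYLOAD]));
// Both send the body with no Content-Type header and no preflight.

// Server side (constructed): a JSON endpoint that only rejects *wrong* content types
// lets a missing header through; the hardened check requires application/json explicitly.
function naiveAcceptsJson(contentType) {
  // "If a Content-Type is present and is not JSON, reject; otherwise assume JSON."
  return contentType === null || contentType.split(';')[0].trim().toLowerCase() === 'application/json';
}
function hardenedAcceptsJson(contentType) {
  // Missing header is a rejection, not a default.
  return contentType !== null && contentType.split(';')[0].trim().toLowerCase() === 'application/json';
}
```

The naive filter is the pattern that makes this technique matter: any framework or handler that treats an absent Content-Type as "parse as JSON" (or that gates CSRF protection on the header value) accepts the untyped-Blob request as if it had passed a preflight it never made.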
I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby!
It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social

nastystereo.com/security/rub...
November 25, 2024 at 5:27 AM