h4fan security

blog about security, tech
h4fan  •  2026
  • How to detect fasterxml jackson deserialization vulnerabilities in a black-box test

    Steps for black-box detection of jackson deserialization

    Posted on January 15, 2021

    Preface: A while ago, fasterxml jackson got yet another new deserialization payload, and looking at the various vendor advisories I kept wondering when I would get to test a deserialization vulnerability myself. [Read More]
    Tags:
    • jackson
    • websec
    • deserialization
  • Learning XXE with gosecure

    Learning notes on Gosecure's XXE lab

    Posted on December 27, 2020

    LAB 1: Basic XXE. ./gradlew build did nothing; change the version in 21_rssviewer_xxe/gradle/wrapper/gradle-wrapper.properties to distributionUrl=https\://services.gradle.org/distributions/gradle-4.8.1-all.zip and rebuild. [Read More]
    Tags:
    • xxe
    • websec
  • Learning SSTI with gosecure

    Learning notes on Gosecure's SSTI lab

    Posted on December 25, 2020

    Lab URL: gosecure's SSTI tutorial, template-injection-workshop [Read More]
    Tags:
    • ssti
    • websec
  • Intigriti XSS Challenge-2020 Writeup

    Posted on December 15, 2020

    Intigriti’s December XSS Challenge https://challenge-1220.intigriti.io/ [Read More]
    Tags:
    • xss
  • An unsuccessful expressjs SSTI story

    Posted on December 14, 2020

    Recon Response Header x-powered-by: express. An expressjs website. [Read More]
    Tags:
    • ssti
    • expressjs
  • fortawesome is not a supply-chain security incident | 26 Apr 2026
  • Notes on analyzing a signature scheme implemented in wasm | 11 Sep 2024
  • javascript Object assignment (=) | 03 Sep 2024
  • intigriti challenge 0824 writeup | 03 Sep 2024
  • How to download only part of a Github Repo | 30 Aug 2024
  • research on service worker | 29 Aug 2024
  • the 'bad' psk | 28 Aug 2024
  • the eks cluster games CTF writeup | 05 Aug 2024
  • DoH - dns over https | 02 Aug 2024
  • the big iam challenge CTF writeup | 30 Jul 2024