Rhino Security Labs

Strategic & Technical Blog

Java Deserialization Exploitation With
Customized Ysoserial Payloads

David Yesland

During a recent application assessment at Rhino we identified a Java deserialization vulnerability which ended up leading to unauthenticated remote code execution. Exploitation of the vulnerability turned out to not be as simple as…

Fuzzing Left4Dead 2 with CERT’s
Basic Fuzzing Framework

CloudGoat AWS Scenario Walkthrough: “EC2_SSRF”

Vulnerabilities Leading to RCE in
LabKey Server Biomedical Research Platform

David Yesland

This blog is a walkthrough of the three different vulnerabilities we discovered in the LabKey Server a biomedical research platform–Stored XSS (CVE-2019-9758), CSRF leading to RCE (CVE-2019-9926), and XXE (CVE-2019-9757) allowing…