
Chris Frohoff

@frohoff.org.bsky.social

building things, breaking things, building things that break things. ysoserial night janitor. journeyman ctf plumber. he/him

180 Followers  |  786 Following  |  466 Posts  |  Joined: 10.10.2023  |  1.9547

Latest posts by frohoff.org on Bluesky

Scholars - Women in Security and Privacy WISP Privacy Statement

Today I’m raising money to send underrepresented folks to @defcon.bsky.social + other technical cons/training next year! Yes, you’ll get a tax write off ❤️

Hear our Scholar Stories for the impact of WISP: www.wisporg.com/scholars

Here’s the donation link! wisporg.app.neoncrm.com/forms/donation

03.12.2024 14:58 — 👍 59    🔁 29    💬 0    📌 4
Scene from "The Hobbit" movie with Elrond and Bilbo talking with meme text saying "it is said: go not to the principal engineers for counsel, for they will say both no and yes"

29.11.2024 19:30 — 👍 2    🔁 0    💬 0    📌 0

What I had read in multiple places seemed to indicate that it did not do that, but now I'm not so sure

26.11.2024 05:41 — 👍 1    🔁 0    💬 1    📌 0

Imported my previous posts from twitter. App should show a small indicator to note that it isn't new

26.11.2024 04:17 — 👍 1    🔁 0    💬 1    📌 0

speech and writing are just serialization for human thoughts #showerthoughts

06.02.2024 07:27 — 👍 2    🔁 0    💬 0    📌 0

summary of how apps tended to mitigate a reported deserialization vulnerability

25.08.2022 00:23 — 👍 0    🔁 0    💬 0    📌 0

summary of how gadgets tended to be introduced into a library

25.08.2022 00:17 — 👍 0    🔁 0    💬 1    📌 0

paper here https://arxiv.org/pdf/2208.08173.pdf

24.08.2022 23:59 — 👍 0    🔁 0    💬 1    📌 0

Some very cool research and analysis in this paper, but remember kids: don't assume that fixing/removing/blocking gadget classes is going to protect you if you're still deserializing objects from untrusted data https://twitter.com/TheRegister/status/1561805738699259905

24.08.2022 23:55 — 👍 0    🔁 0    💬 1    📌 0

Though tbf, anything trying to be an API is only as good as its documentation, contracts, and change control

24.08.2022 05:19 — 👍 0    🔁 0    💬 0    📌 0

Also, your internal app logs are not an API https://twitter.com/rakyll/status/1562239578865405952

24.08.2022 05:16 — 👍 0    🔁 0    💬 1    📌 0

More fun bespoke Oracle product java deserialization gadget chains and blacklist bypasses https://twitter.com/peterjson/status/1539920744129634305

24.06.2022 00:42 — 👍 0    🔁 0    💬 0    📌 0
ysoserial/src/main/java/ysoserial/payloads/URLDNS.java at master · frohoff/ysoserial A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. - frohoff/ysoserial

Fun fact: @gebl's URLDNS java deserialization gadget in ysoserial relies on exactly this obscure (and absurd) behavior to trigger a DNS lookup https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java#L27 https://twitter.com/ncweaver/status/1470453024870912000

14.12.2021 03:08 — 👍 0    🔁 0    💬 0    📌 0

This seems likely to be fruitful against a lot of apps out there. https://twitter.com/iangcarroll/status/1455580303578124291

05.11.2021 00:01 — 👍 0    🔁 0    💬 0    📌 0
The Illustrated TLS 1.2 Connection Every byte of a TLS connection explained and reproduced

Handy detailed TLS protocol reference https://tls.ulfheim.net/

19.10.2021 23:42 — 👍 0    🔁 0    💬 0    📌 0

https://twitter.com/josephfcox/status/1448711092201472006

14.10.2021 18:17 — 👍 0    🔁 0    💬 0    📌 0

Great analogy, and applicable to the whole tech industry https://twitter.com/kwestin/status/1445965144979218435

07.10.2021 19:16 — 👍 0    🔁 0    💬 0    📌 0

Good survey of Ruby ecosystem deserialization vulnerabilities https://twitter.com/zenn_dev/status/1442089822156296193

27.09.2021 15:20 — 👍 0    🔁 0    💬 0    📌 0

In my previous life as a lead sweng, our project's maven pom.xml literally listed my role as "code archaeologist" https://twitter.com/rakyll/status/1441832225595527169

25.09.2021 18:37 — 👍 0    🔁 0    💬 0    📌 0

Artistic rendition of code reuse attacks a la ROP and deserialization https://twitter.com/Rainmaker1973/status/1402664288104292353

21.09.2021 18:57 — 👍 0    🔁 0    💬 0    📌 0

Older post focusing on intra-service auth is also great https://web.archive.org/web/20200507173734/https://latacora.micro.blog/a-childs-garden/

08.09.2021 07:51 — 👍 0    🔁 0    💬 0    📌 0

Great overview and pros/cons of various types of auth tokens https://twitter.com/tqbf/status/1430278923653468168

08.09.2021 07:45 — 👍 0    🔁 0    💬 1    📌 0

That's the sound of 100k developers firing up Linux VMs https://twitter.com/QuinnyPig/status/1432720164169076755

31.08.2021 17:52 — 👍 0    🔁 0    💬 0    📌 0

I don't always do work on weekends, but when I do...

21.08.2021 22:38 — 👍 0    🔁 0    💬 0    📌 0

More excellent WebLogic deserialization gadget blocklist bypass work from @matthias_kaiser. I've lost count on all these. https://twitter.com/matthias_kaiser/status/1417837065060950021

21.07.2021 22:29 — 👍 0    🔁 0    💬 0    📌 0

PSA: folks should be aware that AWS Infinidash allows full read access by default so make sure you lock yours down with a fine-grained IAM policy

03.07.2021 21:30 — 👍 0    🔁 0    💬 0    📌 0

This would make a great April fool's day prank next year https://twitter.com/FooBartn/status/1411349844292247553

03.07.2021 19:37 — 👍 0    🔁 0    💬 0    📌 0
LayerOne 2021 CTF "Deathball: *" challenge series LayerOne 2021 CTF "Deathball: *" challenge series. GitHub Gist: instantly share code, notes, and snippets.

And if you want to play more, just run this docker-compose project locally and netcat to the entrance at port 4444

https://gist.github.com/frohoff/3a387ede3364f4ee2733fbffe7d297d0

31.05.2021 03:48 — 👍 0    🔁 0    💬 0    📌 0

For anyone who didn't finish the Deathball challenge series at @LayerOneCTF and was curious, here's the map of our pseudo-randomly generated network REPL container labyrinth:

31.05.2021 02:12 — 👍 0    🔁 0    💬 1    📌 0

Do the Germans also have a word for the guilt felt when relishing absurd levels of schadenfreude?

28.01.2021 17:50 — 👍 0    🔁 0    💬 0    📌 0
