The is to accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.
15. Authentication bypass in Owin.cookie
● Two users created
○ sanjay@mailinator.com
○ admin@mailinator.com
● Goal
○ Impersonate sanjay@mailinator.com to
admin@mailinator.com user.
Demo web application
16. ViewState desealization
.NET used “ObjectStateFormatter”
● To deserialize ViewState
“ObjectStateFormatter” supported gadget of YSoSerial.Net
● ActivitySurrogateSelectorFromFile
● ActivitySurrogateSelector
● TextFormattingRunProperties
● PSObject
● TypeConfuseDelegate