Security

I appreciate the efforts of fellow security researchers and provide secure means for disclosing security vulnerabilities responsibly. As a reward, I will feature in the hall of fame the name, handle (e.g. Twitter) and/or website of the reporter of any valid vulnerability. Additional rewards are at my discretion.

Rules and Scope

A submitted vulnerability will only be validated if the researcher respects the following rules and scope.

Rules

The researcher shall not:

  • Use automated tools to find vulnerabilities.
  • Conduct non-technical attacks (e.g. social engineering, phishing, etc.).
  • Perform any attack on systems that aren’t listed under the scope section.
  • Perform any attack that could harm the reliability or integrity of target systems (e.g. denial of service, spam, etc.).

The researcher shall:

  • Respect responsible disclosure principles independently of the time taken to validate the report.
  • Immediately suspend all testing if any performance degradation of the target systems is noticed.

Vulnerability reports will be accepted as long as:

  • Any materials related to the vulnerability aren’t hosted on a public platform (e.g. YouTube) without prior consent.
  • The vulnerability hasn’t already been submitted by another researcher and isn’t already known.
  • The risk represented by the vulnerability isn’t considered acceptable.
  • The affected systems are in scope as defined below.

Scope

Any system that can be reached through a serializing.me (sub-)domain, with the notable exception of www.serializing.me, which is hosted by GitHub, is in scope. Also take into account that the following vulnerability types are specifically excluded:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting or banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt, etc.).
  • Clickjacking and issues only exploitable through clickjacking.
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies.
  • Lack of security speedbump when leaving the website.
  • OPTIONS HTTP method enabled.
  • Missing HTTP security headers (e.g. Strict-Transport-Security, X-Frame-Options, etc.).
  • TLS issues and attacks (e.g. BEAST, BREACH, forward secrecy not enabled, etc.).

How to Report

Please contact me using the GPG/PGP key as shown in the contact page.

Hall of Fame

Below is a list of security researchers, white hat hackers, and bug bounty hunters who have contributed to the security of my digital estate. This page is to provide recognition, to say thank you!

  • Jayesh Patel reported an HTTP Host Header Injection (Bugcrowd)

Privacy Policy

This Privacy Policy governs the privacy of this website, located at https://www.serializing.me. The policy sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users, the website and the website owners. Furthermore, the way this website processes, stores and protects user data and information is also detailed within this policy.

Definitions

Cookies are small files saved to the user’s computer’s hard drive that track, save and store information about the user’s interactions with and usage of the website.

Personal Information is non-public information that can be used to identify a user. Personal information may include information such as your name, email address, and other related information that you provide to us or that we obtain about you.

User Privacy

This website follows all legal requirements to protect your privacy. Our Privacy Policy is a legal statement that explains how this website approaches user privacy and how the necessary steps are taken to protect the privacy of its users throughout their visiting experience.

Use of Cookies

This website uses tracking software (to monitor its visitors in order to better understand how they use it) and advertisement software. These are provided by Google and are called Google Analytics and Google AdSense (respectively). They may use cookies to track visitor usage. The cookies are saved to your computer’s hard drive in order to track and monitor your engagement with and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information.

Other cookies may be stored on your computer’s hard drive by external vendors when this website uses advertisements. Such cookies are used for conversion and referral tracking and typically have a short expiry date. No personal information is stored, saved or collected. Users are advised that if they wish to deny the use and saving of cookies from this website onto their computer’s hard drive, they should take the necessary steps within their web browser’s security settings to block all cookies from this website and its external serving vendors.

To Other Websites

Our website may contain links to other websites that are not under this website’s control and hence have their own policies regarding privacy. We have no control over or responsibility for linked websites and provide these links solely for the convenience and information of our visitors. You access such linked websites at your own risk and you should adopt a policy of caution before clicking any external web links mentioned throughout this website. This website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.

You should check the privacy policies, if any, of those individual websites to see how the operators of those third-party websites will utilize your personal information. In addition, these websites may contain links to websites of our affiliates. The websites of our affiliates are not subject to this Privacy Policy, and you should check their individual privacy policies to see how the operators of such websites will utilize your personal information.

Advertisements

This website may contain advertisements. As previously stated, this website uses advertisement software provided by Google AdSense, which has a detailed privacy policy related directly to the advertisements it serves. You can read Google’s privacy policy here for further information. Clicking on any such advertisements will send you to the advertiser’s website through a referral program, which may use cookies and will track the number of referrals sent from this website.

Social Media

Platforms

Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to the privacy policies (as well as the terms and conditions) of each respective social media platform. Users are advised to use social media platforms wisely and to communicate/engage on them with due care and caution in regard to their own privacy and personal details. Neither this website nor its owners will ever ask for personal or sensitive information through social media platforms, and users wishing to discuss sensitive details are encouraged to contact them through other primary communication channels such as e-mail (see the contact page).

This website and its owners may share web links to relevant web pages through their social media platform accounts. By default, some social media platforms shorten lengthy links. Users are advised to use caution and good judgement before clicking any shortened links published on social media platforms by this website and its owners. Despite the best efforts to ensure that only genuine links are published, many social media platforms are prone to spam and hacking, and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.

Feeds

List of RSS feeds of this site that can be subscribed to.

Posts

Subscribe to receive the latest created posts.

Projects

Subscribe to receive the latest created projects.

Pages

Pages-only feed. It will contain any newly created page.

Combined

An aggregated feed of all the content, which includes pages, posts and projects.

Contacts

One can follow me on Mastodon (or Twitter) and subscribe to my YouTube and Twitch channels, or check my profiles at GitHub and Bugcrowd. You can also drop me a line by e-mail. If you want to keep the content of any communication private, feel free to use GPG/PGP to do so.


Contributions

Over time, I have contributed to some Open Source Software projects. What follows is a list of such contributions. The list of contributions is grouped by project and sorted in chronological order.

Metasploit

  1. Fixed AnyConnect IPC message format (#17564).

IVRE

  1. Minor fixes to IVRE’s web interface (#601).
  2. NSE script sslv2-drown causes import error (#631).
  3. Added the display:vulnerability search filter directive (#634).
  4. Fixed an issue with the calculation of the top CPEs (#635).

stoQ Framework

  1. Integration between stoQ Framework and LIEF (#22).
  2. Updated integration between stoQ Framework and LIEF to the latest API (#44).
  3. Fix LIEF plugin usage of stoQ’s configuration API (#107).

Pafish

  1. Fix the compilation under Linux with MinGW cross-compiler (#29).
  2. Added extra checks for VMware and Wine (#31, as reported in #15).
  3. Disabled Wow64 file system redirection (#34).
  4. Added a check for less than one GiB of memory (#35).
  5. Fixed some compilation warnings (#37).
  6. Added HackingTeam VM detection methods (#39).

Evilarc

  1. Added support for prepending a path to a traversal (#3).

bash-portscanner

  1. Some fixes and improvements (#1).

Suricata

  1. Cleaned up repeated code (#482).
  2. Unified2 alert output X-Forwarded-For support rewrite and improvement (#544).
  3. Fix the segmentation fault while logging the host on the custom HTTP logger (#734).
  4. Simple code fixes (#1105).
  5. Added X-Forwarded-For support to JSON logging (#1254).
  6. Added support for SHA1 and SHA256 (#2252).

AisLib

  1. Added missing AIS message types (#1).

Logback

  1. Fixed an issue where exception stack traces were being included (#34).

Nmap

Change log can be found here.

  1. Improvements to smtp-open-relay.nse.
  2. Created the smtp-enum-users.nse, which attempts to find user account names over SMTP by brute force testing using RCPT, VRFY, and EXPN tests.
  3. Created the http-vuln-cve2011-3192.nse that detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
  4. Made http-wordpress-enum.nse able to get names of users who have no posts.
  5. Added a path argument to the http-auth.nse script and updated the script to use stdnse.format_output.
  6. Added new fingerprints to http-enum.nse for Subversion, CVS and Apache Archiva.
  7. Applied patch to snmp-brute.nse that solves problems with handling errors that occur during community list file parsing.
  8. Added new services and the ATTACK category to the dnsbl script.
  9. Fixed a bug in http-wordpress-users.nse that could cause extraneous output to be captured as part of a username.

Licensing

Content (e.g. research, documentation, images, etc.) on this website that is of my authorship (see the about page) is by default (i.e. when not otherwise stated) published under the terms of the Creative Commons Attribution-NonCommercial 4.0 International License. There are some notable exceptions to this rule:

This includes content hosted by third parties (e.g., GitHub, YouTube, etc.)

Third Parties

This website makes use of the following third party software:

  • jQuery (license terms can be found here).
  • FontAwesome (license terms can be found here).
  • Bootstrap (license terms can be found here).

About

Yet another blog about personal projects and research, thoughts and ideas. Just about anything that I’m tinkering with at the moment, but focusing on one of my passions, Communications and Information Systems (CIS) security.

Author

I was always fond of understanding how things worked, breaking them down and putting them back together. In high school I started moving away from hardware to software. I decided to follow a CIS-specific course for the three years that preceded college. I was also an avid online gamer, and when in college I decided to apply my basic reverse engineering skills (previously used against basic executable packers and the like) to the online First Person Shooter (FPS) game Unreal Tournament.

Granted, at the time the Unreal Engine was already somewhat documented (a community effort), but on the other hand, the anti-cheat systems were not. This was my first one hundred percent dedicated effort in the realm of CIS security. Experience was gained in Windows internals and development, assembly and the tools of the trade.

Later on, I started branching into other areas of CIS security. After finishing my degree, I was focusing on web-based application security when I took up duties as a software developer at a small consulting company. The company was small and diverse in its activities: I was doing software development, middleware installation and support, and after my employers noticed my interest and skill in discovering security vulnerabilities in web applications, I performed my first professional security assessment. After that, I got to do more security assessments and had the possibility to grow professionally in an area to which I had always only been able to dedicate my free time.

Disclaimer and Support

Even though some of the content I create may relate to something I have been dealing with or have dealt with in the past in my work environment, my views are my own and not those of my current or past employers. There is no support (i.e. financial or otherwise) from them; the development of this site and the creation of the content that is published on it and on other platforms (e.g., YouTube, Twitch, etc.) is done on my own time. While I take a completely independent approach to any subject, I do accept donations. As such, if you want to help support the creation of new content, don’t be afraid to donate by contacting me, or if you prefer cryptocurrencies, use the QR codes below :)

  • Bitcoin Address: 38VZd5rg4DziZ2S2rkKyExtXs338UypfGJ
  • Litecoin Address: LcXizY3wKrZkauFbxmniV1uiUXxAtq8wkZ
  • Monero Address: 86eRDKaY7gMXWrVnZuJmYQJJx5xHwW5yFP1rEXcqG79NUbLPeL3pHRz4fdLddec41MGLDxT3YBems36EifpdVAaoUXsZ9f1

Note that when donating, you are certifying that you own the funds and acknowledge that all donations are non-refundable.