On 6th October 2022 new CVE was released for critical vulnerability with identifier CVE-2022-41852. This vulnerability affects Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability.
Capturing network communication based on the TCP protocol and modifying it by creating a specialized Man-in-the-Middle proxy is one of many practices used for searching for security flaws in network applications. In this article, we will focus on the use of the cross-platform open-source application PETEP for testing fat clients using TCP protocols and show a simplified attack procedure on a sample vulnerable application.
Web server compromising very rarely means exploiting only one critical vulnerability, as can be seen for example in Hollywood movies. On the contrary, this type of compromising is usually possible due to a chain series of less serious, sometimes almost absurd, vulnerabilities. In this article, we will describe a real-life scenario in which it was exactly the chain of several vulnerabilities leading to a complete compromise of the web server.