Chris Frohoff
@frohoff.org
building things, breaking things, building things that break things. ysoserial night janitor. journeyman ctf plumber. he/him
Reposted by Chris Frohoff
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Chris Frohoff
Today I’m raising money to send underrepresented folks to @defcon.bsky.social + other technical cons/training next year! Yes, you’ll get a tax write off ❤️
Hear our Scholar Stories for the impact of WISP: www.wisporg.com/scholars
Here’s the donation link! wisporg.app.neoncrm.com/forms/donation
Scholars - Women in Security and Privacy
WISP Privacy Statement
www.wisporg.com
December 3, 2024 at 2:58 PM
speech and writing are just serialization for human thoughts #showerthoughts
February 6, 2024 at 7:27 AM
Some very cool research and analysis in this paper, but remember kids: don't assume that fixing/removing/blocking gadget classes is going to protect you if you're still deserializing objects from untrusted data https://twitter.com/TheRegister/status/1561805738699259905
November 22, 2024 at 7:36 AM
Also, your internal app logs are not an API https://twitter.com/rakyll/status/1562239578865405952
November 22, 2024 at 7:36 AM
More fun bespoke Oracle product java deserialization gadget chains and blacklist bypasses https://twitter.com/peterjson/status/1539920744129634305
November 22, 2024 at 7:36 AM
Fun fact: @gebl's URLDNS java deserialization gadget in ysoserial relies on exactly this obscure (and absurd) behavior to trigger a DNS lookup https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java#L27 https://twitter.com/ncweaver/status/1470453024870912000
ysoserial/src/main/java/ysoserial/payloads/URLDNS.java at master · frohoff/ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. - frohoff/ysoserial
github.com
November 22, 2024 at 7:36 AM
This seems likely to be fruitful against a lot of apps out there. https://twitter.com/iangcarroll/status/1455580303578124291
November 22, 2024 at 7:36 AM
Handy detailed TLS protocol reference https://tls.ulfheim.net/
The Illustrated TLS 1.2 Connection
Every byte of a TLS connection explained and reproduced
tls.ulfheim.net
November 22, 2024 at 7:36 AM
Great analogy, and applicable to the whole tech industry https://twitter.com/kwestin/status/1445965144979218435
November 22, 2024 at 7:35 AM
Good survey of Ruby ecosystem deserialization vulnerabilities https://twitter.com/zenn_dev/status/1442089822156296193
November 22, 2024 at 7:35 AM
In my previous life as a lead sweng, our project's maven pom.xml literally listed my role as "code archaeologist" https://twitter.com/rakyll/status/1441832225595527169
November 22, 2024 at 7:35 AM
Artistic rendition of code reuse attacks a la ROP and deserialization https://twitter.com/Rainmaker1973/status/1402664288104292353
November 22, 2024 at 7:35 AM
Great overview and pros/cons of various types of auth tokens https://twitter.com/tqbf/status/1430278923653468168
November 22, 2024 at 7:35 AM
That's the sound of 100k developers firing up Linux VMs https://twitter.com/QuinnyPig/status/1432720164169076755
November 22, 2024 at 7:35 AM
I don't always do work on weekends, but when I do...
November 22, 2024 at 7:35 AM
More excellent WebLogic deserialization gadget blocklist bypass work from @matthias_kaiser. I've lost count on all these. https://twitter.com/matthias_kaiser/status/1417837065060950021
November 22, 2024 at 7:35 AM
PSA: folks should be aware that AWS Infinidash allows full read access by default so make sure you lock yours down with a fine-grained IAM policy
November 22, 2024 at 7:35 AM
This would make a great April fool's day prank next year https://twitter.com/FooBartn/status/1411349844292247553
November 22, 2024 at 7:35 AM
For anyone who didn't finish the Deathball challenge series at @LayerOneCTF and was curious, here's the map of our pseudo-randomly generated network REPL container labyrinth:
November 22, 2024 at 7:35 AM
Do the Germans also have a word for the guilt felt when relishing absurd levels of schadenfreude?
November 22, 2024 at 7:35 AM
wow, that's quite an impressive pile of java deserialization vulns https://twitter.com/pedrib1337/status/1333712867246292993
November 22, 2024 at 7:35 AM
Use the cloud, they said...
November 22, 2024 at 7:35 AM