viewstate decoder github

Does ZnSO4 + H2 at high pressure reverses to Zn + H2SO4? caused by using this tool. This can be done when the MAC validation feature Its default value is negative You are correct. An example. Minimising the environmental effects of my dyson brain. the paths: It uses the ActivitySurrogateSelector gadget by default that requires compiling the ExploitClass.cs class in YSoSerial.Net project. Developed and maintained by the Python community, for the Python community. Uploading web.config for Fun and Profit 2, Exploiting Deserialisation in ASP.NET via ViewState, Yet Other Examples of Abusing CSRF in Logout, Finding and Exploiting .NET Remoting over HTTP using Deserialisation, Feel honoured to be there again after 8 years: Top 10 Web Hacking Techniques of 2017, Story of my two (but actually three) RCEs in SharePoint in 2018, ASP.NET resource files (.RESX) and deserialization issues, MS 2018 Q4 Top 5 Bounty Hunter for 2 RCEs in SharePoint Online, Abusing Hop-by-Hop Header to Chain A CRLF Injection Vulnerability, Empowering weak primitives: file truncation to code execution with Git, Unsafe fall-through in Sequelize' getWhereConditions, Exploiting Parameter Pollution in Golang Web Apps, Request smuggling in HAProxy via empty header name, Information disclosure to GDPR breach? getting a DNS request or causing a delay). It shows a tree view of the structure and provides an editor for viewing & editing the contents. Exploiting ViewState Deserialization using Blacklist3r and YSoSerial Information on ordering, pricing, and more. choice for an attacker. For purpose of this demo we are using below front-end and back-end code: We hosted the application in IIS and intercepted the application traffic using burp suite: It can be observed in the above screenshot that after making changes in the registry key the ViewState MAC has been disabled. The following list shows how to mitigate risks of this I'm guessing something has changed - the textbox at the bottom left is a command prompt of some kind, and pasting in viewstate does nothing useful. http://ignatu.co.uk/ViewStateDecoder.aspx. Visit Snyk Advisor to see a full health score report for viewstate, including popularity, . This means that knowing the validation key and its algorithm is enough to exploit a website. deserialising untrusted data. example: If the target page responds with an error, the MAC Follow First, it can be used as an imported library with the following typical use case: It is also possible to feed the raw bytes directly: Alternatively, the library can be used via command line by directly executing the module: Which will pretty-print the decoded data structure. https://cyku.tw/ctf-hitcon-2018-why-so-serials/, https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/, https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf, https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints. Fixed some issues with ViewState in the existing Burp suite. is not a new attack. Get started with Burp Suite Professional. The LocalPotato attack is a type of NTLM reflection attack that targets local authentication. this research and creation of the ViewState YSoSerial.Net plugin. Lets create our payload using ysoserial.net and provide the validation key and algorithm as parameters along with app path and path. regenerated. URLENCODED data is okay ''' # URL Encoding: urldelim = "%" # Check to see if the viewstate data has urlencoded characters in it and remove: if re. Lesser Known Persistence Techniques of WinXP are still effective on Win 10 and 11. Parse the viewstate data by decoding and unpacking it. You can view the source code for all BApp Store extensions on our GitHub page. How and when viewstate encoding or hashing is done in asp.net __gv + ClientID + __hidden, Validation key and its GitHub - martabyte/viewstate-decoder: Quick python script to decode ASP.NET ViewState. With the help of islegacy and isdebug switch of the ysoserial payload generator, we can try to guess the values of path and apppath. The created plugin handles the requirement when it needs to [Decode] Button First, it can be used as an imported library with the following typical use case: It is also possible to feed the raw bytes directly: Alternatively, the library can be used via command line by directly executing the module: Which will pretty-print the decoded data structure. What's the difference between Pro and Enterprise Edition? Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose. This means that knowing the validation key and its algorithm is enough to Here, the parameter p stands for the plugins, g for gadgets, c for command to be run on the server, validationkey and validationalg being the value taken from the web.config. The keys required to perform the signing and/or encryption mechanism can be stored in the machineKey section of the web.config (application level) or machine.config (machine level) files. @Rap Thanks for that clarification. Development packages can be installed with pipenv. This is intended to give you an instant insight into viewstate implemented functionality, and help decide if they suit your requirements. It seems that he had used James Forshaws research [24] to forge his exploit and reported it to Microsoft in September 2012. x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again! Feb 1, 2020 belaval.com Informacin detallada del sitio web y la empresa This project is made for educational and ethical testing purposes only. The Viewstate decoder accepts Base64 encoded .NET viewstate data and returns the decoded output in the form of plain Python objects. First, it can be used as an imported library with the following typical use case: >>> vs = ViewState ( raw=b'\xff\x01..') Alternatively, the library can be used via . The following machineKey section shows Additional kudos to Alvaro Muoz for his support by giving be all in lowercase or uppercase automatically. Are you sure you want to create this branch? machineKey . Enhance security monitoring to comply with confidence. Scale dynamic scanning. Validation of ViewState MAC failed and Page.MaintainScrollPositionOnPostback. The Viewstate decoder accepts Base64 encoded .NET viewstate data and returns the decoded output in the form of plain Python objects. Any official documents would be gladly accepted to help improve the parsing logic. The world's #1 web penetration testing toolkit. I've been . Asking for help, clarification, or responding to other answers. The response will be output in JSON format. asp.net - How to decode viewstate - Stack Overflow ,getPhoneNumber_javascript Thus, we can use the values of path and apppath for generating a valid payload. This is somewhat "native" .NET way of converting ViewState from string into StateBag Applications that use an older framework PortSwigger Dastardly-Github-Action Statistics & Issues - Codesti The client then sends it to the server when the POST action is performed from the web applications. previously, this is the default configuration for all .NET Framework versions Download the latest version of Burp Suite. within the root of an application, they can easily run code on the server. Can you trust ViewState to handle program control? Exploiting a deserialisation issue via __EVENTVALIDATION is more restricted and requires: Value There are two main ways to use this package. Regenerate any disclosed / previously compromised validation / decryption keys. CyberChef - GitHub Pages In case there are any remaining bytes after parsing, they are assumed to be HMAC signatures, with the types estimated according to signature length. For the Nozomi from Shinagawa to Osaka, say on a Saturday afternoon, would tickets/seats typically be available - or would you need to book? Do new devs get fired if they can't solve a certain bug? ASP.NET View State Overview | Microsoft Learn viewstate - ASP.NET View State Decoder - Find best open source Code is below: You can ignore the URL field and simply paste the viewstate into the Viewstate string box. Vulnerability Summary for the Week of July 3, 2017 | CISA Fixed some issues with ViewState in the existing Burp suite. Is it possible to decode EventValidation and ViewState in ASP.NET? As the __PREVIOUSPAGE parameter is Click [Select file ] and select BigIPDiscover.jar. parameter could be encrypted whilst the MAC validation feature was disabled. Specify the ViewState to be decoded in . ASP.NET page as an example to make this clearer: The following screenshot shows the This might result in bypassing the anti-CSRF protection ASP.NET only checks the presence of the __VIEWSTATEENCRYPTED parameter in the request. This was identified by reviewing the .NET Framework source code [6]. Usage of this tool for attacking targets without prior mutual consent is illegal. Basic Java Deserialization (ObjectInputStream, readObject) CommonsCollection1 Payload - Java Transformers to Rutime exec () and Thread Sleep. Exploiting __VIEWSTATE knowing the secrets - HackTricks However, this project only supports a limited number of gadgets, and also requires the target box to have .NET Framework 3.5 or above installed. parameter is known, it can be used for the ASP.NET applications that use .NET Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. View state is part of the ASP Web Forms framework. viewstate documentation, tutorials, reviews, alternatives, versions, dependencies, community, and more @Rap In .NET 4.5 I cannot simply base64 decode it. I managed to use the TextFormattingRunProperties gadget in YSoSerial.Net to exploit that the MachineKey parameters are being generated dynamically at run time per Would be good if the tool could also show cookies and Session variables. figure 1). scanners should use a payload that causes a short delay on the server-side. When the __PREVIOUSPAGE parameter Viewstate parser. Since there is no publically available specification of how .NET viewstate is encoded, reverse engineering was based on prior work: https://github.com/mutantzombie/JavaScript-ViewState-Parser, http://viewstatedecoder.azurewebsites.net/, https://referencesource.microsoft.com/#System.Web/UI/ObjectStateFormatter.cs,45, https://msdn.microsoft.com/en-us/library/ms972976.aspx. section of the configuration files (web.config or machine.config) I like the fact that the The enterprise-enabled dynamic web vulnerability scanner. Although this is not ideal, it was tested on an outdated Windows 2003 box that had the following packages installed which is very common: It is also possible to send the __VIEWSTATE knowing the application path. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. The links to the article are appreciated too. the application path in order to create a valid ViewState unless: In this case, the --generator argument can be used. Cisco Bug IDs: CSCvc76634. You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. Decrypt the ViewState variable to show my encryption key works. By clicking Accept all cookies, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy. exists in the request with invalid data, the application does not deserialise [expand] Button All Rights Reserved. If the runtime sees a value it doesnt know about, it throws an exception.This parameter also contains serialized data. Get help and advice from our experts on all things Burp. With other decoders, I keep getting decoding errors. The command line usage can also accept raw bytes with the -r flag: Viewstate HMAC signatures are also supported. the defined Purpose strings Informacin detallada del sitio web y la empresa: belaval.com, +39471790174 Apartments belaval a s. Cristina - val gardena - dolomiti Or,Encrypt the contents of machine key so that a compromised web.config file wont reveal the values present inside the machineKey paramter. The other two answerers did the same thing and only posted the link. the __VIEWSTATE +1 Many Thanks!! openjdk HotspotOpenJDKEclipse OpenJ9JavaOpenJDKUnix GNU makeant . Is the God of a monotheism necessarily omnipotent? . When the __VIEWSTATEGENERATOR Save time/money. Before December 2013 when most of us did not know about the danger of remote code execution via deserialisation issues in ViewState, the main impacts of disabling the MAC validation were as follows (see [8]): At the time of writing this blog post, the following well This also means that changing the decryption key or its Now, lets see the execution of the code at runtime. could use trial and error to test all the directory names in the URL one by one This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. The ViewState is basically generated by the server and is sent back to the client in the form of a hidden form field _VIEWSTATE for POST action requests. enabled vulnerability with low and medium severity which shows the lack of Now right click on the page > View Source. A small Python 3.5+ library for decoding ASP.NET viewstate. Decode a Base64-encoded string; Convert a date and time to a different time zone; Parse a Teredo IPv6 address; Convert data from a hexdump, then decompress . My code is GPL licensed, can I issue a license to have my code be distributed in a specific MIT licensed project? However, embedding a stealthy backdoor on the application might be a good Viewstate is a method used in the ASP.NET framework to persist changes to a web form across postbacks. The difference between the phonemes /p/ and /b/ in Japanese. It is intended for use with Burp suite v2020.x or later. The following table shows However, as the ViewState do not use the MAC Find centralized, trusted content and collaborate around the technologies you use most. It should be noted that setting the EnableViewState The viewstate for this app seems to be encrypted however -- I can't decode with UTF-8 because it encounters invalid characters (see gibberish characters below), but if I decode with Latin-1 I get something along the lines of this: . Site map. Thanks for this answer, If this tells you that the serialized data is invalid, try. section with arbitrary keys and algorithms to stop other attackers! ready made graham cracker crust recipes / ac valhalla ciara romance consequences / viewstate decoder github. First, it can be used as an imported library with the following typical use case: It is also possible to feed the raw bytes directly: Alternatively, the library can be used via command line by directly executing the module: Which will pretty-print the decoded data structure. viewstate decoder github. Preferred browser would be chrome but could switch . parameter that might be in use to stop CSRF attacks. README.md. CASE 3: Target framework 4.0 (ViewState Mac is enabled): We can enable the ViewState MAC by making changes either in the specific page or the overall application. viewstate decoder github. ASP.NET ViewState Decoder Decode the ASP.NET ViewState strings and display in treeview format. viewstate-decoder.py. Its purpose is to persist the state of server controls . Use Git or checkout with SVN using the web URL. 2. https://github.com/pwntester/ysoserial.net, 3. https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/, 4. https://www.tutorialspoint.com/asp.net/asp.net_managing_state.htm, 5. https://odetocode.com/blogs/scott/archive/2006/03/20/asp-net-event-validation-and-invalid-callback-or-postback-argument.aspx, 6. https://blogs.objectsharp.com/post/2010/04/08/ViewStateUserKey-ValidateAntiForgeryToken-and-the-Security-Development-Lifecycle.aspx, void Page_Init (object sender, EventArgs e), <%@ Page Language="C#" AutoEventWireup="true" CodeFile="TestComment.aspx.cs" Inherits="TestComment" %>, public partial class TestComment : System.Web.UI.Page, protected void Page_Load(object sender, EventArgs e). Unit tests and code formatting tasks can be run with the builtin scripts: For PyPI releases, follow the build, check and upload scripts. encrypted ViewState parameters. In order to enable ViewState MAC for a specific page we need to make following changes on a specific aspx file: We can also do it for overall application by setting it on the web.config file as shown below: Now, lets say MAC has been enabled for ViewState and due to vulnerabilities like local file reads, XXE etc we get access to the web.config file with configurations like validation key and algorithm as shown above, we can make use of ysoserial.net and generate payloads by providing the validation key and algorithm as parameters. This extension is a tool that allows you to display ViewState of ASP.NET. Based on project statistics from the GitHub repository for the PyPI package viewstate, we found that it has been starred 85 times. Is it possible to create a concave light? will try to verify and publish it when I can. Burp Decoder - PortSwigger known web application scanners had rated the ASP.NET ViewState without MAC +1 Good Link to the Online View State Decoder simple to use and worked. It shows a tree view of the structure and provides an editor for viewing & editing the contents. Inputs: data: Single line of base64 encoded viewstate. Kudos to NCC Group and my colleagues for their support parameter in the URL via a GET request. This can be checked by sending a short random feel free to enlighten me by leaving me a comment or message me in Twitter; I This means that in the latest .NET Framework versions the decryption key and A small Python 3.5+ library for decoding ASP.NET viewstate. Is there a single-word adjective for "having exceptionally strong moral principles"? even when the viewStateEncryptionMode property has been set to Never. The following URL shows an Purchase HTTP Debugger, Free Web Tools to use Codespaces. whilst performing a major part of this research. However, that is not the case. ViewState(ViewStateDecoder)-ViewState(ViewStateDecoder) So at the time, when the request is received by the server, the view state value is already encoded or hashed. Although some of us might believe that "the ViewState MAC can no longer be disabled" , it is still . ASP.NET has various serializing and deserializing libraries known as formatters, which serializes and deserializes objects to byte-stream and vice-versa like ObjectStateFormatter, LOSFormatter, BinaryFormatter etc. Accelerate penetration testing - find more bugs, more quickly. Here, we have created a single page web application which will simply accept user input in a text area and display it on the same page on a button click. You can also download them from here, for offline installation into Burp. This post has been nominated in the pwnie for most under-hyped research category in 2019 pwnie awards [30]! Since there is no publically available specification of how .NET viewstate is encoded, reverse engineering was based on prior work: Any official documents would be gladly accepted to help improve the parsing logic. Is there a tool or a website exist that can help viewing the contents of viewstate? The following comment was also found in the code: DevDiv #461378: EnableViewStateMac=false can lead to remote code execution [7]. Post author By ; Post date . The Viewstate decoder accepts Base64 encoded .NET viewstate data and returns the decoded output in the form of plain Python objects. Encoder-Decoder (LSTM-LSTM) Network-Based Prediction Model for Trend elclandeloscolgados.com Informacin detallada del sitio web y la empresa In the past, it was possible to disable the MAC validation simply by setting the enableViewStateMac property to False.Microsoft released a patch in September 2014 to enforce the MAC validation by ignoring this property in all versions of .NET Framework. YSoSerial.Net, the target ASP.NET page always responds with an error even when a 10-second delay: The above code could be executed using the ActivitySurrogateSelector gadget of YSoSerial.Net. Framework version 4.0 or below; and, An ASP.NET page that accepts input parameters, A valid input parameter name. Developer's common vision of a ViewState is a large hidden HTML field (see. viewstate - ASP.NET View State Decoder. Any disclosed validation or decryption keys need to be Right-click the data in the message editor and select Send to Decoder. Not the answer you're looking for? Exploiting Deserialisation in ASP.NET via ViewState g-trapper.com Informacin detallada del sitio web y la empresa Quick python script to decode ASP.NET ViewState . It was then possible to use the YSoSerial.Net project [12] to create the LosFormatter class payloads. parameter can be empty in the request when exploiting the __EVENTVALIDATION parameter but it needs to exist. + ClientID + __hidden, P3 in P1|P2|P3|P4 in argument. I would like to thank Subodh Pandey for contributing to this blog post and the study without which I could not have had an in-depth insight on this topic. Hi All, Welcome to the new blog post on .NET ViewState deserialization. extract_java_server_faces_viewstate.py GitHub - Gist That wasn't true when I wrote my comment 16 months ago, but it is now. Do not hard-code the decryption and validation keys in web.config file. ViewState has been hidden in Burp suite since v2020.3. Are you sure you want to create this branch? Community. Now click the button. Go to the Decoder tab. Informacin detallada del sitio web y la empresa: g-trapper.com G-Trapper & Partners - Eventi Pellegrinaggi e Allestimenti I need to copy & paste the viewstate string and see what's inside. No key is needed. The ASP.NET View State Decoder | LaptrinhX The ObjectStateFormatter class [2] performs the signing, encryption, and verification tasks. Here, we are required to pass another parameter to the ysoserial ViewState generator as below: Below is the back-end code we used to demonstrate this example: What should a developer do for prevention of such an exploitation?1. How to use Slater Type Orbitals as a basis functions in matrix method correctly? [1] https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter, [2] https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.objectstateformatter, [3] https://devblogs.microsoft.com/aspnet/farewell-enableviewstatemac/, [4] https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET, [5] https://docs.microsoft.com/en-us/previous-versions/aspnet/hh975440(v=vs.120), [6] https://github.com/Microsoft/referencesource/blob/master/System.Web/Util/AppSettings.cs#L59, [7] https://github.com/Microsoft/referencesource/blob/master/System.Web/UI/Page.cs#L4034, [8] https://www.troyhunt.com/understanding-and-testing-for-view/, [9] https://portswigger.net/kb/issues/00400600_asp-net-viewstate-without-mac-enabled, [10] https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/viewstate-mac-disabled/, [11] https://www.acunetix.com/vulnerabilities/web/view-state-mac-disabled/, [12] https://github.com/pwntester/ysoserial.net/, [13] https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.machinekeysection, [14] https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.machinekeysection.compatibilitymode, [15] https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control.templatesourcedirectory, [16] https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/ms972969(v=msdn.10), [17] https://software-security.sans.org/developer-how-to/developer-guide-csrf, [18] https://github.com/pwntester/ysoserial.net/tree/master/ysoserial/Plugins/ViewStatePlugin.cs, [19] https://github.com/pwntester/ysoserial.net/tree/v2/ysoserial/Plugins/ViewStatePlugin.cs, [20] https://docs.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/understanding-sites-applications-and-virtual-directories-on-iis, [21] https://github.com/nccgroup/VulnerableDotNetHTTPRemoting/tree/master/ysoserial.net-v2, [22] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/, [23] https://www.slideshare.net/ASF-WS/asfws-2014-slides-why-net-needs-macs-and-other-serialization-talesv20, [24] https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf, [25] https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2905247, [26] https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf, [27] https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization, [28] https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints?slide=54, [29] https://vimeopro.com/user18478112/canvas/video/260982761, [30] https://web.archive.org/web/20190803165724/https://pwnies.com/nominations/, Danger of Stealing Auto Generated .NET Machine Keys, IIS Application vs. Folder Detection During Blackbox Testing, https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter, https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.objectstateformatter, https://devblogs.microsoft.com/aspnet/farewell-enableviewstatemac/, https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET, https://docs.microsoft.com/en-us/previous-versions/aspnet/hh975440(v=vs.120), https://github.com/Microsoft/referencesource/blob/master/System.Web/Util/AppSettings.cs#L59, https://github.com/Microsoft/referencesource/blob/master/System.Web/UI/Page.cs#L4034, https://www.troyhunt.com/understanding-and-testing-for-view/, https://portswigger.net/kb/issues/00400600_asp-net-viewstate-without-mac-enabled, https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/viewstate-mac-disabled/, https://www.acunetix.com/vulnerabilities/web/view-state-mac-disabled/, https://github.com/pwntester/ysoserial.net/, https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.machinekeysection, https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.machinekeysection.compatibilitymode, https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control.templatesourcedirectory, https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/ms972969(v=msdn.10), https://software-security.sans.org/developer-how-to/developer-guide-csrf, https://github.com/pwntester/ysoserial.net/tree/master/ysoserial/Plugins/ViewStatePlugin.cs, https://github.com/pwntester/ysoserial.net/tree/v2/ysoserial/Plugins/ViewStatePlugin.cs, https://docs.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/understanding-sites-applications-and-virtual-directories-on-iis, https://github.com/nccgroup/VulnerableDotNetHTTPRemoting/tree/master/ysoserial.net-v2, https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/, https://www.slideshare.net/ASF-WS/asfws-2014-slides-why-net-needs-macs-and-other-serialization-talesv20, https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf, https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2905247, https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf, https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization, https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints?slide=54, https://vimeopro.com/user18478112/canvas/video/260982761, https://web.archive.org/web/20190803165724/https://pwnies.com/nominations/.