Chetan Conikee conikeec

# Preparatory Steps (Only needs to be done once!)
-------------------------------------------------
1. Install Java
-----------
(MAC) https://tejaksha-k.medium.com/a-step-by-step-guide-to-installing-java-on-macos-5188bfdf99d7
(WIN) https://www.java.com/download/ie_manual.jsp
2. Install Maven
-----------
Imagine you have an online store that's built using the Java programming language. Your developers used a popular library called Jackson to handle customer data, like names and addresses. Jackson is usually safe, but it has a hidden danger - under certain settings, hackers can sneak in malicious code along with regular customer information. If you're not careful, that hacker code will run on your servers, letting criminals take over your whole website!
Here's the scary part - turning on this dangerous setting is as easy as adding one line of code to your Java application. It's called "enableDefaultTyping" and it tells Jackson to accept any kind of data, even if it might be dangerous. A lot of other Java applications use Jackson too, and many of them had this risky setting turned on without realizing it.
If hackers successfully exploit this flaw in your online store, they could do all sorts of nasty things - steal your customers' private information, vandalize your website, or even use your servers to attack
## Build the project
# spin up a shell prompt
git clone https://github.com/conikeec/jackspoilt.git
cd jackspoilt
# compile and package
mvn clean package
# verify whether gadgets are available to exploit (see the blog)
{
"public_identifier": "conikee",
"profile_pic_url": "https://s3.us-west-000.backblazeb2.com/proxycurl/person/conikee/profile?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=0004d7f56a0400b0000000001%2F20240319%2Fus-west-000%2Fs3%2Faws4_request&X-Amz-Date=20240319T185441Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=cf3cf67132f6d8abba1f6bfba67f9bc24db6986b4e117f1993b1c588de3b1775",
"background_cover_image_url": null,
"first_name": "Chetan",
"last_name": "Conikee",
"full_name": "Chetan Conikee",
"follower_count": 1618,
"occupation": "Founder and CTO at Qwiet",
"headline": "Founder and Chief Technology Officer at Qwiet.ai, Seed Investor",
@conikeec
conikeec / EsperUtil.scala
Created February 12, 2012 08:06 — forked from wangzaixiang/EsperUtil.scala
Using Esper with Scala
package demo1
import com.espertech.esper.client.EventBean
import com.espertech.esper.client.EPAdministrator
import com.espertech.esper.client.UpdateListener
import com.espertech.esper.client.EPListenable
import com.espertech.esper.client.EPServiceProvider
object EsperUtil {
@conikeec
conikeec / gist:d5cfdaa40a9625a3ad63c7c4ff2e48e2
Last active June 12, 2021 17:21
Kafka Install script
# KAFKA INSTALLER:
# downloads, un-tars, moves to $HOME/local, symlinks from full versioned name
# to kafka, exports into path in `.zshrc`, and then starts
# zookeeper and kafka server
brew install sbt # ensure sbt is installed first!
# current kafka for scala 2.12: http://apache.claz.org/kafka/0.10.2.0/kafka_2.12-0.10.2.0.tgz
SCALA_VERSION="2.12"
@conikeec
conikeec / KafkaEmbedded.scala
Created May 10, 2012 03:19 — forked from mardambey/KafkaEmbedded.scala
Embedded Kafka broker / producer / simple consumer in a single process useful for testing or for persistent queues.
import java.util.Properties
import kafka.server.KafkaServer
import kafka.server.KafkaConfig
import kafka.producer.ProducerConfig
import kafka.producer.Producer
import kafka.message.Message
import kafka.producer.ProducerData
import kafka.consumer.ConsumerConfig
import kafka.consumer.Consumer
import kafka.utils.Utils
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
class DocumentBuilder {
static Document getDocument(String content) {
@conikeec
conikeec / Roslyn.cs
Created January 3, 2021 06:09
Roslyn based metaprogram
public static Assembly Compile(string[] sources, bool isDebug, string tempDir, params AssemblyName[] referencedAssemblies)
{
var assemblyFileName = tempDir + "gen" + Guid.NewGuid().ToString().Replace("-", "") + ".dll";
var assemblyPath = Path.GetFullPath(assemblyFileName);
var compilation = Compilation.Create(assemblyFileName,
new CompilationOptions(OutputKind.DynamicallyLinkedLibrary))
.AddSyntaxTrees(from source in sources
select SyntaxTree.ParseCompilationUnit(source))
.AddReferences(from ass in referencedAssemblies
@conikeec
conikeec / CodeDom.cs
Created January 3, 2021 06:07
Example of a CodeDom (predates Roslyn) based meta program
public static Assembly Compile(string[] sources, bool isDebug, string tempDir, params AssemblyName[] referencedAssemblies)
{
var codeProvider = new CSharpCodeProvider(new Dictionary<string, string> {{"CompilerVersion", "v4.0"}});
var assemblyReferences = new[]
{
"System.dll",
"System.Core.dll",
"mscorlib.dll"
}