Log4j Lookups in Depth // Log4Shell CVE-2021-44228 - Part 2

Subscribers: 920,000
Video Link: https://www.youtube.com/watch?v=iI9Dz3zN4d8
Category: Vlog
Duration: 16:07
67,251 views
3,230


In this video we dig a layer deeper into Log4j. We get a quick overview of how Log4j parses lookup strings and find the functions used in WAF bypasses. Then we bridge the gap to format string vulnerabilities and figure out why the noLookups mitigation has flaws.

Part 1 - Hackers vs. Developers // CVE-2021-44228 Log4Shell: https://www.youtube.com/watch?v=w2F67LbEtnk

My lamest GitHub repo ever: https://github.com/LiveOverflow/log4shell

--

00:00 - Intro
00:38 - Chapter #1: Log4j Lookups in Depth Debugging
03:50 - Log Layout Formatters
06:56 - Chapter #2: Secure Software Design
09:21 - Chapter #3: Format String Vulnerabilities
13:58 - Chapter #4: noLookups Mitigation
15:15 - Final Words
15:42 - Outro

-=[ ❤️ Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

Tags:
Live Overflow
liveoverflow
hacking tutorial
how to hack
exploit tutorial
log4j
log4shell
java logging
logger
object serialization
java deserialization
serialisation
remote class loading
jndi
java
jvm
enterprise java
upgrade
update
cve-2021-44228
CVE
walkthrough
exploit walkthrough
in-depth
minecraft
blog
writeup
vulnerability
maven
rmi
ldap
ldap server
ldaps
${java:ldap://liveoverflow.com}
zero day
log4j rce
log4shell demo
exploit demo
internals
debugging
intellij