Today I learnt about log4J vulnerability:
log4J is a powerful library and that's why its used by most companies like;Cisco,Apple,Android e.t.c.
A hacker can do a Remote Code Execution and gain control of the server.And that strings of the vulnerability in placed through an app,good thing being it is not limited,it works on all the operating systems.The string is put in a card ID,as part of your track data.
CVSS 10 is easy to exploit.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1651992285376/i10YdJ1ic.png" alt="show.png" /><a target="_blank" href="Link">Text</a>
N/B:People don't log passwords just user name.
Different things to checkout:
a)Message Lookup substitution.
b)WAF(Web Application Firewall),you will see they can also be easily bypassed.
c)A command:log4J-shell-poc/(look in the GitHub)
d)Static Application Security Testing(SAST)


Today I learnt about log4J vulnerability:
log4J is a powerful library and that's why its used by most companies like;Cisco,Apple,Android e.t.c.
A hacker can do a Remote Code Execution and gain control of the server.And that strings of the vulnerability in placed through an app,good thing being it is not limited,it works on all the operating systems.The string is put in a card ID,as part of your track data.
CVSS 10 is easy to exploit.

![show.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1651992285376/i10YdJ1ic.png align="left")[Text](Link)

N/B:People don't log passwords just user name.
Different things to checkout:
a)Message Lookup substitution.
b)WAF(Web Application Firewall),you will see they can also be easily bypassed.
c)A command:log4J-shell-poc/(look in the GitHub)
d)Static Application Security Testing(SAST)



Bluehook's blog

Bluehook's blog

Log4j Vulnerability

Table of contents

No headings in the article.