RCE – Really Crap Encryption

In December 2022, we completed a web application security assessment for a client who wanted assurance that their newly developed application was ready for production. The application allowed users to upload documents, rename files and create directories, basically acting as a web-based file explorer. For us as penetration testers, file upload functionality always raises alarm bells, as it’s deceptively difficult to implement securely.