Hacking Unity Games with Malicious GameObjects

The Unity game engine provides various means for getting external assets into a game, such as AssetBundles, for adding assets at runtime and the Asset Store, for purchasing third-party assets.

It’s possible for a GameObject to execute arbitrary code using no custom scripts, only components that are available by default in Unity. If the game uses Bolt or another visual scripting system, there are even more paths to code execution. In this blog I will cover how a malicious GameObject might get into a game, two specific methods I’m aware of for the GameObject to execute code, and possible ways to mitigate the risk.

Announcing RTSPhuzz — An RTSP Server Fuzzer

There are many ways software is tested for faults, some of those faults end up originating from exploitable memory corruption situations and are labeled vulnerabilities. One popular method used to identify these types of faults in software is runtime fuzzing. When developing servers that implement an RFC defined protocol, dynamically mutating the inputs and messages … Read more

Introducing: SafeURL – A set of SSRF Protection Libraries

At Include Security, we believe that a reactive approach to security can fall short when it’s not backed by proactive roots. We see new offensive tools for pen-testing and vulnerability analysis being created and released all the time. In regards to SSRF vulnerabilities, we saw an opportunity to release code for developers to assist in … Read more