Hacking Techniques

npm search RCE – Escape Sequence Injection

The bugs in this blog post are very interesting. In short, the author uses escape sequences to execute a terminal command while only controlling the command’s output. I’ve read it a few times and I still don’t understand 100% how it works. I think it might also...

Top 10 web hacking techniques of 2023

PortSwigger's yearly Top 10 hacking techniques is a collection of the top writeups of the year. I make sure to read all the articles from the top 10, but I also don't forget about the nominations list - I try to read the most interesting ones from there, too....

37C3 – Breaking “DRM” in Polish trains

This talk isn’t about bug bounty. It isn’t even about the web. But it’s such a cool hacking story. In short, suspiciously, some trains in Poland were not working properly and the company that was using them hired hackers from the Dragon Sector CTF team. They reversed...

Content-Type shenanigans

Parsing of the Content-Type header isn’t straightforward at all, yet it can be crucial for some bug classes. Mathias Karlsson published a nice writeup where he described some techniques we can use when we control a suffix of this response header....

Even more ways to bypass URL validation

While I was reading this tweet from Justin Gardner about leaking OAuth codes, I found a cool research paper in a reply by SickSec. The paper was about URL validations and I didn’t think I would find something new. But I have. For example, these two bypasses I wasn’t...