There's an annual vote for PortSwigger's top 10 web hacking techniques. As always, I discover some blog posts that I missed throughout the year, and it'll take me weeks to read through all of them. Make sure to cast your vote now!...
Hacking Techniques
WorstFit: Unveiling Hidden Transformers in Windows ANSI!
The DEVCORE team published excellent research describing Windows’ best-fit algorithm, which substitutes characters that fall outside a given charset with the closest available character. Among many other examples, this results in a Yen character being mapped to a backslash, which, as you can likely imagine, is...
Predictable Patterns & PII Leakages: Using AI to mass leak data
Insufficiently random tokens are a bug class that I’m slightly upset about. I’m upset about it because I feel that a lot of the tokens we receive when, for example, resetting passwords aren’t really that random, yet their structure makes them hard to predict without...
Breaking the most popular Web Application Firewalls in the market
This blog post covers WAF bypasses for XSS and SQLi in as many as 16 different providers! It is definitely the place to go if you’re up against a WAF. https://nzt-48.org/breaking-the-most-popular-wafs
Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE
And if you are in the mood for some browser hacking, check out this writeup by Renwa. It’s about the Arc browser, software I had never heard of, but it pays up to $20,000. It’s Chromium-based, but it did expose some custom endpoints to install extensions...
HeroCTF v6 Writeups
Kévin Mizu’s blog is always a quality read when it comes to CTF writeups. In this one, he describes three challenges from HeroCTF. The one I think is most likely to become useful is the second, which describes how client-side caching works and how it can be...
Splitting the email atom: exploiting parsers to bypass access controls
Gareth Heyes took a closer look at the email format specification. We saw a great talk about emails a few years ago by Inti, so I knew parsing emails isn’t straightforward, but I didn’t realise it’s that complex. Gareth found a variety of ways to change the encoding...
Hacking Millions of Modems (and Investigating Who Hacked Sam’s Modem)
Sam Curry wrote an interesting story that started with someone replaying his local HTTP requests and ended with him finding a bug that allowed him to control thousands of routers. https://samcurry.net/hacking-millions-of-modems
npm search RCE – Escape Sequence Injection
The bugs in this blog post are very interesting. In short, the author uses terminal escape sequences to execute a command while controlling only the command’s output. I’ve read it a few times and I still don’t understand 100% how it works. I think it might also...
You can not simply publicly access private secure links, can you?
Whenever I’m sharing something via a URL, I wonder whether it will get indexed by URL analysis tools, thus becoming public to anyone. Unfortunately, from this blog post we can learn that there’s a great chance it will. It’s quite hard to say which tool...