Mobile bug bounty always seemed like an area that was presented as a niche or an opportunity in the bug bounty world. Yet, personally, I never really spent much time on it. One reason was that I assumed many bugs would require an app to be installed on the victim’s...
Articles by Issue
GraphQL Case Study – there’s so much more than IDORs!
If your GraphQL testing ends with introspection queries and basic ID swapping, you’re missing out on a lot of impactful bugs. GraphQL APIs can open doors to vulnerabilities ranging from SQL injections and CSRF attacks to subtle caching issues, tricky race conditions,...
XXE Case Study
XXE is a very curious bug class for me because I don’t find it often. When I say I don't find it often, I actually mean that the last time I came across one was during a pentest four years ago. So I wanted to figure out whether they’ve just become rare, or if I'm...
Inside the FBI’s Secret Encrypted Phone Company ‘Anom’ – Joseph Cox
While I try to keep the content of the newsletter relevant for bug bounty, long-time subscribers know that I won’t resist sharing a cool cybersecurity story once in a while. And here’s one about the FBI conducting a massive, worldwide phone surveillance operation....
DoubleClickjacking: A new era of UI redressing?
A few weeks ago, I discovered what a cross-window forgery is. If you're unfamiliar with it, it'll be covered in next week's podcast. It's one of the methods used to exploit one-click confirmation screens, such as OAuth consent screens. Yet today, I...
Server-Side Prototype Pollution gadget collection
In hacking, there are certain things that I enjoy doing and certain things that I don’t. Looking for SSPP gadgets certainly belongs to the latter category. Luckily for me, the Language-Based Security group at KTH Royal Institute of Technology started collecting them...
Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal
Maxence Schmitt is back with another article about client-side path traversals. This time about constructing JSON payloads that can be interpreted as PDFs by the backend. The trick I liked the most is the one with bypassing the Unix file command. By default, it uses a...
Signature Verification Bypass in Nuclei
Due to a different definition of what a line ending is, it was possible to bypass a signature verification in Nuclei by using \r as a line separator within a comment. The injected content was processed as part of the YAML template but not used for the signature...
Top Ten (New) Web Hacking Techniques of 2024 voting open
There's an annual vote for PortSwigger's top 10 research techniques. As always, I discover some blog posts that I've missed throughout the year, and it'll take me weeks to read through all of them. Make sure to cast your vote now!...
SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
One of the fascinating techniques I overlooked this year but discovered on PortSwigger’s Top 10 nominations list was this talk about SQL injection at the protocol level. This research not only presents cool bugs but also techniques applicable to various attack...