I don’t know about you, but when I see bounties of $100k, $500k or a million bucks, I can’t help thinking about learning smart contract hacking. However, now is not the time for me - I want to stabilise a bit with the web stuff before jumping to something...
#20
Cloud Security Breaches and Vulnerabilities: 2021 in Review
Cloud is a constantly evolving topic and the demand for security grows along with it. If you want to know what was happening in this field in 2021, check out this article by christophetd. You can read about last year’s trends, biggest fuckups and, importantly, preventing...
Community vote launched for Top 10 web hacking techniques of 2021
The community vote is live for the top 10 web hacking techniques of 2021! There are tons of mind-blowing writeups there. Some of them, of course, were covered here or on my YouTube. Out of those nominated bugs, we - the community - now choose the top 15, out of which the...
Web Cache Poisoning – part 2 – examples
In the last issue, we discussed the basics of web cache poisoning. Today, we’ll jump straight to the practice and see how people are making money and getting CVEs with this bug class. You should be familiar with the cache poisoning attack idea before jumping to this...
Tricks used to find SSRFs in Websphere Portal
There’s a great writeup on the Assetnote blog about SSRFs. I read the whole blog post and I encourage you to do the same, because we can learn a ton from hackers like Shubs. However, in case you don’t have the time, I extracted a few tricks from the article. To find the...
10 address bypass tricks
Address validations are everywhere in web security. Improper implementations can lead to SSRFs, RCEs, postMessage bugs or CORS misconfigurations to name a few. Luckily for us, it’s extremely complex and developers often make mistakes here. Here are 10 tricks you can...