s0md3v shared a bunch of ways in which he bypassed the ModSecurity WAF. I always learn new quirks from these articles. For example, did you know that on Linux you can access a file through a shell glob character class, so that /e[t]c/passwd is expanded by the shell to /etc/passwd and the literal string a signature rule looks for never appears in the request? https://s0md3v.github.io/blog/modsecurity-rce-bypass
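As an added illustration (this is not code from the newsletter or from s0md3v's post), the script below shows why the character-class trick matters: a literal-string rule blocks `cat /etc/passwd`, but the shell expands `/e[t]c/pass?d` to the same path after the check has already passed. The `waf_blocks` rule, the `attempt` helper and the temporary directory standing in for `/etc` are assumptions of this example; the file content is constructed so nothing real is read.

```shell
#!/bin/sh
# Added example, not code from the newsletter or from s0md3v's post.
# Shows that a glob character class such as [t] names the same file as the
# literal path, because the shell expands it before the command runs.

# Constructed stand-in for /etc so the demo never touches the real file.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/etc"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$DEMO_ROOT/etc/passwd"

# Hypothetical signature rule modelled on a literal-match WAF check:
# returns 0 (blocked) when the payload contains "/etc/passwd", 1 otherwise.
waf_blocks() {
  case "$1" in
    */etc/passwd*) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs the payload the way a vulnerable `sh -c "$cmd"` sink would, so the
# inner shell performs glob expansion on the argument.
run_payload() {
  sh -c "$1"
}

# Three spellings of the same command. Only the first contains the literal
# string the rule matches; the others rely on a character class and a
# single-character wildcard that the shell resolves at execution time.
LITERAL="cat $DEMO_ROOT/etc/passwd"
CLASS="cat $DEMO_ROOT/e[t]c/passwd"
CLASS_AND_WILDCARD="cat $DEMO_ROOT/e[s-u]c/pass?d"

# Returns "blocked" if the rule fires, otherwise the command's output.
attempt() {
  if waf_blocks "$1"; then
    echo blocked
  else
    run_payload "$1"
  fi
}

attempt "$LITERAL"
attempt "$CLASS"
attempt "$CLASS_AND_WILDCARD"
```

The point for a defender is that matching on the literal path is not enough when the sink is a shell: any rule has to reason about what the shell will expand, or the input has to be rejected before it reaches a shell at all.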
#37
Bypassing AWS SNS webhook verification
In this blog post, Spaceraccoon describes how he was able to forge arbitrary signatures for AWS’s SNS webhook service. Interestingly, there was literally only one S3 bucket that he had to use to perform this attack, and it turned out to be a publicly...
Escalating an unauthenticated, cookie-based XSS
Bartłomiej Bergier shared a nice writeup about finding and exploiting an XSS in an authentication cookie. In short, the road to success consisted of: finding a way to host an HTML file on the target’s subdomain; creating a payload for an unauthenticated XSS because, as...
Bypassing server-side XSS sanitizers
A few issues ago, we talked about bypassing client-side HTML sanitizers in the context of XSS. Today, we’ll do the same for server-side HTML sanitizers. Unfortunately, I had to redact some details from the draft article because the steps taken here led...
$100k in bounties and GitLab TOP4 in 16 months
We all have some people in bug bounty that we look up to. It’s often people who have been in the industry pretty much since the beginning and were doing web security even before bug bounty became a thing. There’s always a catch that they started in different times -...
Pause-based desync attacks explained
The last video on my channel is about the CL.0 client-side desync attack. I’m not gonna be artificially modest - I think the video is great and I’m sure that had I seen it first, I would have understood the client-side desync much quicker. It’s because from all my...