OSV-Scanner is Google’s tool to find existing vulnerabilities affecting dependencies. I think it’s a good addition to your SSDLC. https://github.com/google/osv-scanner
#45
4-part series about hacking GitHub Actions workflows
If I were to predict what attacks will grow in popularity in 2023, I would bet on attacks against different kinds of software development pipelines. They are getting more automated and do more things by themselves, which opens more possibilities for nice attacks....
What advice would top hackers give to beginners?
NahamSec asked an excellent question on Twitter recently. Here are some of the responses that I resonate with: https://twitter.com/NahamSec/status/1605592932458778625
Finding bugs by reading RFCs
Every hacker has a different hacking style. Some of them are absolutely fascinating to me like the hacking style of Inti. He likes to simply read the docs or RFCs and do the research. It almost sounds too stupid to work but his findings prove it does. In his recent...
Why copy&paste XSSes work and an interesting regex bypass
In my recent XSS case study, there were 3 copy & paste XSSes. While I was familiar with the general underlying mechanism, I didn’t know exactly how it works under the hood. This article by spaceraccoonsec describes those mechanisms in a writeup of a bug in Zoom....
DOs and DON’Ts I would tell my younger self before starting bug bounty
Every journey consists of good and bad things. While it’s impossible to just follow other people, it’s wise to learn from their stories. In this article, I’ll write a few things that would benefit me had I heard them a few years ago. I’m sure you will find here...
$1 mln bounty in the Aurora blockchain for a missing input sanitisation bug
Bugs in the Web3 world are quite insane, and so are the bounties! In the last video, we covered the vulnerability in Aurora that allowed taking money from anyone's wallet without any interaction from them. https://youtu.be/Ol62FnY6mw8
4 scenarios where you can still find CSRFs in 2023
I’ll admit I was mistaken about the impact of SameSite cookies on CSRFs. I thought that once browsers started defaulting to SameSite=Lax, CSRFs would vanish. Surely, the number of CSRFs is decreasing, but by no means have they vanished. In this article, I’ll show you...