#58

Practical cache key injection

I have not seen any public writeups about cache key injection. The only mentions I’ve found are the two examples from James Kettle in the original article. However, those bugs were in the CDN providers, not in the applications. Googling cache key injection only yields...

Applying a growth mindset in bug bounty

One of the main things that differentiates pentesting from bug bounty is the importance of mindset. What you are looking for is the so-called growth mindset. Without it, you will not succeed in bug bounty over the long term while keeping a healthy mind. Recently, Andrew...

An interesting behaviour of nonce-based CSPs

This story of escalating an XSS at a live hacking event is really good and holds the tension better than many Netflix series, with the event clock running out quickly. What was interesting to me was this trick with nonce-based scripts. When the website already has some...

SQL injection despite using prepared statements

Our main recommendation for developers to avoid SQL injection is to use prepared statements, ORMs or similar. However, merely using them is not a guarantee of being secure; they must be used properly. In this post on the Sonarsource blog, researchers describe an SQL...

Encrypted Doesn’t Mean Authenticated: ShareFile RCE

A lot of you ask me how to learn code review. One of the best things you can do is to read all the blogposts on Assetnote and ask yourself “would I do the same in this situation?”. This time, Dylan Pindur described an RCE. However, the most time-consuming part was not...

Hunting for Nginx Alias Traversals in the wild

The off-by-slash vulnerability in nginx has been with us for many years. However, it turns out that you can still find old bugs like this in open-source projects by scanning GitHub. In this blog post Daniel Matsumoto describes how, even in 2023, he was still able to find this...