Parsing of the Content-Type header isn’t straightforward at all, yet it can be crucial for some bug classes. Mathias Karlsson published a nice writeup where he described some techniques we can use when we control a suffix of this response header....
#63
mTLS When Certificate Authentication Done Wrong
I remember the first time I was about to test the mTLS authentication. I had no idea what to do! I wish back then there was a talk like this one, by Michael Stepankin, about some bugs that can occur in the mTLS authentication mechanism. I watched it and now I...
GraphQL wordlists
The team from Escape did great work extracting words from over 60,000 GraphQL schemas and compiled wordlists that we can all reliably use for brute-forcing GraphQL. It’s divided into separate categories for different contexts like queryField or argument....
EJS Vulnerabilities
As you know, I’m a big fan of CTFs. I think we can learn a great deal from them. At the very least, they give us a lot of cool writeups. In this one, for example, Huli described a way to turn this, at first, secure-looking code into an RCE. The reason is that, in...
Shortcuts that speed up my hacking every day
Using shortcuts makes you more efficient in any job and hacking is no exception. Small gains here and there save you hours in the long run and simply allow you to find more bugs in the same amount of time. Moreover, I know it’s not 100% accurate but I have to admit...
XSS exploits made easy (and super cool)
When somebody would ask me about the real impact of an XSS, I used to say that the attacker can generally do exactly the same things as the victim. It was true - in theory, I could create a JS payload that would give me exact access to what the user is doing. The...
The true potential of web race conditions
For a long time, we were thinking of race conditions as bugs like reusing a promo code multiple times or something related to the checkout functionality. When testing any website with purchasing, I’ve tried these things but honestly, I don’t think it ever worked. I...