#63

Content-Type shenanigans

Parsing of the Content-Type header isn’t straightforward at all, yet it can be crucial for some bug classes. Mathias Karlsson published a nice writeup where he described some techniques we can use when we control a suffix of this response header....

GraphQL wordlists

The team from Escape did great work extracting words from over 60,000 GraphQL schemas and compiled wordlists that we can all reliably use for brute-forcing GraphQL. They are divided into separate categories for different contexts like queryField or argument....

EJS Vulnerabilities

As you know, I’m a big fan of CTFs. I think we can learn a great deal from them. At the very least, they give us a lot of cool writeups. In this one, for example, Huli described a way to turn code that looks secure at first into an RCE. The reason is that, in...

Shortcuts that speed up my hacking every day

Using shortcuts makes you more efficient in any job and hacking is no exception. Small gains here and there save you hours in the long run and simply allow you to find more bugs in the same amount of time. Moreover, I know it’s not 100% accurate but I have to admit...

XSS exploits made easy (and super cool)

When somebody asked me about the real impact of an XSS, I used to say that the attacker can generally do exactly the same things as the victim. It was true - in theory, I could create a JS payload that would give me exact access to what the user is doing. The...