Finding criticals is hard. Often, you can only target some users, need user interaction, or the impact isn't that high. However, there's one man who has no problem finding criticals. It's Alex Chapman, and I spoke with him in the recent episode of the podcast to...
#77 How to exploit Android deeplinks
Mobile hacking has been, and still is, perceived as a niche within bug bounty. If that’s something you’d like to go into, make sure to pay attention to how deeplinks can be exploited, and also to what to look for when you check WebView-related functionality. To learn about...
Hacking Millions of Modems (and Investigating Who Hacked Sam’s Modem)
Sam Curry wrote an interesting story that started with someone replaying his local HTTP requests and ended with him finding a bug that allowed him to control thousands of routers. https://samcurry.net/hacking-millions-of-modems
SignSaboteur: forge signed web tokens with ease
Zakhar Fedotkin released a Burp plugin that aids in forging signed web tokens. It's not only about JWTs, which are pretty easy to forge, but also about technology-specific cookies from frameworks like Django, Flask or Express...
OAuth secrets – my NahamCon talk
My talk “OAuth secrets” from NahamCon, as well as many other talks, is published on YouTube. The OAuth attacks from the talk are something you must be familiar with these days, so make sure to watch it. If you’re a BBRE Premium member and read the issues from the...
.js Files Are Your Friends | @zseano
JS files are a goldmine of information, but working with them isn’t easy. In his NahamCon talk, zseano shows us his approach to JS files. Watch the full talk here or continue reading my notes.
Endpoints in JS files
These days it’s very common to use client-side JS code...
Things you wish you didn’t need to know about S3
If you thought you knew S3 buckets, I think you are underestimating them. In this article, Daniel Grzelak shows a lot of S3-related tricks I had no idea about. For example, when uploading an object, you can specify the file’s location in metadata, which will give you an...
OAuth #4 – exchanging the code
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth, and I now see many more attack scenarios. In this multi-part series,...