Whatever bug class you’re testing, you always have a variety of tricks or bypasses that you try. Sometimes they work, sometimes they don’t, and you rarely know why they do. That’s why I love research with a fact-based approach that says which tricks actually work and...
#79
Splitting the email atom: exploiting parsers to bypass access controls
Gareth Heyes took a closer look at the email format specification. We saw a great talk about emails a few years ago by Inti, so I knew parsing emails isn’t straightforward, but I didn’t realise it was that complex. Gareth found a variety of ways to change the encoding...
Listen to the whispers: web timing attacks that actually work
Timing attacks are something I’ve been aware of for a long time, yet I haven’t utilised them much. But this year, James Kettle’s research reveals techniques for timing attacks that allow us to detect timing differences as small as 200μs, which we can utilise in a wide range...
Encoding Differentials: Why Charset Matters
Have you ever paid attention to whether the Content-Type header has the charset in it or not? I certainly haven’t. Turns out that the lack of charset may very well lead to an XSS. And it’s not a crazy, impossible edge case. It’s a reasonably likely attack scenario...
A tool for domain bitflips and typosquats
A bitflip is a situation where a single bit flips and, for example, google[.]com becomes coogle[.]com or woogle[.]com. Turns out this isn’t that rare, and if you register a domain like this, you will receive a lot of traffic. This topic has been research material for...
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
Orange Tsai took a “glance” at Apache HTTP Server, which resulted in 9 CVEs:
CVE-2024-38472 - Apache HTTP Server on Windows UNC SSRF
CVE-2024-39573 - Apache HTTP Server proxy encoding problem
CVE-2024-38477 - Apache HTTP Server: Crash resulting in Denial of...
The 3 biggest lessons from my first LHE
I was a participant in the h1-702 Live Hacking Event in Las Vegas, and it was an unforgettable experience! This one week profoundly changed the way I see bug bounty. In this article, I’ll describe my biggest lessons from the LHE. Of course, most technical things...