This blog post by Assetnote describes how a weird behaviour of a firewall that resolves non-existing domains to random IP addresses can be exploited to achieve basically the same impact as a subdomain takeover....
#82
Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges
Pollution is a bug class that I only correlated with JavaScript, but it turns out that Ruby also has the merge method, which can be used to pollute a parent object. Doyensec described this with some real-world examples. With this and the Ruby SAML bypass, I gotta take a...
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)
Signature verification is something that proves problematic over and over again, not necessarily because the verification itself is difficult but because of the whole process that precedes it: normalizing the XML or the JWT token, parsing them, dealing with duplicate fields...
From easy wins to epic challenges: Bounty hunter edition
A lot of you enjoyed the Q&A with Jhaddix and Blaklis that I published on my channel last week. If you’d like to familiarise yourself more with Blaklis’ methodology (and trust me, you should), his talk from DEFCON is now public....
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
If you’ve been on Twitter recently, you’ve definitely heard about this bug in Zendesk. From the technical perspective, it’s a very interesting variation of the ticket trick shared a few years ago by Inti....
Find local RCEs and other bugs with no memory corruption skills
Over the years, despite having absolutely zero memory corruption skills, I have had quite a lot of success in hacking desktop apps. Many people overlook this attack surface. In this article, I will tell you how to successfully find RCEs and other bugs only with your...