If you’ve read the title and you’re wondering how on Earth someone has found a collision with SHA-256, you’ve missed the word “truncated”. Because OpenWRT only truncated the hash to the first 12 characters, Ryotkak patched hashcat to only compare the beginning of...
#85
Cross-Site POST Requests Without a Content-Type Header
Did you know that this code would send a POST request without a Content-Type header? I didn’t. So if you have backend code like this, you can use it to bypass the CSRF protection. A quick, simple, and unexpected edge case, just as we all love!...
Predictable Patterns & PII Leakages: Using AI to mass leak data
Insufficiently random tokens are a bug class that I’m slightly upset about. I’m upset about it because I feel that a lot of the tokens we receive when, for example, resetting passwords aren’t really that random, yet their structure makes them hard to predict without...
Bypassing WAFs with the phantom $Version cookie
And as if the cookie parsing logic from the previous article isn’t complex enough, you can add a $Version phantom cookie to the mix that downgrades the cookie parsing logic to some old standard....
Handling Cookies is a Minefield
I feel like even though cookies have been around forever, 2024 is the year when we all realize how complex cookie parsing is and how many things can go wrong. I think a lot of it can be attributed to MatanBer and his interviews in CTTB. But also, to articles like...
OAuth #5 – OAuth recon
I've been having quite a good time recently with authentication bugs. Not all of them are in SSO flows but most of them are and the techniques I've used are the same ones I covered in previous articles from this series: OAuth #1 - How does it even work? Oauth...