CSP is very complex and also, very annoying when you have an XSS. From this blogpost by Johan Carlsson, you can learn why the following payload bypassed CSP both on Twitter and PortSwigger's website. Also, I didn't know that even though you don't see...
3 unauth RCEs in Lucee and $20k bounty from Apple
This writeup by Harsh Jaiswal & Rahul Maini is incredible! Maybe, you remember my video from 2021 about a $50,000 RCE in Apple via a 0day in Lucee. It was by the same pair of hunters. And they decided to find another RCE there. And they found it. But it wasn't...
Exploiting Hardened .NET Deserialization by Piotr Bazydło
I didn’t know about this research until PortSwigger’s TOP 10 list came out. It’s about finding deserialisation gadgets in .NET but also, about a new way of exploiting these bugs as deserialisation-serialisation chains in cases where you don’t have gadgets good...
Top 10 web hacking techniques of 2023
PortSwigger's yearly TOP 10 hacking techniques list is a collection of the top writeups of the year. I make sure to read all the articles from the top 10 but also, I don't forget about the nominations list - I try to read the most interesting ones from there, too....
Breaking HTTP parsers using HTTP garden
Smaller and bigger inconsistencies in HTTP parsing occur all the time. However, there are infinite combinations of servers and reverse proxies but some of those inconsistencies are only dangerous in very specific contexts. And the trick is to be able to find them when...
Mobile hacking resources and interview with Joel Margolis
If you are into mobile hacking, you should definitely check out Jason Haddix’s issues of Executive Offense newsletter number 7 and number 9. He shares a lot of mobile testing tools and in the 9th issue, there’s even an interview with Joel Margolis....
A Recipe for Scaling Security from Google
I am passionate about finding bugs and, since you are reading this, you probably are, too. However, the truth is that on the scale of a huge company, fixing one bug is only one of a thousand steps that you would have to take to be secure. To take bigger steps than one...
cvemap from ProjectDiscovery
How many CVEs do you think were issued last year? 100? 1,000? 10,000? No, 24,804. Or 68 per day. It means “a” CVE doesn’t mean much. We need to find “the” CVE. The cvemap from ProjectDiscovery is there to help us. It indexes CVEs along with attributes like the...
Popping WordPress Plugins – Methodology Brain dump
If you are into hacking WordPress plugins, you must listen to this episode of the Critical Thinking bug bounty podcast! Ram shares a lot of unintuitive traps that are awaiting developers and tricks we can use to exploit them. After listening to the podcast, you can...
Forging signed commits on GitHub
I find reports like this one very satisfying. In short, in GitHub’s commit signing flow, there were two different components and one of them extracted the email of the author regardless of whether there was a username while the regex in another component only accepted...