This was definitely the hardest case study. Usually I am able to reduce the number of different labels I have quite well, but there's a huge variety of bugs that can result in command execution. It also shows how much we still have to learn to be able to find those...
Articles by Issue
Content-Type shenanigans
Parsing of the Content-Type header isn't straightforward at all, yet it can be crucial for some bug classes. Mathias Karlsson published a nice writeup in which he described some techniques we can use when we control a suffix of this response header....
mTLS When Certificate Authentication Done Wrong
I remember the first time I was about to test mTLS authentication. I had no idea what to do! I wish there had been a talk like this one back then, by Michael Stepankin, about some bugs that can occur in the mTLS authentication mechanism. I watched it and now I...
GraphQL wordlists
The team from Escape did great work extracting words from over 60,000 GraphQL schemas and compiled wordlists that we can all reliably use for brute-forcing GraphQL. They are divided into separate categories for different contexts, like queryField or argument....
EJS Vulnerabilities
As you know, I'm a big fan of CTFs. I think we can learn a great deal from them. At the very least, they give us a lot of cool writeups. In this one, for example, Huli described a way to turn this code, which looks secure at first, into an RCE. The reason is that, in...
Shortcuts that speed up my hacking every day
Using shortcuts makes you more efficient in any job, and hacking is no exception. Small gains here and there save you hours in the long run and simply allow you to find more bugs in the same amount of time. Moreover, I know it's not 100% accurate, but I have to admit...
XSS exploits made easy (and super cool)
When somebody asked me about the real impact of an XSS, I used to say that the attacker can generally do exactly the same things as the victim. That was true - in theory, I could create a JS payload that would give me exactly the same access as the user has. The...
The true potential of web race conditions
For a long time, we thought of race conditions as bugs like reusing a promo code multiple times or something related to checkout functionality. When testing any website with purchasing, I've tried these things, but honestly, I don't think it ever worked. I...
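The promo-code case mentioned above is the classic check-then-act race: the server checks that a code is unused, then marks it used, and two requests that both pass the check before either writes will both be accepted. The following is an added example, not code from this newsletter or from the research it refers to; it simulates that race in-process against a constructed in-memory promo table (no real shop, no real endpoint) with a barrier that forces every "request" to arrive at the same moment, and contrasts the racy handler with one that makes the check and the update atomic under a lock. Function and class names are illustrative.

```python
import threading


class PromoService:
    """Constructed stand-in for a promo-code table. Each code may be redeemed once."""

    def __init__(self, codes):
        self._redeemed = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem_racy(self, code, sync=None):
        """Vulnerable: the 'is it unused?' check and the 'mark used' write are not atomic."""
        if code not in self._redeemed or self._redeemed[code]:
            return False
        if sync is not None:
            sync.wait(timeout=5)  # simulate concurrent requests all passing the check first
        self._redeemed[code] = True  # every racer that passed the check wins here
        return True

    def redeem_atomic(self, code, sync=None):
        """Hardened: check and update happen under one lock, so only one racer can win."""
        if sync is not None:
            sync.wait(timeout=5)  # all requests arrive together, then get serialized
        with self._lock:
            if code not in self._redeemed or self._redeemed[code]:
                return False
            self._redeemed[code] = True
            return True


def run_race(service, redeem, code, n):
    """Fire n concurrent redemptions of one code and return how many were accepted."""
    barrier = threading.Barrier(n)
    results = [False] * n

    def worker(i):
        results[i] = redeem(code, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)


def demo_racy(n=10):
    """Constructed code 'SAVE10' redeemed n times concurrently by the racy handler."""
    service = PromoService(["SAVE10"])
    return run_race(service, service.redeem_racy, "SAVE10", n)


def demo_atomic(n=10):
    """Same race against the handler that makes check-and-update atomic."""
    service = PromoService(["SAVE10"])
    return run_race(service, service.redeem_atomic, "SAVE10", n)


if __name__ == "__main__":
    print("racy handler accepted:", demo_racy())      # all 10 racers get the discount
    print("atomic handler accepted:", demo_atomic())  # exactly 1 does
```

Against a real target the barrier is replaced by sending the requests so they land in the same window (the same technique applies to any check-then-act flow, not only promo codes); the fix on the server side is the same idea as `redeem_atomic`: a database-level atomic update (for example a conditional `UPDATE ... WHERE redeemed = false` and checking the affected-row count) rather than a read followed by a separate write.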
Client-side vs server-side bugs
A very interesting take on client-side vs server-side bugs by Shubs. He said a similar thing in my podcast interview with him, which you can listen to here. https://twitter.com/infosec_au/status/1698322940159557987
Finding Vulnerabilities with MRVA CodeQL
Some time ago, CodeQL gained MRVA (multi-repository variant analysis), which allows running CodeQL queries across many repositories at once. I've been procrastinating on running some queries for a long time, but the author of this article, Maiky, didn't procrastinate and described the process of finding...