I think the OWASP Top 10 lists are great resources for developers. They are a single resource that gives developers enough information to be at least somewhat aware of what risks are present. It's also good when you are just getting familiar with a new area of...
Abusing Client-Side Desync on Werkzeug
The client-side desync bug class has been somewhat forgotten since its release one year ago. But it's back in a great blog post by Kevin Mizu. I liked how he also described the process of weaponizing the bug, which included finding an open redirect....
Hacking Salesforce-backed WebApps
I know for a fact that Salesforce is properly complex and hard to secure. On the other hand, however, you need to know a lot of Salesforce-specific things to hack it well. From this blog post, you can learn how IDs are created, why they are not as random as they look,...
Portswigger GraphQL labs
Portswigger labs are the best practical resource for learning the basics of web security. Period. They have now released an article and 5 labs about GraphQL, so if that's something you want to improve at, make sure to give them a try!...
Source code review – catching low-hanging fruit
Manual source code review is tedious and often takes a long time. Although tools will never replace a human, utilising them is simply a smart thing to do. Sometimes you will be lucky and get a bug straight away. I've been lucky with it recently. Most of the...
Cookie Bugs – Smuggling & Injection
This blog post by Ankur Sundara once again proved useful for solving a CTF challenge. This time, one player used the empty cookie trick to solve my challenge in an unintended way. More about that in the video I'll dedicate to the task, but I'm sharing this already...
Tips and tricks for Burp Suite Pro by @Agarri_FR
Working productively with Burp Suite is key to allowing your mind to focus on the hacking itself and not the usage of the tool. In this talk at NorthSec 2023, Nicolas Grégoire shared a bunch of tricks in Burp but also in a few extensions. Watch the talk yourself here...
Hacking root EPP servers to take control of zones
When you see four names like Sam Curry, Brett Buerhaus, Rhys Elsmore, and Shubham Shah collaborating, you know their work will expose a serious threat to the Internet. It wasn't different this time, when they got the ability to control DNS zones in all of the...
Story of an RCE on Apple Through Hot Jar Swapping by Frans Rosen
Frans Rosen is one of the hunters whose reports I love the most. They are always at least somewhat novel and crazy. This time, he found an RCE on Apple and used a technique called hot jar swapping: he replaced an already loaded JAR file and walked on a very thin...
AI Canaries
When I was creating the transcript of my latest video, I asked ChatGPT to add some punctuation and change the capitalization of the text without modifying the content. But in the middle of the text, the chat stopped rewriting the transcript and started to explain to me...