We're continuing the OAuth series with yet more potential attacks. I'll show you two server-side OAuth attacks that are a bit less known yet, because they don't need user interaction, are usually rated as critical. I'll also show you two other...
Articles by Issue
WorstFit: Unveiling Hidden Transformers in Windows ANSI!
The Devcore team published excellent research describing Windows' best-fit algorithm for matching characters that fall outside a specific charset. This results, among many other examples, in mapping a Yen character to a backslash, which, as you can likely imagine, is...
Red, Blue, and Purple AI – Jason Haddix
I find myself using AI quite frequently while hacking, yet my usage is still mostly asking ChatGPT or Copilot to explain something or, at best, generate code. While I don't believe that hacking bots will entirely replace humans soon, I do think that individuals...
Hackvector web
I feel like I'm sleeping on all the tools released by Gareth Heyes, but I believe they are incredibly powerful and could save me a lot of time. For example, the web version of Hackvector looks incredibly helpful for repetitive things like encoding or transforming...
How DDay Became The Most Valuable Hacker
Most Valuable Hacker at a HackerOne Live Hacking Event is the most prestigious award in the bug bounty space today. Douglas Day won it at H1-305 earlier this year in 2024 and has shared his experience in this blog post. I especially liked this part, which is very...
How a top hunter figures out a complex target
We all read bug bounty write-ups and learn from them. However, the bug is always the culmination of the bug hunting process. We never see the initial phase, where the hunter is confused by everything and is only learning how to use and understand the parameters. Ron Chan...
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
If you've read the title and you're wondering how on Earth someone found a collision in SHA-256, you've missed the word "truncated". Because OpenWrt truncated the hash to its first 12 characters, Ryotkak patched hashcat to only compare the beginning of...
Cross-Site POST Requests Without a Content-Type Header
Did you know that this code would send a POST request without a Content-Type header? I didn't. So if you have backend code like this, you can use it to bypass the CSRF protection. A quick, simple, and unexpected edge case, just as we all love!...
Predictable Patterns & PII Leakages: Using AI to mass leak data
Insufficiently random tokens are a bug class that I'm slightly upset about. I'm upset about it because I feel that a lot of the tokens we receive when, for example, resetting passwords aren't really that random, yet their structure makes them hard to predict without...
Bypassing WAFs with the phantom $Version cookie
And as if the cookie parsing logic from the previous article isn’t complex enough, you can add a $Version phantom cookie to the mix that downgrades the cookie parsing logic to some old standard....