CVSS is a uniform way to describe the severity of a bug. It has received a lot of criticism for its flaws over the years. However, we still use it and we'll keep using it for now. Not because it's perfect but because we don't have anything better. Incorrectly...
Articles by Issue
How to make money with IDORs? IDOR case study
IDORs are often recommended as the easy vulnerability class, good for starting the bug hunting journey. "Just change the ID in the URL parameter," they say. But are they really that easy? Well, there's only one way to find out: do the case study. This week, I analysed...
SSRFs caused by SNI proxy misconfigurations
SSRFs are one of my favourite bug classes and I’m always amazed to find out about new attack vectors for them. This week, I’ve learnt about exploiting SNI proxy misconfigurations, from a blogpost by Aleksei Tiurin:...
Safely detect Server-side prototype pollution
Server-side prototype pollution often results in an RCE. However, it is very prone to DoSing the app while you try to confirm or exploit it, and DoSing the app isn't what we want to do when hunting on bug bounty programs. But Gareth Heyes did some research and found a...
Triage from the other side – improve your reporting
What's the most important part of a racecar? The things you probably think of are the engine, aero, chassis, brakes... But did you think about tires? Tires are the single thing sticking a racecar to the track, and if you have bad tires then it doesn't matter how great your...
Learning a new challenging concept
Learning a new challenging concept can be daunting, but with the right mindset and approach, you can tackle and master any skill. I’m a learning junkie and in this article, I’ll explore practical steps and strategies that I’ve used over the years to make it easier....
Preventing XXEs in Java is hard – analysis of 10 classes
You might think that preventing XXEs is easy. "Just disable external entities" would be my recommendation in a pentest report. However, Pieter De Cremer and Vasilii Ermilov from semgrep tested ten different XXE attack vectors against ten different Java classes,...
From finding the target, the bug, through getting the CVE, up to my first CodeQL bounty
Last year, I received my first CodeQL bug bounty, which was a very satisfying achievement because I felt that this bug bounty program was right for me and my skill set. It's a very unusual program because you receive a bounty for the scanner code that you wrote and not...
RCE in Aspera and approaching Rails source code review
Assetnote blog posts were always great because they would not only tell you what the bug was but also how they found it. They got even better now because, apart from telling you what the bug was and how they found it, they now also tell you how you should look for similar...
Simple and easy JavaScript Analysis
Among other superlatives, I would describe Jason Haddix as the person who has used, or at least tested, every single web hacking tool out there. He's very much into finding more bugs and saving time by using tools well, so I'm always listening carefully wherever he shares...