There are some vulnerabilities where I think to myself “How on Earth did they make such a stupid mistake?” but there are also ones where I’m not at all surprised that the developer didn’t know about a quirk of a language or a framework. Today, I will show you an...
Articles by Issue
ModSecurity WAF bypasses
s0md3v shared a bunch of ways in which he bypassed ModSecurity WAF. I always learn new quirks from these articles. For example, did you know that on Linux the shell expands a character class inside a path, so you can reach a file without ever writing its literal name? https://s0md3v.github.io/blog/modsecurity-rce-bypass
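To make that glob quirk concrete, here is an added shell example of my own; it is not code from s0md3v's post. It pairs a constructed, deliberately naive filter that looks for the literal string /etc/passwd with the shell's own pathname expansion. The functions waf_blocks, obfuscate and expand are mine, and the one-line grep rule is a stand-in for illustration, not a real ModSecurity rule.

```sh
#!/bin/sh
# Added example, not code from s0md3v's post. A constructed, deliberately
# naive filter (match the literal string "/etc/passwd") next to the shell's
# own pathname expansion, which resolves bracket expressions such as [e]
# before the command ever runs. The point is the gap between the string a
# filter inspects and the path the shell actually opens.

# waf_blocks COMMAND -> exit 0 when the constructed rule would block COMMAND.
# (Stand-in rule; real ModSecurity rules are far richer than this.)
waf_blocks() {
    printf '%s' "$1" | grep -q -E '/etc/passwd'
}

# obfuscate PATH -> wraps the first character of every path component in a
# bracket expression: /etc/passwd becomes /[e]tc/[p]asswd. Each component
# still matches exactly one name, so the shell resolves it to the original.
obfuscate() {
    printf '%s' "$1" | sed 's#/\(.\)#/[\1]#g'
}

# expand PATTERN -> prints the first name the shell expands PATTERN to. The
# parameter is left unquoted on purpose so pathname expansion applies, which
# is exactly what happens when an injected command is handed to "sh -c".
expand() {
    set -- $1
    printf '%s\n' "$1"
}

# Demo against a file created in a temporary directory, so nothing depends
# on the contents of the real /etc.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/passwd"
    p=$(obfuscate "$d/passwd")
    if waf_blocks "cat /etc/passwd"; then
        echo "literal path: blocked by the rule"
    fi
    if ! waf_blocks "cat $p"; then
        echo "obfuscated path $p: not blocked by the rule"
    fi
    printf 'the shell expands %s to %s\n' "$p" "$(expand "$p")"
    rm -rf "$d"
}

demo
```

Two caveats worth keeping in mind: the expansion only happens when the injected string reaches a shell (system(), popen(), sh -c and friends), not when the application opens the path itself, and a shell running with set -f (noglob) or bash's failglob leaves the pattern alone or aborts. The broader lesson for anyone writing such rules is that matching a literal path string is a weak control; the same trick works with ? wildcards, and the only robust fix is not to let untrusted input reach a shell at all.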
Bypassing AWS SNS webhook verification
In this blog post, Spaceraccoon describes the story of how he was able to forge arbitrary signatures in AWS’s SNS webhook service. Interestingly, there was literally only one S3 bucket that he had to use to perform this attack and it turned out to be a publicly...
Escalating an unauthenticated, cookie-based XSS
Bartłomiej Bergier shared a nice writeup about finding and exploiting an XSS in an authentication cookie. In short, the road to success consisted of: finding a way to host an HTML file on the target’s subdomain, creating a payload for an unauthenticated XSS because, as...
Bypassing server-side XSS sanitizers
A few issues ago, we talked about bypassing client-side HTML sanitizers in the context of XSS. Today, we’ll do the same but about bypassing server-side HTML sanitizers. Unfortunately, I had to redact some details from the draft article because the steps taken here led...
$100k in bounties and GitLab TOP4 in 16 months
We all have some people in bug bounty that we look up to. It’s often people who have been in the industry pretty much since the beginning and were doing web security even before bug bounty became a thing. There’s always a catch that they started in different times -...
Pause-based desync attacks explained
The last video on my channel is about the CL.0 client-side desync attack. I’m not gonna be artificially modest - I think the video is great and I’m sure that had I seen it first, I would have understood the client-side desync much quicker. It’s because from all my...
A tool to get a USA phone number
The problem of needing another phone number for registering a test account on a website is quite an annoying one. Especially when the number has to be from a particular country, often the USA. While free SMS gates are sometimes enough, often they don’t work as they...
Preparing a technical presentation
Chelsea Troy wrote an interesting article about preparing a technical talk. I think this kind of material is needed because while articles about preparing presentations are all over the Internet, there are very few materials about technical talks. They are vastly...
Funny origin of an Auth bypass in IIS
Orange Tsai focused his attention on the Microsoft IIS server and specifically on its cache. He found three bugs: CVE-2022-22025 (Microsoft IIS Hash-Flooding DoS), CVE-2022-22040 (Microsoft IIS Cache Poisoning Attack) and CVE-2022-30209 (Microsoft IIS Authentication Bypass). The...