I feel like even though cookies have been around forever, 2024 is the year where we all realize how complex cookie parsing is and how many things can go wrong. I think a lot of it can be attributed to MatanBer and his interviews in CTTB. But also, to articles like...
Articles by Issue
OAuth #5 – OAuth recon
I've been having quite a good time recently with authentication bugs. Not all of them are in SSO flows but most of them are and the techniques I've used are the same ones I covered in previous articles from this series: OAuth #1 - How does it even work? Oauth...
Breaking Down Multipart Parsers: File upload validation bypass
The multipart request body format turns out to be really challenging for WAFs or reverse proxies, which often allows you to just hide a payload from them instead of bypassing them directly. This blog post shows six different methods to achieve that....
Story of a Cloud Architecture Diagramming Tool gone wrong
This blog post goes over a story of one of Google’s applications that eventually led it to be taken down because of XSSes, path traversals, and a lot of data disclosure. Basically, everything. https://jdomeracki.github.io//2024/11/09/sketchy_cheat_sheet/
Exploring the DOMPurify library: Bypasses and Fixes
Kévin Mizu comes back to the newsletter for the second issue in a row. This time, with a blog post about DOMPurify bypasses and some mXSSes. If you think you know HTML, read it and I guarantee you will change your mind. I certainly know nothing about HTML, but...
Breaking the most popular Web Application Firewalls in the market
This blog post covers WAF bypasses for XSSes and SQLis in as many as 16 different providers! It is definitely the place to go if you're encountering a WAF. https://nzt-48.org/breaking-the-most-popular-wafs
From an Android Hook to RCE: $5000 Bounty
One of the first things that you learn when learning security is that everything on the client side is untrusted. Even if it's encrypted. This blog post shows really well how client-side encryption in a mobile app was used to obfuscate functionality...
Switching from pentesting to bug bounty – 6 things I had to change
If you’re a web pentester, you’re hacking web applications. If you want to do web bug bounty, you’re also going to hack web applications. It sounds like it should be an easy transition. However, for many, it isn't. It certainly wasn't for me. I like to draw an...
Oh Sh*t bug bounty moments
Bug bounty means that hacking is mostly done on production targets. We can be as careful as possible, and we'll still break things at times. Here's a thread with some Oh Sh*t bug bounty moments from the community. https://x.com/hacker_/status/1509986966384877569
Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE
And if you are in the mood for some browser hacking, check out this writeup by Renwa. It's about the Arc browser, which is software I have never heard about, but it pays up to $20,000. It's Chromium-based, but it did expose some custom endpoints to install extensions...