Kévin Mizu’s blog is always a quality read when it comes to CTF writeups. In this one, he describes three challenges from HeroCTF. The one I think is most likely to become useful is the second one, which describes how client-side caching works and how it can be...
Paranoids’ Vulnerability Research: NetIQ iManager Security Alerts
I think this writeup by The Paranoids went a little bit under the hood, yet it’s a really good quality blogpost. Similarly to Assetnote’s writeups, it not only shows us the exploit but also the vulnerable code, the obstacles and their bypasses. Of course, the most...
200K $ in 2 weeks : A clickbait title but (hopefully) valuable advice
If you want to learn more about LHEs, this blogpost is great. Doomerhunter describes how he got into Live Hacking Events and how he, with Geluchat, made $200k on AWS during H1-0131. It’s nice, honest advice and I can only agree with everything that has been said...
Cookies, Caching & Attacking Chrome Extensions with MatanBer CT 95&96
All of you should listen to all the Critical Thinking podcasts. That’s the only reason I’m not putting every single episode in the newsletter and I only do it once in a while. Like now when I’m sharing with you the episode with MatanBer about hacking browser...
Practical Exploitation of DoS in Bug Bounty – Roni Lupin Carta
What I’m noticing this year in a lot of top hunters is how they are able to somehow test functionality that others don’t. There are a few methods through which they achieve that. Some of them spend thousands of dollars using the website. Others spend hours looking at...
Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall
This blogpost by Assetnote describes how a firewall’s weird behaviour of resolving non-existent domains to random IP addresses can be exploited to achieve basically the same impact as a subdomain takeover....
Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges
Pollution is a bug class that I only associated with JavaScript, but it turns out that Ruby also has a merge method that can be used to pollute a parent object. Doyensec described this with some real-world examples. With this and the Ruby SAML bypass, I gotta take a...
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)
Signature verification is something that proves problematic over and over again. Not necessarily because the verification itself is difficult, but because of the whole process that precedes it: normalization of the XML or a JWT token, parsing them, dealing with duplicate fields...
From easy wins to epic challenges: Bounty hunter edition
A lot of you enjoyed the Q&A with Jhaddix and Blaklis that I published on my channel last week. If you’d like to familiarise yourself more with Blaklis’ methodology (and trust me, you should), his talk from DEFCON is now public....
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
If you’ve been on Twitter recently, you’ve definitely heard about this bug in Zendesk. From the technical perspective, it’s a very interesting variation of the ticket trick shared a few years ago by Inti....