In hacking, there are certain things that I enjoy doing and certain things that I don’t. Looking for SSPP gadgets certainly belongs to the latter category. Luckily for me, the Language-Based Security group at KTH Royal Institute of Technology started collecting them...
Server-side hacking techniques
Signature Verification Bypass in Nuclei
Because of a differing definition of what counts as a line ending, it was possible to bypass signature verification in nuclei by using \r as a line separator inside a comment. The injected content was processed as part of the YAML template but was not covered by the signature...
SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
One of the fascinating techniques I overlooked this year, but then discovered on PortSwigger’s Top 10 nominations list, was this talk about SQL injection at the protocol level. The research not only presents cool bugs but also techniques applicable to various attack...
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
If you’ve read the title and are wondering how on Earth someone found a collision in SHA-256, you’ve missed the word “truncated”. OpenWrt truncated the hash to its first 12 characters, so Ryotkak patched hashcat to only compare the beginning of...
Breaking Down Multipart Parsers: File upload validation bypass
The multipart request body format turns out to be really challenging for WAFs and reverse proxies, which often lets you simply hide a payload from them instead of bypassing them directly. This blog post shows six different methods of achieving that...
Paranoids’ Vulnerability Research: NetIQ iManager Security Alerts
I think this write-up by The Paranoids went a little under the radar, yet it is a really high-quality blog post. Like Assetnote’s write-ups, it shows us not only the exploit but also the vulnerable code, the obstacles and their bypasses. Of course, the most...
Practical Exploitation of DoS in Bug Bounty – Roni Lupin Carta
What I’m noticing this year in a lot of top hunters is that they are somehow able to test functionality that others don’t. There are a few ways they achieve that. Some of them spend thousands of dollars using the website. Others spend hours looking at...
Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall
This blog post by Assetnote describes how a firewall’s odd behaviour of resolving non-existent domains to random IP addresses can be exploited to achieve essentially the same impact as a subdomain takeover...
Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges
Pollution is a bug class I had only associated with JavaScript, but it turns out that Ruby also has a merge method that can be used to pollute a parent object. Doyensec described this with some real-world examples. With this and the Ruby SAML bypass, I gotta take a...
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)
Signature verification is something that proves problematic over and over again, not necessarily because the verification itself is difficult but because of the whole process that precedes it: normalizing the XML or the JWT, parsing it, dealing with duplicate fields...