If you’ve been on Twitter recently, you’ve definitely heard about this bug in Zenbox. From the technical perspective, it’s a very interesting variation of the ticket trick shared a few years ago by Inti....
Server-side hacking techniques
Automating XXE hunt with AI
Personally, I don’t test for XXEs as often as I should. One of the reasons is that, especially for a docx-based XXE, it’s quite a lot of work to insert the payload, repackage the archive, etc. STÖK is someone who loves XXE and he wrote a series of tweets describing how...
Next.js and cache poisoning: a quest for the black hole
It’s incredible how sometimes adding a single header like x-middleware-prefetch: 1 can cause a website to be DoSed for everyone. This is an actual technique used by @zhero___ and described in this blogpost. Or, more specifically, one of three different cache poisoning...
Chaining Three Bugs to Access All Your ServiceNow Data
Assetnote blogposts are amazing! Not only do you learn what the bug was but you even get to know the whole architecture of the target technology. From this one, you go all the way from injecting XML tags, through bypassing a blocklist, up to template injection and...
The X-Correlation between Frans & RCE – Research Drop – @fransrosen & @ctbbpodcast
On the Critical Thinking podcast, Frans Rosen dropped research about exploiting parts of the application that I always ignore - the correlation headers like Request-ID, which resulted in crazy findings! For example, sending this x-request-id header resulted in the...
Gotta cache ’em all: bending the rules of web cache exploitation
Whatever bug class you’re testing, you always have a variety of tricks or bypasses that you try. Sometimes they work, sometimes they don’t and you rarely know why they do. That’s why I love research with a fact-based approach that says which tricks actually work and...
Listen to the whispers: web timing attacks that actually work
Timing attacks are something I’ve been aware of for a long time, yet I haven’t utilised them much. But this year, James Kettle’s research reveals techniques for timing attacks that allow us to detect timing differences as small as 200μs, which we can utilise in a wide range...
A tool for domain bitflips and typosquats
A bitflip is a situation where a bit flips and, for example, google[.]com becomes coogle[.]com or woogle[.]com. Turns out this happens not that rarely and if you register a domain like this, you will receive a lot of traffic. This topic has been research material for...
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
Orange Tsai took a “glance” at Apache HTTP Server, which resulted in 9 CVEs: CVE-2024-38472 - Apache HTTP Server on Windows UNC SSRF; CVE-2024-39573 - Apache HTTP Server proxy encoding problem; CVE-2024-38477 - Apache HTTP Server: Crash resulting in Denial of...
Things you wish you didn’t need to know about S3
If you thought you knew S3 buckets, I think you are underestimating them. In this article, Daniel Grzelak showed a lot of S3-related tricks I had no idea about. For example, when uploading an object, you can specify a file’s location in metadata which will give you an...