In this really extensive blogpost, adnanthekhan describes how he found multiple instances of cache poisoning in GitHub Actions. The takeaway is that if any workflow uses GitHub Actions caching and we can run untrusted code in the context of the main branch, we likely...
Server-side hacking techniques
Digging for SSRF in NextJS apps
To be honest, I am running out of things to write about Assetnote blogposts. They are always quality, always clear, and always useful, so you should read them no matter what I say. The recent one is interesting in that not only does it describe a zero day in NextJS but also...
Discovering SSRF by cross-protocol redirection
A redirect is one of the basic tests to bypass SSRF protection. But we should make sure it is a cross-protocol redirect. That’s because in some libraries, like request, you can specify an agent that will only make a request to a whitelisted resource. However, there was...
Pretalx Vulnerabilities: How to get accepted at every conference
This blogpost describes two path traversal bugs in Pretalx. One thing to note is the transformations through which the path went before being saved on disk. Another interesting fact is the way to exploit a file write to an RCE in Python environments....
Ruby send leads to disclosing 1220 GitHub env variables
Ruby’s send function allows a method with a particular name to be called dynamically. And while this sounds great, there are usually not many fun things you can do without controlling the method’s arguments. But in GitHub, Ngo Wei Lin found a way to leak all the environment...
ALB auth bypass by using untrusted JWT token
Usually, JWT tokens do not contain information about the signing secret used. In most cases, a web application uses a single signing secret that is not included in the JWT header. However, as per specification, JWT tokens are much more complex. Even though developers...
3 unauth RCEs in Lucee and $20k bounty from Apple
This writeup by Harsh Jaiswal & Rahul Maini is incredible! Maybe you remember my video from 2021 about a $50,000 RCE in Apple via a 0day in Lucee. It was by the same pair of hunters. And they decided to find another RCE there. And they found it. But it wasn't...
Exploiting Hardened .NET Deserialization by Piotr Bazydło
I didn’t know about this research until PortSwigger’s Top 10 list came out. It’s about finding deserialisation gadgets in .NET but also about a new way of exploiting these bugs as deserialisation-serialisation chains in cases where you don’t have gadgets good...
Breaking HTTP parsers using HTTP garden
Smaller and bigger inconsistencies in HTTP parsing occur all the time. However, there are infinite combinations of servers and reverse proxies, and some of those inconsistencies are only dangerous in very specific contexts. So the trick is to be able to find them when...
ChatGPT Account Takeover – Wildcard Web Cache Deception
It might not be the first time I’m writing this, but every time I read a cache deception writeup, I feel like I should be paying more attention to this bug class. Because, for example, Harel found a ChatGPT account takeover by forcing the server to cache the victim’s...