If you are curious about what writing a CVE exploit looks like, this blog post describes the process really well. It covers not only the exploit itself but also all the preceding steps, like setting up the environment. More specifically, it’s about the CVE-2022-1471 YAML...
Server-side hacking techniques
3 Nginx tricks for auth bypass
Understanding Nginx and its potential misconfigurations can lead you to find many vulnerabilities. In this article, I’ll show you Nginx tricks I learnt from a CTF I played at the 37C3 conference. It’s not a task writeup - I’ll focus on parts of the task that can be...
Hunting For Amazon Cognito Security Misconfigurations by @Yassineaboukir
AWS Cognito is a cloud solution to handle authentication and authorization for developers. I’m sure not having to handle this part sounds awesome to them, because there are many mistakes you can make in this functionality. But while AWS Cognito handles a lot of...
Severe HTTP request smuggling bug chain
I always read and watch James Kettle’s presentations about request smuggling to understand the new attacks. However, a lot of the time I then don’t see how they are exploited in the wild. That’s why I liked this article by D3D, where he showed how he was able to send all...
mTLS: When Certificate Authentication Is Done Wrong
I remember the first time I was about to test the mTLS authentication. I had no idea what to do! I wish back then there was a talk like this one, by Michael Stepankin, about some bugs that can occur in the mTLS authentication mechanism. I watched it and now I...
EJS Vulnerabilities
As you know, I’m a big fan of CTFs. I think we can learn a great deal from them. At the very least, they give us a lot of cool writeups. In this one, for example, Huli described a way to turn this code, which at first looks secure, into an RCE. The reason is that, in...
The true potential of web race conditions
For a long time, we were thinking of race conditions as bugs like reusing a promo code multiple times or something related to the checkout functionality. When testing any website with purchasing, I’ve tried these things but honestly, I don’t think it ever worked. I...
Novel ways of HTTP request splitting
CRLF injection is a commonly known vulnerability type: you send a request containing CRLF characters and check whether they are reflected without sanitisation in the response. While this scenario is the easiest to detect, it’s not the only one. There’s also a possibility...
Smashing the state machine: the true potential of web race conditions
James Kettle’s research is a yearly must-read for every web hacker. This time, he took a look at race condition bugs, discovered interesting ways of finding them and created tooling that will make hunting race conditions easier for us. After reading the article, I...
Exploiting HTTP Parsers Inconsistencies
I feel like I say it over and over again, but it’s just because it’s true. Inconsistencies are the origin of many bugs. In the modern web, with so many things to be parsed by so many different parsers, they are everywhere. Thus, I love blog posts highlighting them like...