WordPress websites use many external plugins and themes. Importantly, they might be stored in the public WP plugins repository as well as in private ones. It reminds me a bit of the setup for a dependency confusion vulnerability. That's pretty much what...
Server-side hacking techniques
Web Cache Poisoning – part 1 – basics
I feel like I see quite a few web cache poisoning writeups recently. That’s why I will tell you about it today and in the next issue, I will show you those recent writeups and examples. Enjoy! For clarity - there are a few kinds of caches - web cache, DNS cache,...
Web Cache Poisoning – part 2 – examples
In the last issue, we discussed the basics of web cache poisoning. Today, we’ll jump straight to the practice and see how people are making money and getting CVEs with this bug class. You should be familiar with the cache poisoning attack idea before jumping to this...
SQL injection in today’s web
Every once in a while, I get asked whether vulnerabilities like SQL injection are still around. When pentesting, I encountered this bug class regularly but, to be honest, I wouldn’t test for it on any bug bounty target. However, I see that some people are...
Escaping shell arguments for command injection bugs
Command injection is usually a critical vulnerability. Even though it’s not very common these days, it’s definitely still present and worth knowing. In this article, I will show you the potential attack vectors and quirks I learned recently. We will consider a...
TOP 7 hacking technique 2021 – JSON interoperability bugs
Many vulnerabilities originate in inconsistencies in parsing input between different components of the same application. In simple words - sometimes parsers make assumptions about how to parse a quirky value. In itself, that’s not a security bug. It becomes a serious...
Bypassing URL blocklists in Java
Java, like every language, has some quirks. One of them is that you can put url: in front of a URL to bypass potential filters: java.net.URL silently strips a leading url: prefix (case-insensitively) before parsing the rest. One of the replies to the tweet by Phith0n also mentions that leading spaces work, too, because the same parser trims leading and trailing whitespace. source tweet
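The bypass in practice, as an added example that is not part of the original post: a hypothetical SSRF filter that string-matches the raw input against a denied host (the naive check) versus one that compares the host java.net.URL actually resolves. The DENIED_HOSTS list and the metadata-service payloads are constructed for illustration; the url: stripping and whitespace trimming are behaviour of java.net.URL itself.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;

public class UrlBlocklistBypass {
    // Hypothetical denylist of hosts an SSRF filter wants to keep unreachable.
    static final List<String> DENIED_HOSTS = List.of("169.254.169.254", "localhost", "127.0.0.1");

    // Weak check: looks at the raw string the user supplied, not at what will be fetched.
    static boolean naiveFilterAllows(String input) {
        for (String h : DENIED_HOSTS) {
            if (input.startsWith("http://" + h) || input.startsWith("https://" + h)) {
                return false;
            }
        }
        return true;
    }

    // Hardened check: parse with the same class the fetcher uses, then compare the host.
    static boolean parsedFilterAllows(String input) throws MalformedURLException {
        URL u = new URL(input);
        String host = u.getHost().toLowerCase();
        return !DENIED_HOSTS.contains(host);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed payloads; the first is caught by both checks, the rest only by the parsed one.
        String[] payloads = {
            "http://169.254.169.254/latest/meta-data/",
            "url:http://169.254.169.254/latest/meta-data/",   // "url:" prefix dropped by java.net.URL
            "URL:http://169.254.169.254/latest/meta-data/",   // prefix match is case-insensitive
            "  http://169.254.169.254/latest/meta-data/",     // leading whitespace trimmed by java.net.URL
        };
        for (String p : payloads) {
            URL parsed = new URL(p);
            System.out.printf("%-48s naive=%-5s parsed=%-5s host=%s%n",
                    "\"" + p + "\"", naiveFilterAllows(p), parsedFilterAllows(p), parsed.getHost());
        }
    }
}
```

The takeaway is that the check has to run on the URL as the fetching code will see it; any normalisation the parser performs (prefix stripping, whitespace trimming, case folding) happens after a string-level filter has already made its decision. Note that the java.net.URL(String) constructor is deprecated in recent JDKs but still exhibits this behaviour; java.net.URI does not strip a url: prefix.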
Escaping iframe in headless browser for SSRF
HTTPVoid published a writeup about escaping an iframe in a headless Chromium browser using an exploit to spoof the origin. This led to an SSRF in a website that generated screenshots from user-controlled data. It shows how sometimes you have to step away from web only...