Writeups

An interesting behaviour of nonce-based CSPs

This story of escalating an XSS on a live hacking event is really good and holds the tension better than many Netflix series, with the event time running out quickly. What was interesting to me was this trick with nonce-based scripts. When the website already has some...

SQL injection despite using prepared statements

Our main recommendation for developers to avoid SQL injections is to use prepared statements, ORMs or similar. However, just using them is not a guarantee of being secure. They must use them properly. In this post on the Sonarsource blog, researchers describe an SQL...

Encrypted Doesn’t Mean Authenticated: ShareFile RCE

A lot of you ask me how to learn code review. One of the best things you can do is to read all the blogposts on Assetnote and ask yourself “would I do the same in this situation?”. This time, Dylan Pindur described an RCE. However, the most time-consuming part was not...

Hunting for Nginx Alias Traversals in the wild

The off-by-slash vulnerability in nginx has been with us for many years. However, it turns out that you can still find old bugs like this in open-source projects by scanning GitHub. In this blogpost Daniel Matsumoto describes how, still in 2023, he was able to find this...

Abusing Client-Side Desync on Werkzeug

The client-side desync bug class got a bit forgotten since its release one year ago. But it's back in a great blogpost by Kevin Mizu. I liked how he also described the process of weaponizing the bug, which included finding an open redirect...

Hacking root EPP servers to take control of zones

When you see four names like Sam Curry, Brett Buerhaus, Rhys Elsmore, and Shubham Shah collaborating, you know their work will result in a serious threat to the Internet. It wasn't different this time, when they got the ability to control DNS zones in all of the...

Crazy client-side bug chain by @jub0bs

jub0bs wrote a blogpost with a crazy chain with almost every single client-side bug class. I especially liked how he was conscious of the permissive CORS policy so he stepped out-of-scope to find an XSS to exploit an in-scope domain. But you should definitely read the...