This story of escalating an XSS on a live hacking event is really good and holds the tension better than many Netflix series, with the event time running out quickly. What was interesting to me was this trick with nonce-based scripts. When the website already has some...
Writeups
SQL injection despite using prepared statements
Our main recommendation for developers to avoid SQL injections is to use prepared statements, ORMs or similar. However, just using them is not a guarantee of being secure. They must use them properly. In this post on the Sonarsource blog, researchers describe an SQL...
Encrypted Doesn’t Mean Authenticated: ShareFile RCE
A lot of you ask me how to learn code review. One of the best things you can do is to read all the blogposts on Assetnote and ask yourself “would I do the same in this situation?”. This time, Dylan Pindur described an RCE. However, the most time-consuming part was not...
Hunting for Nginx Alias Traversals in the wild
The off-by-slash vulnerability in nginx has been with us for many years. However, it turns out that you can still find old bugs like this in open-source projects by scanning GitHub. In this blog post, Daniel Matsumoto describes how, still in 2023, he was able to find this...
Abusing Client-Side Desync on Werkzeug
The client-side desync bug class has been somewhat forgotten since its release one year ago. But it’s back in a great blog post by Kevin Mizu. I liked how he also described the process of weaponizing the bug, which included finding an open redirect....
Hacking root EPP servers to take control of zones
When you see four names like Sam Curry, Brett Buerhaus, Rhys Elsmore, and Shubham Shah collaborating together, you know their work will result in a serious threat to the Internet. It wasn’t different this time, when they got the ability to control DNS zones in all of the...
Story of an RCE on Apple Through Hot Jar Swapping by Frans Rosen
Frans Rosen is one of the hunters whose reports I love the most. They are always at least somewhat novel and crazy. This time, he found an RCE on Apple and used a technique called hot jar swapping - he replaced an already loaded JAR file and walked on a very thin...
Crazy client-side bug chain by @jub0bs
jub0bs wrote a blog post with a crazy chain involving almost every single client-side bug class. I especially liked how he was conscious of the permissive CORS policy, so he stepped out of scope to find an XSS to exploit an in-scope domain. But you should definitely read the...
Booking.com OAuth account takeover writeup
Last year, my favorite vulnerability vectors were the new OAuth ones. I was quite surprised that we haven't seen more similar attacks. Recently, Aviad Carmel from Salt Security published a write-up of the OAuth account takeover in Booking.com which works similarly....
Two sides of cautiousness when looking for cache poisoning
This is a writeup I like and dislike at the same time. On a positive note, I’d like to highlight how AnkitCuriosity was cautious about not actually poisoning real users and invested several hours just to create a reliable cachebuster with which he could prove the bug...