Lately, a path traversal bug was discovered in Grafana. There’s a really good blog post about discovering the bug. https://j0vsec.com/post/cve-2021-43798/ You can also watch Nahamsec’s video about identifying and exploiting this bug:...
Writeups
Bonus: The best way to prove the impact😂
There’s quite a good report on Hackerone about account takeover in Flickr. But was there actually an account takeover? The triager kept insisting that the attacker logs in to their own account, thus it’s not a risk. The hunter claimed that he can log in to the victim’s...
Interesting bugs in Hubspot and Instapage
I’m a simple man - I see Sam Curry publishing a writeup, I read the writeup. This time it’s a short one about a couple of interesting bugs found in Hubspot and Instapage. It’s definitely worth reading because there are tricks that can be used in many different contexts....
Tricks used to find SSRFs in Websphere Portal
There’s a great writeup on the Assetnote blog about SSRFs. I read the whole blog post and I encourage you to do the same because we can learn a ton from hackers like Shubs. However, in case you don’t have the time, I extracted a few tricks from the article. To find the...
Most interesting bugs from Rails’ 18 years of history
Ruby on Rails is a gift from developers to hackers. I don’t consider it to be true, but it’s what I sometimes think when I see how Ruby enables some attacks by processing things differently than other technologies. Examples include GETs with bodies or using ; as...
Finding a Ruby deserialization gadget
Finding gadgets for deserialization bugs is not an easy task. But if you want to see how it’s done, check out this article by HTTPVoid about finding a deserialization bug in a recent version of Ruby and turning it into an RCE. Ruby Deserialization - Gadget on Rails
Prototype pollution in an XML-based format
Guilherme Keerok found a very interesting attack vector - prototype pollution inside an XML-based plist file. I don’t know about you, but I probably wouldn’t come up with this. When I’m thinking about prototype pollution, things that come to my mind are request...
Several critical vulnerabilities in GitHub Actions
A few issues ago, in BBRE Premium #22, in the article “Hacking GitHub Actions” I wrote “I think it’s quite a good niche to test GitHub Actions these days.” I’m happy to report that apparently I was right because in March, Cycode published an article about finding...
Hacking Google Drive integrations
Google Drive integrations are common among many apps that I use. It turns out that the integration is not so easy and it can lead to quite serious bugs, including this $17,576 SSRF in Dropbox. Here’s a writeup by @httpvoid0x2f...
&& instead of || leads to an RCE
The Assetnote blog is a gift that just keeps giving. This time, Shubs found a vulnerability that originated in a very simple mistake. In an if statement, the AND operator was used instead of the OR operator. This simple mistake led to an RCE in the Dynamicweb...