Vote
Score
Submited by
Vulnerability Class
Title
Description
Link
Score: 14
Submitted by: phosphore
Vulnerability class:
Stored Cross Site Scripting
Stored Cross Site Scripting
Description:
A stored XSS found on Google Scholar leveraging polymorphic images
A stored XSS found on Google Scholar leveraging polymorphic images
Link to writeup:
https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html
https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html
Link to summary:
Summary
Summary
Score: 7
Submitted by: securityteacher
Vulnerability class:
Firewall Bypass
Firewall Bypass
Title:
unleashed firmware flipper
unleashed firmware flipper
Description:
unleashed firmware flipper zero
unleashed firmware flipper zero
Link to summary:
Summary
Summary
Score: 6
Submitted by: quas
Vulnerability class:
XXE
XXE
Description:
On a recent bug bounty adventure, I came across an XML endpoint that responded interestingly to attempted XXE exploitation.
On a recent bug bounty adventure, I came across an XML endpoint that responded interestingly to attempted XXE exploitation.
Link to summary:
Summary
Summary
Score: 4
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
attackers can bypass the upload restriction on upload.twitter.com to cause XSS on ton.twitter.com and cache poisoning.
attackers can bypass the upload restriction on upload.twitter.com to cause XSS on ton.twitter.com and cache poisoning.
Link to writeup:
https://hackerone.com/reports/84601
https://hackerone.com/reports/84601
Link to summary:
Summary
Summary
Score: 3
Submitted by: Biscuit
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
Iām excited to share the story of how I was able to temper a parameter in HTTP request leads to final price manipulation.
Iām excited to share the story of how I was able to temper a parameter in HTTP request leads to final price manipulation.
Link to writeup:
https://medium.com/p/356c07a571e5
https://medium.com/p/356c07a571e5
Link to summary:
Summary
Summary
Score: 3
Submitted by: quas
Vulnerability class:
XXE
XXE
Description:
In this vlog il walk you through a BLIND XXE OOB over DNS bug on a super hardened target and teach you how to exploit it.
In this vlog il walk you through a BLIND XXE OOB over DNS bug on a super hardened target and teach you how to exploit it.
Link to writeup:
https://www.youtube.com/watch?v=f3SXDBMGGb8
https://www.youtube.com/watch?v=f3SXDBMGGb8
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
verification code leaked in password reset request
verification code leaked in password reset request
Link to writeup:
https://medium.com/p/9dd075133dce
https://medium.com/p/9dd075133dce
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Other
Other
Description:
If youāre a regular bug bounty hunter, you probably use Google Dorks to find juicy files or hidden directories. However, the main challenge with Google Dorks is the bulk variety and number of dorks available, which can be overwhelming and hard to remember. This complexity can make the process frustrating.
If youāre a regular bug bounty hunter, you probably use Google Dorks to find juicy files or hidden directories. However, the main challenge with Google Dorks is the bulk variety and number of dorks available, which can be overwhelming and hard to remember. This complexity can make the process frustrating.
Link to writeup:
https://medium.com/p/fd2612d7fde3
https://medium.com/p/fd2612d7fde3
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Description:
Today, Iām excited to share all the resource I documented and personally used to master IDOR Vulnerability, soo lessssss gooo!!!!!
Today, Iām excited to share all the resource I documented and personally used to master IDOR Vulnerability, soo lessssss gooo!!!!!
Link to writeup:
https://medium.com/p/84e44052f70c
https://medium.com/p/84e44052f70c
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Other
Other
Description:
Today, Iām excited to share all the resource I documented and personally used to master WordPress Pentesting soo lessssss gooo!!!!!
Today, Iām excited to share all the resource I documented and personally used to master WordPress Pentesting soo lessssss gooo!!!!!
Link to writeup:
https://medium.com/p/8309cbbe3756
https://medium.com/p/8309cbbe3756
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Other
Other
Description:
Today, Iām excited to share all the resource I documented and personally used to master WordPress Pentesting soo lessssss gooo!!!!!
Today, Iām excited to share all the resource I documented and personally used to master WordPress Pentesting soo lessssss gooo!!!!!
Link to writeup:
https://medium.com/p/423bc1e1ddef
https://medium.com/p/423bc1e1ddef
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Other
Other
Description:
Bug bounty hunting requires focus and persistence, but procrastination can easily get in the way. In this article, weāll discuss how to overcome distractions and stay productive to succeed in your bug bounty journey.
Bug bounty hunting requires focus and persistence, but procrastination can easily get in the way. In this article, weāll discuss how to overcome distractions and stay productive to succeed in your bug bounty journey.
Link to writeup:
https://medium.com/p/66fadc0a3ace
https://medium.com/p/66fadc0a3ace
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Other
Other
Title:
Bug Bounty VS Motivation
Bug Bounty VS Motivation
Description:
While many are inspired by stories of quick cash rewards, the reality can be challenging. This article looks at how motivation affects your success in this exciting field and why staying driven is key to achieving big wins.
While many are inspired by stories of quick cash rewards, the reality can be challenging. This article looks at how motivation affects your success in this exciting field and why staying driven is key to achieving big wins.
Link to writeup:
https://medium.com/p/27c3c37f2c28
https://medium.com/p/27c3c37f2c28
Link to summary:
Summary
Summary
Score: 2
Submitted by: Biscuit
Vulnerability class:
Firewall Bypass
Firewall Bypass
Description:
Top Browser Extensions Every Bug Bounty Hunter Needs
Top Browser Extensions Every Bug Bounty Hunter Needs
Link to writeup:
https://medium.com/p/f26d77bfc604
https://medium.com/p/f26d77bfc604
Link to summary:
Summary
Summary
Score: 2
Submitted by: Eduardo nuri
Vulnerability class:
Account Takeover
Account Takeover
Description:
Get the inside scoop on the NFT marketplace exploit that could have stolen your digital assets with just one click.
Get the inside scoop on the NFT marketplace exploit that could have stolen your digital assets with just one click.
Link to writeup:
https://www.permasecure.io/2023/03/03/how-your-nfts-could-have-been-stolen-in-just-one-click/
https://www.permasecure.io/2023/03/03/how-your-nfts-could-have-been-stolen-in-just-one-click/
Link to summary:
Summary
Summary
Score: 2
Submitted by: Hacklad
Vulnerability class:
Stored Cross Site Scripting
Stored Cross Site Scripting
Description:
I found a stored XSS bug that could allow an attacker to steal user email conversations, contacts in mail.ru and myMail iOS applications (version 12.2.1)
I found a stored XSS bug that could allow an attacker to steal user email conversations, contacts in mail.ru and myMail iOS applications (version 12.2.1)
Link to writeup:
https://medium.com/kminthein/story-of-stealing-mail-conversation-contacts-in-mail-ru-and-mymail-ios-applications-via-xss-1e49c4ed560
https://medium.com/kminthein/story-of-stealing-mail-conversation-contacts-in-mail-ru-and-mymail-ios-applications-via-xss-1e49c4ed560
Link to summary:
Summary
Summary
Score: 2
Submitted by: Hacklad
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Description:
Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way.
Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way.
Link to writeup:
https://blog.usejournal.com/a-less-known-attack-vector-second-order-idor-attacks-14468009781a
https://blog.usejournal.com/a-less-known-attack-vector-second-order-idor-attacks-14468009781a
Link to summary:
Summary
Summary
Score: 2
Submitted by: stefano
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Link to writeup:
http://artsploit.blogspot.com/2016/08/pprce2.html
http://artsploit.blogspot.com/2016/08/pprce2.html
Link to summary:
Summary
Summary
Score: 2
Submitted by: quas
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked.
An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked.
Link to summary:
Summary
Summary
Score: 2
Submitted by: quas
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
Two different cases of how I was able to exploit a CORS misconfiguration: The first case based on an XSS, and requires thinking outside of the scope, and the second is based on an advanced CORS exploitation technique.
Two different cases of how I was able to exploit a CORS misconfiguration: The first case based on an XSS, and requires thinking outside of the scope, and the second is based on an advanced CORS exploitation technique.
Link to writeup:
https://medium.com/@sandh0t/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397
https://medium.com/@sandh0t/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397
Link to summary:
Summary
Summary
Score: 2
Submitted by: quas
Vulnerability class:
Stored Cross Site Scripting
Stored Cross Site Scripting
Description:
In mid-2018, I found a stored XSS on Twitter in the least likely place you could think of. Yes, right in the tweet! But what makes this XSS so special is that it had the potential to be turned into a fully-fledged XSS worm.
In mid-2018, I found a stored XSS on Twitter in the least likely place you could think of. Yes, right in the tweet! But what makes this XSS so special is that it had the potential to be turned into a fully-fledged XSS worm.
Link to writeup:
https://www.virtuesecurity.com/tale-of-a-wormable-twitter-xss/
https://www.virtuesecurity.com/tale-of-a-wormable-twitter-xss/
Link to summary:
Summary
Summary
Score: 2
Submitted by: quas
Vulnerability class:
Remote File Inclusion
Remote File Inclusion
Description:
Exploiting Remote File Inclusion (RFI) vulnerability in PHP applications which is vulnerable to "File Inclusion attack". We will bypass the Remote URL inclusion restriction and perform the exploitation of RFI even if PHP environment is configured not to include files from remote HTTP/FTP URL.
Exploiting Remote File Inclusion (RFI) vulnerability in PHP applications which is vulnerable to "File Inclusion attack". We will bypass the Remote URL inclusion restriction and perform the exploitation of RFI even if PHP environment is configured not to include files from remote HTTP/FTP URL.
Link to writeup:
http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
Link to summary:
Summary
Summary
Score: 1
Submitted by: Take your money napodargikot.blogspot.com YM
Vulnerability class:
DOM Cross Site Scripting
DOM Cross Site Scripting
Title:
PovertĆ nel mondo
PovertĆ nel mondo
Description:
Cosa stĆ facendo la chiesa realmente per le popolazioni ridotte in povertĆ , e nella fame assoluta, per quanto mi riguarda nulla, a sempre accumulato ricchezze, in gran segreto, con la consapevolezza che ci sono popoli che muoiono di fame, e sensa vergogma incitano alla pace ,e prosperitĆ nei confronti dei popoli che soffrono.
Cosa stĆ facendo la chiesa realmente per le popolazioni ridotte in povertĆ , e nella fame assoluta, per quanto mi riguarda nulla, a sempre accumulato ricchezze, in gran segreto, con la consapevolezza che ci sono popoli che muoiono di fame, e sensa vergogma incitano alla pace ,e prosperitĆ nei confronti dei popoli che soffrono.
Link to writeup:
https://wwwsaputelli.it
https://wwwsaputelli.it
Link to summary:
Summary
Summary
Score: 1
Submitted by: Take your money napodargikot.blogspot.com YM
Vulnerability class:
DOM Cross Site Scripting
DOM Cross Site Scripting
Description:
MENEFRECHISMO DELLA CASTA MONDIALE
MENEFRECHISMO DELLA CASTA MONDIALE
Link to writeup:
https://wwwsaputelli.it
https://wwwsaputelli.it
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Description:
If you have doubts about the Content-Type header, you are right. There is only a minor imperfection here: the header is missing a charset attribute. This does not sound like a big deal, however, this blog post will explain how attackers can exploit this to inject arbitrary JavaScript code into a website by consciously changing the character set that the browser assumes. This blog post's content was also presented at the TROOPERS24 conference. We will add a link to the recording as soon as it is available and let you know on X/Twitter and Mastodon.
If you have doubts about the Content-Type header, you are right. There is only a minor imperfection here: the header is missing a charset attribute. This does not sound like a big deal, however, this blog post will explain how attackers can exploit this to inject arbitrary JavaScript code into a website by consciously changing the character set that the browser assumes. This blog post's content was also presented at the TROOPERS24 conference. We will add a link to the recording as soon as it is available and let you know on X/Twitter and Mastodon.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Various Vulnerabilities
Various Vulnerabilities
Description:
ServiceNow is a platform for business transformation. Through their modules, ServiceNow can be used for anything ranging from HR and employee management, to automation workflows, or as a knowledge-base. We began security research into this platform for several reasons, which together make ServiceNow a potentially attractive target: Since most companies choose to go with ServiceNow's cloud offering, these cloud-based instances are typically externally accessible.ā With ServiceNow, customers can choose to host sensitive data, such as employee and HR records. Since ServiceNow is typically cloud-hosted but requires access to data from a company's internal network, it's common to configure ServiceNow with a proxy server. This proxy server is known as a "MID Server" and sits inside a company's internal network. Due to the design of ServiceNow, administrator access on a ServiceNow instance leads to command execution on the MID Server, so the impacts of an authentication bypass are typically quite serious. Through the course of three to four weeks, we were able to find a chain of vulnerabilities that allows full database access and full access to any MID servers configured. The following CVEs were assigned for these issues: ā CVE-2024-4879 CVE-2024-5178 CVE-2024-5217
ServiceNow is a platform for business transformation. Through their modules, ServiceNow can be used for anything ranging from HR and employee management, to automation workflows, or as a knowledge-base. We began security research into this platform for several reasons, which together make ServiceNow a potentially attractive target: Since most companies choose to go with ServiceNow's cloud offering, these cloud-based instances are typically externally accessible.ā With ServiceNow, customers can choose to host sensitive data, such as employee and HR records. Since ServiceNow is typically cloud-hosted but requires access to data from a company's internal network, it's common to configure ServiceNow with a proxy server. This proxy server is known as a "MID Server" and sits inside a company's internal network. Due to the design of ServiceNow, administrator access on a ServiceNow instance leads to command execution on the MID Server, so the impacts of an authentication bypass are typically quite serious. Through the course of three to four weeks, we were able to find a chain of vulnerabilities that allows full database access and full access to any MID servers configured. The following CVEs were assigned for these issues: ā CVE-2024-4879 CVE-2024-5178 CVE-2024-5217
Link to writeup:
https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
XXE
XXE
Description:
Magento is one of the most popular e-commerce solutions in use on the internet. It's estimated that there are over 140,000 instances of Magento running as of late 2023. Adobe's most recent advisory for Adobe Commerce / Magento, published on June 11th, 2024 highlighted a critical, pre-authentication XML entity injection issue (CVE-2024-34102) which Adobe rated as CVSS 9.8. It was quite surprising to us that no public proof-of-concept existed at the time of us reading the advisory. Given the criticality of this issue and in order to provide customers of our Attack Surface Management Platform certainty around the exploitability of this issue, our security research team developed a proof-of-concept, well before our customers could be exploited by malicious actors.
Magento is one of the most popular e-commerce solutions in use on the internet. It's estimated that there are over 140,000 instances of Magento running as of late 2023. Adobe's most recent advisory for Adobe Commerce / Magento, published on June 11th, 2024 highlighted a critical, pre-authentication XML entity injection issue (CVE-2024-34102) which Adobe rated as CVSS 9.8. It was quite surprising to us that no public proof-of-concept existed at the time of us reading the advisory. Given the criticality of this issue and in order to provide customers of our Attack Surface Management Platform certainty around the exploitability of this issue, our security research team developed a proof-of-concept, well before our customers could be exploited by malicious actors.
Link to writeup:
https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102
https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
JavaScript Analysis
JavaScript Analysis
Description:
Hacking the web often means you need data. A lot of that data is in JavaScript, but JavaScript is a hot mess. Let's take a look at some tools and tricks to make some sense of that mess, build hyper-focused wordlists, and find the deepest, darkest nooks and crannies of web applications without reading megabytes of source code.
Hacking the web often means you need data. A lot of that data is in JavaScript, but JavaScript is a hot mess. Let's take a look at some tools and tricks to make some sense of that mess, build hyper-focused wordlists, and find the deepest, darkest nooks and crannies of web applications without reading megabytes of source code.
Link to writeup:
https://www.youtube.com/watch?v=6zgMglfSZkI
https://www.youtube.com/watch?v=6zgMglfSZkI
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
AI Assisted Hacking
AI Assisted Hacking
Description:
There's a lot of hype around AI at the moment. Join Jason Haddix (@jhaddix) as he cuts through all the BS to show you 5 practical ways to use AI to supercharge your bounty hunting RIGHT NOW. Jason will cover AI for Recon, JavaScript analysis, Vulnerabilty Discovery, Payload Generation, and Reporting.
There's a lot of hype around AI at the moment. Join Jason Haddix (@jhaddix) as he cuts through all the BS to show you 5 practical ways to use AI to supercharge your bounty hunting RIGHT NOW. Jason will cover AI for Recon, JavaScript analysis, Vulnerabilty Discovery, Payload Generation, and Reporting.
Link to writeup:
https://www.youtube.com/watch?v=DqgterfPHzg
https://www.youtube.com/watch?v=DqgterfPHzg
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
JavaScript Analysis
JavaScript Analysis
Description:
I am a big fan of sticking to one program and learning as much as possible and diving in deep, so in this talk I will discuss the importance of hunting through .js files to look for more endpoints and interesting code which can potentially help you discover even more bugs.
I am a big fan of sticking to one program and learning as much as possible and diving in deep, so in this talk I will discuss the importance of hunting through .js files to look for more endpoints and interesting code which can potentially help you discover even more bugs.
Link to writeup:
https://www.youtube.com/watch?v=fQoxjBwQZUA
https://www.youtube.com/watch?v=fQoxjBwQZUA
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Various Vulnerabilities
Various Vulnerabilities
Description:
In this blog post, we will tell the tale of how we were able to chain two completely useless XSS vulnerabilities into a persistent nightmare, which allowed us to hijack user sessions by stealing authorization codes with OAuth Dirty Dancing, and hijack trusted browser permissions to silently turn on webcams and microphones on web-based Zoom. As a bonus denial of service technique, we will also show how it is possible to use a normal XSS to perform what we call a āWAF Frame-Upā, where we trick the WAF into identifying our victim as a malicious user. This finding, exploit and writeup was a thanks to a team-effort between Sudi, BrunoZero and H4R3L. We reported this vulnerability to Zoom via their bug bounty program on 10/02/23, and were rewarded with a $15k bounty. The vulnerability fully patched by Zoom and verified by our team on 01/01/2024.
In this blog post, we will tell the tale of how we were able to chain two completely useless XSS vulnerabilities into a persistent nightmare, which allowed us to hijack user sessions by stealing authorization codes with OAuth Dirty Dancing, and hijack trusted browser permissions to silently turn on webcams and microphones on web-based Zoom. As a bonus denial of service technique, we will also show how it is possible to use a normal XSS to perform what we call a āWAF Frame-Upā, where we trick the WAF into identifying our victim as a malicious user. This finding, exploit and writeup was a thanks to a team-effort between Sudi, BrunoZero and H4R3L. We reported this vulnerability to Zoom via their bug bounty program on 10/02/23, and were rewarded with a $15k bounty. The vulnerability fully patched by Zoom and verified by our team on 01/01/2024.
Link to writeup:
https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html
https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Insecure Deserialization / Jolokia RCE
Insecure Deserialization / Jolokia RCE
Title:
Descubriendo tesoros ocultos en el mundo Java - AndrĆ©s GĆ³mez // Bug Bounty Village - Ekoparty 2023
Descubriendo tesoros ocultos en el mundo Java - AndrĆ©s GĆ³mez // Bug Bounty Village - Ekoparty 2023
Description:
Descubriendo tesoros ocultos en el mundo Java Como Bonus, voy a estar liberando un repo de una tool, que sirve incluso a nivel corporativo. Hace todo el proceso de recon, detecciĆ³n y explotaciĆ³n de vulnerabilidades. Se integra a slack para notificaciones, a ELK para reportes e histĆ³ricos y a GitHub Actions con terraform para CI/CD disminuyendo tiempos de despliegue y costos de recursos (servidores, VPS, etc).
Descubriendo tesoros ocultos en el mundo Java Como Bonus, voy a estar liberando un repo de una tool, que sirve incluso a nivel corporativo. Hace todo el proceso de recon, detecciĆ³n y explotaciĆ³n de vulnerabilidades. Se integra a slack para notificaciones, a ELK para reportes e histĆ³ricos y a GitHub Actions con terraform para CI/CD disminuyendo tiempos de despliegue y costos de recursos (servidores, VPS, etc).
Link to writeup:
https://www.youtube.com/watch?v=sMfoCWLbTzY
https://www.youtube.com/watch?v=sMfoCWLbTzY
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
GenAI, LLM
GenAI, LLM
Description:
What happens in Vegas doesnāt always stay in Vegas, especially when it involves uncovering vulnerabilities in Google's systems. The story you are about to read starts in Las Vegas at the Venetian Hotel, travels to the heart of Tokyo, and finally ends in France. Joseph "rez0" Thacker, Justin "Rhynorater" Gardner and I, Roni "Lupin" Carta collaborated together to hack on Google's latest Bug Bounty Events, the LLM bugSWAT. Generative Artificial Intelligence (GenAI) and Large Language Models (LLM) have been the center of discussion for the past year. When GPT was released, OpenAI opened the gate for LLM usage in the tech ecosystem. Companies like Meta, Microsoft, and Google are all trying to compete in this brand new paradigm of LLMs. While some are skeptical on the usage of these technologies, others didn't hesitate to use their infrastructure for LLMs. New kind of assistants, classifiers etc... emerged trying to ease and automate a lot of human processes. However, it seems that in the journey, most of the companies forgot all their basic security principles, thus introducing new kinds of security issues. This new field of AI security testing is an interesting area of research, and Google understood that really early on. Their goal is to have an efficient Security Red Teaming process when using AIs in their product, and it is why their Bug Bounty team ran the event "LLM bugSWAT". They challenged researchers from all around the world to try to find vulnerabilities that they hadn't identified themselves.
What happens in Vegas doesnāt always stay in Vegas, especially when it involves uncovering vulnerabilities in Google's systems. The story you are about to read starts in Las Vegas at the Venetian Hotel, travels to the heart of Tokyo, and finally ends in France. Joseph "rez0" Thacker, Justin "Rhynorater" Gardner and I, Roni "Lupin" Carta collaborated together to hack on Google's latest Bug Bounty Events, the LLM bugSWAT. Generative Artificial Intelligence (GenAI) and Large Language Models (LLM) have been the center of discussion for the past year. When GPT was released, OpenAI opened the gate for LLM usage in the tech ecosystem. Companies like Meta, Microsoft, and Google are all trying to compete in this brand new paradigm of LLMs. While some are skeptical on the usage of these technologies, others didn't hesitate to use their infrastructure for LLMs. New kind of assistants, classifiers etc... emerged trying to ease and automate a lot of human processes. However, it seems that in the journey, most of the companies forgot all their basic security principles, thus introducing new kinds of security issues. This new field of AI security testing is an interesting area of research, and Google understood that really early on. Their goal is to have an efficient Security Red Teaming process when using AIs in their product, and it is why their Bug Bounty team ran the event "LLM bugSWAT". They challenged researchers from all around the world to try to find vulnerabilities that they hadn't identified themselves.
Link to writeup:
https://www.landh.tech/blog/20240304-google-hack-50000/
https://www.landh.tech/blog/20240304-google-hack-50000/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Cache Poisoning
Cache Poisoning
Description:
In the world of software development, we often take for granted the security and reliability of the tools and platforms we rely on daily. We assume that the packages we download and the registries we use are safe and trustworthy. However, at Lupin & Holmes we've recently discovered a Cache Poisoning Attack on the npm registry, one of the largest package registry for JavaScript, potentially exposing the fragility of our Software Supply Chains and the potential for widespread disruption. The npm registry is a critical component of the JavaScript ecosystem, serving as a central repository for over 2.1 million packages and relied upon by more than 17 million developers worldwide. It has become an indispensable resource, enabling them to easily share, reuse, and manage dependencies in their projects. With millions of downloads per day, the npm registry is the backbone of countless applications and websites. In this article, we will discuss the details of the cache poisoning attack on npm and explore its potential impact on the broader software ecosystem. By disclosing publicly this vulnerability, we aim to show the importance of security and availability in our Software Supply Chains.
In the world of software development, we often take for granted the security and reliability of the tools and platforms we rely on daily. We assume that the packages we download and the registries we use are safe and trustworthy. However, at Lupin & Holmes we've recently discovered a Cache Poisoning Attack on the npm registry, one of the largest package registry for JavaScript, potentially exposing the fragility of our Software Supply Chains and the potential for widespread disruption. The npm registry is a critical component of the JavaScript ecosystem, serving as a central repository for over 2.1 million packages and relied upon by more than 17 million developers worldwide. It has become an indispensable resource, enabling them to easily share, reuse, and manage dependencies in their projects. With millions of downloads per day, the npm registry is the backbone of countless applications and websites. In this article, we will discuss the details of the cache poisoning attack on npm and explore its potential impact on the broader software ecosystem. By disclosing publicly this vulnerability, we aim to show the importance of security and availability in our Software Supply Chains.
Link to writeup:
https://www.landh.tech/blog/20240603-npm-cache-poisoning/
https://www.landh.tech/blog/20240603-npm-cache-poisoning/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Sandwich Attack
Sandwich Attack
Description:
In this article, I detail my research into time-based secrets. This research began for me a year ago, following a finding during a Bug bounty program, and enabled me to take the time to implement my Python tool: āReset Tolkienā.
In this article, I detail my research into time-based secrets. This research began for me a year ago, following a finding during a Bug bounty program, and enabled me to take the time to implement my Python tool: āReset Tolkienā.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Android Security
Android Security
Description:
Developers for Android do a lot of work with files and exchange them with other apps, for example, to get photos, images, or user data. Developers often make typical mistakes that allow an attacker to gain access to the appās internal files, which store sensitive data. This article describes the most typical mistakes developers make and gives the best advice on how to fix them. We will also show how Oversecured can discover all these types of errors. Do you want to check your mobile apps for these types of vulnerabilities? Oversecuredās mobile app scanner provides an automatic solution that helps to detect vulnerabilities in Android and iOS mobile apps. You can integrate Oversecured into your development process and check every new line of your code to ensure your users are always protected. Start securing your apps by starting a free 2-week trial from Quick Start, or you can book a call with our team or contact us to explore further. We also give all new users two free scans, so they can check any apps for vulnerabilities! You can do this on the New Scan page.
Developers for Android do a lot of work with files and exchange them with other apps, for example, to get photos, images, or user data. Developers often make typical mistakes that allow an attacker to gain access to the appās internal files, which store sensitive data. This article describes the most typical mistakes developers make and gives the best advice on how to fix them. We will also show how Oversecured can discover all these types of errors. Do you want to check your mobile apps for these types of vulnerabilities? Oversecuredās mobile app scanner provides an automatic solution that helps to detect vulnerabilities in Android and iOS mobile apps. You can integrate Oversecured into your development process and check every new line of your code to ensure your users are always protected. Start securing your apps by starting a free 2-week trial from Quick Start, or you can book a call with our team or contact us to explore further. We also give all new users two free scans, so they can check any apps for vulnerabilities! You can do this on the New Scan page.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Modem Hacking
Modem Hacking
Description:
Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server: python3 -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... Once the webserver was running, I sent a cURL request from my home computer to make sure that it could receive external HTTP requests: curl "http://54.156.88.125:8000/test123" Just a few seconds later, I saw the following log: 98.161.24.100 - [16:32:12] "GET /test123 HTTP/1.1" Perfect, this meant that I was able to receive network traffic on the box. Everything seemed good to go, but right as I switched back to exploiting the vulnerability, something very unexpected appeared in my log file: 98.161.24.100 - [16:32:12] "GET /test123 HTTP/1.1" 159.65.76.209 - [16:32:22] "GET /test123 HTTP/1.1" An unknown IP address had replayed the exact same HTTP request just 10 seconds later. "Wow, thatās seriously weird," I thought. Somewhere, between my home network and the AWS box, someone had intercepted and replayed my HTTP traffic. This traffic should not be accessible. There is no intermediary between these two systems who should be seeing this. My immediate thought was that my computer had been hacked and that the hacker was actively monitoring my traffic. To check if the same behavior occured on a different device, I pulled out my iPhone and typed in the URL into Safari. I sent the request, then peaked at my log file: 98.161.24.100 - [16:34:04] "GET /uhhhh HTTP/1.1" 159.65.76.209 - [16:34:16] "GET /uhhhh HTTP/1.1" The same unknown IP address had intercepted and replayed both HTTP requests from my computer and iPhone. Somehow, someone was intercepting and replaying the web traffic from likely every single device on my home network. Panicked, I spun up a new AWS box running Nginx to make sure that the original instance hadn't been compromised somehow. sudo service nginx start tail -f /var/log/nginx/access.log I opened the URL once again from my iPhone and saw the exact same logs: 98.161.24.100 - [16:44:04] "GET /whatisgoingon1234 HTTP/1.1" 159.65.76.209 - [16:44:12] "GET /whatisgoingon1234 HTTP/1.1" Through what could only be my ISP, modem, or AWS being compromised, someone was intercepting and replaying my HTTP traffic immediately after I'd sent it. To eliminate the absurd idea that AWS had been compromised, I spun up a box on GCP instead and observed the same unknown IP address replaying my HTTP requests. It wasnāt AWS. The only real option left was that my modem had been hacked, but who was the attacker? I queried the owner of the IP address and found that it belonged to DigitalOcean. Strange. That definitely didn't belong to my ISP.
Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server: python3 -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... Once the webserver was running, I sent a cURL request from my home computer to make sure that it could receive external HTTP requests: curl "http://54.156.88.125:8000/test123" Just a few seconds later, I saw the following log: 98.161.24.100 - [16:32:12] "GET /test123 HTTP/1.1" Perfect, this meant that I was able to receive network traffic on the box. Everything seemed good to go, but right as I switched back to exploiting the vulnerability, something very unexpected appeared in my log file: 98.161.24.100 - [16:32:12] "GET /test123 HTTP/1.1" 159.65.76.209 - [16:32:22] "GET /test123 HTTP/1.1" An unknown IP address had replayed the exact same HTTP request just 10 seconds later. "Wow, thatās seriously weird," I thought. Somewhere, between my home network and the AWS box, someone had intercepted and replayed my HTTP traffic. This traffic should not be accessible. There is no intermediary between these two systems who should be seeing this. My immediate thought was that my computer had been hacked and that the hacker was actively monitoring my traffic. To check if the same behavior occured on a different device, I pulled out my iPhone and typed in the URL into Safari. I sent the request, then peaked at my log file: 98.161.24.100 - [16:34:04] "GET /uhhhh HTTP/1.1" 159.65.76.209 - [16:34:16] "GET /uhhhh HTTP/1.1" The same unknown IP address had intercepted and replayed both HTTP requests from my computer and iPhone. Somehow, someone was intercepting and replaying the web traffic from likely every single device on my home network. Panicked, I spun up a new AWS box running Nginx to make sure that the original instance hadn't been compromised somehow. sudo service nginx start tail -f /var/log/nginx/access.log I opened the URL once again from my iPhone and saw the exact same logs: 98.161.24.100 - [16:44:04] "GET /whatisgoingon1234 HTTP/1.1" 159.65.76.209 - [16:44:12] "GET /whatisgoingon1234 HTTP/1.1" Through what could only be my ISP, modem, or AWS being compromised, someone was intercepting and replaying my HTTP traffic immediately after I'd sent it. To eliminate the absurd idea that AWS had been compromised, I spun up a box on GCP instead and observed the same unknown IP address replaying my HTTP requests. It wasnāt AWS. The only real option left was that my modem had been hacked, but who was the attacker? I queried the owner of the IP address and found that it belonged to DigitalOcean. Strange. That definitely didn't belong to my ISP.
Link to writeup:
https://samcurry.net/hacking-millions-of-modems
https://samcurry.net/hacking-millions-of-modems
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
XSS
XSS
Description:
"This is a writeup describing the solution to a small XSS challenge I posted on Twitter in May 2024" by Johan Carlsson. The challange page https://sandbox-iframe-ctf.glitch.me allows for arbitrary HTML in the search parameter xss as a Base64 encoded string. The HTML will be put inside a sandboxed iframe on the same page. The page will also add a flag to the hash portion of the URL upon visiting the site. The mission was to leak this flag in the hash and show the value in an alert box.
"This is a writeup describing the solution to a small XSS challenge I posted on Twitter in May 2024" by Johan Carlsson. The challange page https://sandbox-iframe-ctf.glitch.me allows for arbitrary HTML in the search parameter xss as a Base64 encoded string. The HTML will be put inside a sandboxed iframe on the same page. The page will also add a flag to the hash portion of the URL upon visiting the site. The mission was to leak this flag in the hash and show the value in an alert box.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
XSS
XSS
Description:
Mitigations assume that blocking dangerous tags & attributes stops XSS. Is this true when building an application with a modern JS framework?
Mitigations assume that blocking dangerous tags & attributes stops XSS. Is this true when building an application with a modern JS framework?
Link to writeup:
http://sebastian-lekies.de/slides/appsec2017.pdf
http://sebastian-lekies.de/slides/appsec2017.pdf
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
DOM Clobbering
DOM Clobbering
Description:
Do you know that things in the DOM can affect the window? This behavior is something I accidentally learned a few years ago in a front-end community on Facebook, that is, after you set an element with an id in HTML, you can directly access it in JS
Do you know that things in the DOM can affect the window? This behavior is something I accidentally learned a few years ago in a front-end community on Facebook, that is, after you set an element with an id in HTML, you can directly access it in JS
Link to writeup:
https://blog.huli.tw/2021/01/23/en/dom-clobbering/
https://blog.huli.tw/2021/01/23/en/dom-clobbering/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Stored Cross Site Scripting
Stored Cross Site Scripting
Description:
This post details CVE-2024-4367, a vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (<126) because PDF.js is used by Firefox to show PDF files, but also seriously impacts many web- and Electron-based applications that (indirectly) use PDF.js for preview functionality.
This post details CVE-2024-4367, a vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (<126) because PDF.js is used by Firefox to show PDF files, but also seriously impacts many web- and Electron-based applications that (indirectly) use PDF.js for preview functionality.
Link to writeup:
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
CORS / SOP
CORS / SOP
Description:
If you want to generate a new window on a webpage, there are probably only two options: one is to embed resources on the same page using tags such as iframe, embed, and object, and the other is to use window.open to open a new window. As a front-end developer, I believe that everyone is familiar with these. You may have used iframe to embed third-party web pages or widgets, or used window.open to open a new window and communicate with the original window through window.opener. However, from a security perspective, there are many interesting things about iframes, which often appear in the real world or in CTF competitions. Therefore, I want to record some of the features I learned recently through this article.
If you want to generate a new window on a webpage, there are probably only two options: one is to embed resources on the same page using tags such as iframe, embed, and object, and the other is to use window.open to open a new window. As a front-end developer, I believe that everyone is familiar with these. You may have used iframe to embed third-party web pages or widgets, or used window.open to open a new window and communicate with the original window through window.opener. However, from a security perspective, there are many interesting things about iframes, which often appear in the real world or in CTF competitions. Therefore, I want to record some of the features I learned recently through this article.
Link to writeup:
https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/
https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
OSINT - Bug Bounty
OSINT - Bug Bounty
Description:
List of bug bounty targets and their scopes, subdomains and endpoints.
List of bug bounty targets and their scopes, subdomains and endpoints.
Link to writeup:
https://huntdash.xyz/
https://huntdash.xyz/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
NextJS, which despite often being used for serving simple static content, has a plethora of server side features enabled by default. At Assetnote, we encounter sites running NextJS extremely often; in this blog post we will detail some common misconfigurations we find in NextJS websites, along with a vulnerability we found in the framework.
NextJS, which despite often being used for serving simple static content, has a plethora of server side features enabled by default. At Assetnote, we encounter sites running NextJS extremely often; in this blog post we will detail some common misconfigurations we find in NextJS websites, along with a vulnerability we found in the framework.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Firewall Bypass
Firewall Bypass
Description:
Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers websites, rendering the protection mechanism ineffective.
Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers websites, rendering the protection mechanism ineffective.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Firewall Bypass
Firewall Bypass
Description:
Donāt let a WAF stop you!
Donāt let a WAF stop you!
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Jasper JRXML Report Template Injection
Jasper JRXML Report Template Injection
Description:
The purpose of JasperReports is to pull in data from various sources (databases, xml, flat files, etcā¦), aggregate it in some way, and spit out a pretty report based on some sort of user-defined template. Templates in JasperReports are defined in āJRXMLā files that can be uploaded by any user allowed to create or edit reports.
The purpose of JasperReports is to pull in data from various sources (databases, xml, flat files, etcā¦), aggregate it in some way, and spit out a pretty report based on some sort of user-defined template. Templates in JasperReports are defined in āJRXMLā files that can be uploaded by any user allowed to create or edit reports.
Link to writeup:
https://foxglovesecurity.com/2016/10/14/hacking-jasperreports-the-hidden-shell-feature/
https://foxglovesecurity.com/2016/10/14/hacking-jasperreports-the-hidden-shell-feature/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Inspirational talk
Inspirational talk
Description:
There are a lot of illusions and misconceptions around the bug bounty industry. Is it too late to join? Are all the vulnerabilities already found? Is everything automated nowadays so there's no way to be late to the party? Frans and Mathias have been in the mythical world of bounties for a few years and will share their thoughts and ideas on how to actually approach it technically, methodologically and mentally. And also, how to use bug bounties for your own advantage, to improve your career and to increase your pentesting and vulnerability hunting skills.
There are a lot of illusions and misconceptions around the bug bounty industry. Is it too late to join? Are all the vulnerabilities already found? Is everything automated nowadays so there's no way to be late to the party? Frans and Mathias have been in the mythical world of bounties for a few years and will share their thoughts and ideas on how to actually approach it technically, methodologically and mentally. And also, how to use bug bounties for your own advantage, to improve your career and to increase your pentesting and vulnerability hunting skills.
Link to writeup:
https://www.youtube.com/watch?v=WTH6f0R7uzo
https://www.youtube.com/watch?v=WTH6f0R7uzo
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Various Vulnerabilities
Various Vulnerabilities
Description:
EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE
EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE
Link to writeup:
https://www.blackhat.com/docs/us-17/wednesday/us-17-Kettle-Cracking-The-Lens-Exploiting-HTTPs-Hidden-Attack-Surface.pdf
https://www.blackhat.com/docs/us-17/wednesday/us-17-Kettle-Cracking-The-Lens-Exploiting-HTTPs-Hidden-Attack-Surface.pdf
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Charset Blogpost
Charset Blogpost
Description:
Ever wonder about that mysterious Content-Type tag? You know, the one youāre supposed to put in HTML and you never quite know what it should be?
Ever wonder about that mysterious Content-Type tag? You know, the one youāre supposed to put in HTML and you never quite know what it should be?
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
OAuth Account Takeover
OAuth Account Takeover
Description:
Hackers could take over millions of accounts on Grammarly, Vidio and Bukalapak. The issue was fixed but users at other websites could still be at risk.
Hackers could take over millions of accounts on Grammarly, Vidio and Bukalapak. The issue was fixed but users at other websites could still be at risk.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
We showcase an attack which leverages indirect prompt injection to trick Auto-GPT into executing arbitrary code when it is asked to perform a seemingly harmless task such as text summarization on an attacker controlled website
We showcase an attack which leverages indirect prompt injection to trick Auto-GPT into executing arbitrary code when it is asked to perform a seemingly harmless task such as text summarization on an attacker controlled website
Link to writeup:
https://positive.security/blog/auto-gpt-rce
https://positive.security/blog/auto-gpt-rce
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
As discussed in many of our articles, you already know that WordPress and related plugins are taking up a large space in the global attack surface we are monitoring for our customers. Discovering always new methods and techniques to exploit potential flaws on these technologies allows us to be pro-active and try to maintain an advantage over potential attackers. The vulnerability described below is a perfect example of that proactivity: we promptly alerted all our customers who were using the vulnerable plugins, even before the fix for the vulnerability became available (in most cases, our clients either disabled the plugin or implemented a custom fix provided by us).
As discussed in many of our articles, you already know that WordPress and related plugins are taking up a large space in the global attack surface we are monitoring for our customers. Discovering always new methods and techniques to exploit potential flaws on these technologies allows us to be pro-active and try to maintain an advantage over potential attackers. The vulnerability described below is a perfect example of that proactivity: we promptly alerted all our customers who were using the vulnerable plugins, even before the fix for the vulnerability became available (in most cases, our clients either disabled the plugin or implemented a custom fix provided by us).
Link to writeup:
https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Description:
As I roam the city in my car, nearby players are attempting to play the music from the URL being broadcasted by my car. Since this "URL" is a maliciously crafted payload, they are instead connecting to my websocket awaiting further command.
As I roam the city in my car, nearby players are attempting to play the music from the URL being broadcasted by my car. Since this "URL" is a maliciously crafted payload, they are instead connecting to my websocket awaiting further command.
Link to writeup:
https://www.nullpt.rs/hacking-gta-servers-using-web-exploitation
https://www.nullpt.rs/hacking-gta-servers-using-web-exploitation
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Account Takeover due to use of UUIDv1
Account Takeover due to use of UUIDv1
Description:
In this article we are going to talk about a technique called the "Sandwich Attack" and how we used it to get a 0 Click Account Take Over (ATO). In fact, I have had the pleasure of presenting this vulnerability at the HacktivityCon 2022 in Las Vegas and on the French Channel Underscore_
In this article we are going to talk about a technique called the "Sandwich Attack" and how we used it to get a 0 Click Account Take Over (ATO). In fact, I have had the pleasure of presenting this vulnerability at the HacktivityCon 2022 in Las Vegas and on the French Channel Underscore_
Link to writeup:
https://www.landh.tech/blog/20230811-sandwich-attack/
https://www.landh.tech/blog/20230811-sandwich-attack/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Multiple Vulnerabilities
Multiple Vulnerabilities
Description:
Between March 2023 and May 2023, we identified multiple security vulnerabilities within points.com, the backend provider for a significant portion of airline and hotel rewards programs. These vulnerabilities would have enabled an attacker to access sensitive customer account information, including names, billing addresses, redacted credit card details, emails, phone numbers, and transaction records. Moreover, the attacker could exploit these vulnerabilities to perform actions such as transferring points from customer accounts and gaining unauthorized access to a global administrator website. This unauthorized access would grant the attacker full permissions to issue reward points, manage rewards programs, oversee customer accounts, and execute various administrative functions.
Between March 2023 and May 2023, we identified multiple security vulnerabilities within points.com, the backend provider for a significant portion of airline and hotel rewards programs. These vulnerabilities would have enabled an attacker to access sensitive customer account information, including names, billing addresses, redacted credit card details, emails, phone numbers, and transaction records. Moreover, the attacker could exploit these vulnerabilities to perform actions such as transferring points from customer accounts and gaining unauthorized access to a global administrator website. This unauthorized access would grant the attacker full permissions to issue reward points, manage rewards programs, oversee customer accounts, and execute various administrative functions.
Link to writeup:
https://samcurry.net/points-com/
https://samcurry.net/points-com/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Account Takeover
Account Takeover
Description:
During the recent Ambassador World Cup held by HackerOne, we identified an account takeover vulnerability in Shopify affecting a subset of Shopifyās Shop users. A successful exploit would have allowed attackers to takeover accounts of Shopās users in public Shopify stores allowing access to order history and shipping addresses. Shopify recently introduced Shop Pay within the Shop application. Shop Pay allows users to easily purchase items in most Shopify stores by storing their payment information in their Shop account. However, Shop accounts, by default, do not have Shop Pay enabled. Users must manually enable this feature in their Shop settings or when purchasing an item from a store that supports Shop Pay.
During the recent Ambassador World Cup held by HackerOne, we identified an account takeover vulnerability in Shopify affecting a subset of Shopifyās Shop users. A successful exploit would have allowed attackers to takeover accounts of Shopās users in public Shopify stores allowing access to order history and shipping addresses. Shopify recently introduced Shop Pay within the Shop application. Shop Pay allows users to easily purchase items in most Shopify stores by storing their payment information in their Shop account. However, Shop accounts, by default, do not have Shop Pay enabled. Users must manually enable this feature in their Shop settings or when purchasing an item from a store that supports Shop Pay.
Link to writeup:
https://ophionsecurity.com/blog/shopify-acount-takeover
https://ophionsecurity.com/blog/shopify-acount-takeover
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Description:
The ability to easily add own resources (like .css or .js) to a project is very important feature of many frameworks. Manual updates of sub-pages to insert correct relative paths (remembering how many '../' should be added to match the directory hierarchy) can really be a nightmare. Moreover, upon decision to change the file/directory structure, fixing all of those paths again would be a waste of time. Using absolute paths, however, doesnāt solve the problem either. Deploying an application to a sub-directory, instead of the root of the domain (or changing the deployment location), makes the absolute paths useless. Luckily for the developers ASP.NET takes responsibility for the above problems by offering app-root-relative URLs. Luckily for the attackers ā it also opens some new ways to attack web applications.
The ability to easily add own resources (like .css or .js) to a project is very important feature of many frameworks. Manual updates of sub-pages to insert correct relative paths (remembering how many '../' should be added to match the directory hierarchy) can really be a nightmare. Moreover, upon decision to change the file/directory structure, fixing all of those paths again would be a waste of time. Using absolute paths, however, doesnāt solve the problem either. Deploying an application to a sub-directory, instead of the root of the domain (or changing the deployment location), makes the absolute paths useless. Luckily for the developers ASP.NET takes responsibility for the above problems by offering app-root-relative URLs. Luckily for the attackers ā it also opens some new ways to attack web applications.
Link to writeup:
https://blog.isec.pl/all-is-xss-that-comes-to-the-net/
https://blog.isec.pl/all-is-xss-that-comes-to-the-net/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Race Condition
Race Condition
Description:
For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, I'll introduce new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with. With these I'll exploit both multiple high-profile websites and Devise, a popular authentication framework for Rails.
For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, I'll introduce new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with. With these I'll exploit both multiple high-profile websites and Devise, a popular authentication framework for Rails.
Link to writeup:
https://portswigger.net/research/smashing-the-state-machine
https://portswigger.net/research/smashing-the-state-machine
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Authentication Bypass
Authentication Bypass
Description:
In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL. This method is useful to clients that do not support cookies.
In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL. This method is useful to clients that do not support cookies.
Link to writeup:
https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/
https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
In the last few days, threat actors have been exploiting a critical pre-authentication vulnerability within Progress MOVEIt Transfer. There have been several great blog posts covering the incident response, forensic artifacts, and detection engineering efforts when it comes to preventing compromise. Assetnote was successful at determining the full exploit chain for this vulnerability, including the SQL injection and the remote code execution attack vector.
In the last few days, threat actors have been exploiting a critical pre-authentication vulnerability within Progress MOVEIt Transfer. There have been several great blog posts covering the incident response, forensic artifacts, and detection engineering efforts when it comes to preventing compromise. Assetnote was successful at determining the full exploit chain for this vulnerability, including the SQL injection and the remote code execution attack vector.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
In our last post we detailed our initial work reversing the recent Progress MOVEit Transfer remote code execution vulnerability as well as our proof-of-concept demonstrating the exploit. We implemented checks in our Attack Surface Management platform providing our customers with assurance on whether or not they are affected. However, we declined to post the full exploit chain as it was being actively exploited at the time. Since then, a public proof-of-concept has been posted and so we will now detail the steps we took to reverse the vulnerability.
In our last post we detailed our initial work reversing the recent Progress MOVEit Transfer remote code execution vulnerability as well as our proof-of-concept demonstrating the exploit. We implemented checks in our Attack Surface Management platform providing our customers with assurance on whether or not they are affected. However, we declined to post the full exploit chain as it was being actively exploited at the time. Since then, a public proof-of-concept has been posted and so we will now detail the steps we took to reverse the vulnerability.
Link to writeup:
https://blog.assetnote.io/2023/06/13/moveit-transfer-part-two/
https://blog.assetnote.io/2023/06/13/moveit-transfer-part-two/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Google Cloud
Google Cloud
Description:
GCP organizations can be used to easily manage resources (Such as projects, billing accounts, IAM roles, etc.) in one single place. Most resources cannot be detached from the organization they were created in, and even though they can be deleted, most of them can be restored within a month. Because of this, it is important that users pay attention to where they are putting their resources, for example: if for some reason they created a billing account on an organization they do not trust, they could end up being charged for the actions of someone else.
GCP organizations can be used to easily manage resources (Such as projects, billing accounts, IAM roles, etc.) in one single place. Most resources cannot be detached from the organization they were created in, and even though they can be deleted, most of them can be restored within a month. Because of this, it is important that users pay attention to where they are putting their resources, for example: if for some reason they created a billing account on an organization they do not trust, they could end up being charged for the actions of someone else.
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
By using an internal (dogfood) version of the Google Cloud Deployment Manager, I was able to issue requests to some Google internal endpoints through Google's Global Service Load Balancer, which could have led to RCE.
By using an internal (dogfood) version of the Google Cloud Deployment Manager, I was able to issue requests to some Google internal endpoints through Google's Global Service Load Balancer, which could have led to RCE.
Link to writeup:
https://www.ezequiel.tech/2020/05/rce-in-cloud-dm.html
https://www.ezequiel.tech/2020/05/rce-in-cloud-dm.html
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Google Cloud SQL
Google Cloud SQL
Description:
This write-up covers vulnerabilities that we have discovered in the MySQL versions 5.6 and 5.7 of Cloud SQL.
This write-up covers vulnerabilities that we have discovered in the MySQL versions 5.6 and 5.7 of Cloud SQL.
Link to writeup:
https://www.ezequiel.tech/2020/08/dropping-shell-in.html
https://www.ezequiel.tech/2020/08/dropping-shell-in.html
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Authentication Bypass
Authentication Bypass
Description:
It was possible to list IAM service accounts of any Google Cloud Platform project, given its project number, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain services in Google Cloud, this issue could lead to the leak of lots of Google Cloud Platform project IDs, which are considered PII, and which could be further used to scan for unsecured resources in the platform, such as App Engine apps, Container Registry repositories, etc.
It was possible to list IAM service accounts of any Google Cloud Platform project, given its project number, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain services in Google Cloud, this issue could lead to the leak of lots of Google Cloud Platform project IDs, which are considered PII, and which could be further used to scan for unsecured resources in the platform, such as App Engine apps, Container Registry repositories, etc.
Link to writeup:
https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html
https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Authentication Bypass
Authentication Bypass
Description:
Exploiting Authentication Bypass vulnerability in Codeigniter with a tricky technique.
Exploiting Authentication Bypass vulnerability in Codeigniter with a tricky technique.
Link to writeup:
https://eslam3kl.gitbook.io/blog/bug-hunting-findings/authentication-bypass-using-empty-parameters.
https://eslam3kl.gitbook.io/blog/bug-hunting-findings/authentication-bypass-using-empty-parameters.
Link to summary:
Summary
Summary
Score: 1
Submitted by: helich0pper
Vulnerability class:
Pivoting
Pivoting
Description:
Access devices on the internal network after gaining shell access to an environment with constraints such as low storage/memory (eg. a Linux-based microcontroller or a router).
Access devices on the internal network after gaining shell access to an environment with constraints such as low storage/memory (eg. a Linux-based microcontroller or a router).
Link to writeup:
https://helich0pper.github.io/router_rce/
https://helich0pper.github.io/router_rce/
Link to summary:
Summary
Summary
Score: 1
Submitted by: lukeberner
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
Cloning internal Google repositories to find sensitive information
Cloning internal Google repositories to find sensitive information
Link to writeup:
https://medium.com/@lukeberner/cloning-internal-google-repos-for-fun-and-info-bf2c83d0ae00
https://medium.com/@lukeberner/cloning-internal-google-repos-for-fun-and-info-bf2c83d0ae00
Link to summary:
Summary
Summary
Score: 1
Submitted by: Jitendra chandel
Vulnerability class:
Client Side Request Forgery
Client Side Request Forgery
Title:
Account Takeover via CSRF
Account Takeover via CSRF
Description:
There is no protection against CSRF in changing email which lead to CSRF to account takeover
There is no protection against CSRF in changing email which lead to CSRF to account takeover
Link to writeup:
https://bugreader.com/_imjitendra_@account-takeover-via-csrf-260
https://bugreader.com/_imjitendra_@account-takeover-via-csrf-260
Link to summary:
Summary
Summary
Score: 1
Submitted by: Hacklad
Vulnerability class:
Authorization Bypass
Authorization Bypass
Title:
SAML AUTH BYPASS
SAML AUTH BYPASS
Description:
When using SAML authentication, responses are not checked properly. This allows attacker to inject/modify any assertions in the SAML response and thus, for example, authenticate as administrator.
When using SAML authentication, responses are not checked properly. This allows attacker to inject/modify any assertions in the SAML response and thus, for example, authenticate as administrator.
Link to writeup:
https://hackerone.com/reports/812064
https://hackerone.com/reports/812064
Link to summary:
Summary
Summary
Score: 1
Submitted by: securityteacher
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Title:
CSV Injection
CSV Injection
Description:
Run Commands On Company Machines
Run Commands On Company Machines
Link to writeup:
https://www.mubassirkamdar.com/2019/04/run-commands-on-company-machines-csv.html?m=1
https://www.mubassirkamdar.com/2019/04/run-commands-on-company-machines-csv.html?m=1
Link to summary:
Summary
Summary
Score: 1
Submitted by: maxsam4
Vulnerability class:
Denial of Service (DoS)
Denial of Service (DoS)
Description:
A bug in Substrate's FRAME runtime allowed anyone to store infinitely large data on the blockchain for free. It affected substrate chains including Polkadot, Kusama, and Polymesh.
A bug in Substrate's FRAME runtime allowed anyone to store infinitely large data on the blockchain for free. It affected substrate chains including Polkadot, Kusama, and Polymesh.
Link to writeup:
https://mudit.blog/free-blockchain-storage-bug-substrate/
https://mudit.blog/free-blockchain-storage-bug-substrate/
Link to summary:
Summary
Summary
Score: 1
Submitted by: stefano
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Recon
Recon
Title:
Live Hacking like a MVH
Live Hacking like a MVH
Description:
A walkthrough on methodology and strategies to win big
A walkthrough on methodology and strategies to win big
Link to writeup:
https://speakerdeck.com/fransrosen/live-hacking-like-a-mvh-a-walkthrough-on-methodology-and-strategies-to-win-big
https://speakerdeck.com/fransrosen/live-hacking-like-a-mvh-a-walkthrough-on-methodology-and-strategies-to-win-big
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Title:
XSS in Limited Input Formats
XSS in Limited Input Formats
Description:
Testing for XSS vulnerabilities requires knowing the data format of input. Usually the format is simply āstringā without any restrictions but sometimes the manipulation of XSS entry point is limited.
Testing for XSS vulnerabilities requires knowing the data format of input. Usually the format is simply āstringā without any restrictions but sometimes the manipulation of XSS entry point is limited.
Link to writeup:
https://brutelogic.com.br/blog/xss-limited-input-formats/
https://brutelogic.com.br/blog/xss-limited-input-formats/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
As many of you reading this probably already know, in mid April, a good friend of mine (@Daley) and I located a Remote Code Execution vulnerability in EAās Origin client (CVE-2019-11354). Today Iām going to go in depth on how we discovered this vulnerability, along with a couple others we needed to chain along the way ;pp
As many of you reading this probably already know, in mid April, a good friend of mine (@Daley) and I located a Remote Code Execution vulnerability in EAās Origin client (CVE-2019-11354). Today Iām going to go in depth on how we discovered this vulnerability, along with a couple others we needed to chain along the way ;pp
Link to writeup:
https://zeropwn.github.io/2019-05-13-xss-to-rce/
https://zeropwn.github.io/2019-05-13-xss-to-rce/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
This is a quick write up for a waf bypass on a private bbp, so i will keep hidden the name of the program.
This is a quick write up for a waf bypass on a private bbp, so i will keep hidden the name of the program.
Link to writeup:
https://medium.com/bugbountywriteup/jumping-to-the-hell-with-10-attempts-to-bypass-devils-waf-4275bfe679dd
https://medium.com/bugbountywriteup/jumping-to-the-hell-with-10-attempts-to-bypass-devils-waf-4275bfe679dd
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
A few years ago I discovered a technique to call functions in JavaScript without parentheses using onerror and the throw statement. It works by setting the onerror handler to the function you want to call and the throw statement is used to pass the argument to the function
A few years ago I discovered a technique to call functions in JavaScript without parentheses using onerror and the throw statement. It works by setting the onerror handler to the function you want to call and the throw statement is used to pass the argument to the function
Link to writeup:
https://portswigger.net/blog/xss-without-parentheses-and-semi-colons
https://portswigger.net/blog/xss-without-parentheses-and-semi-colons
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Recon
Recon
Title:
Awesome Asset Discovery
Awesome Asset Discovery
Description:
Through this repository, we want to put out a list of curated resources which help during asset discovery phase of a security assessment engagement.
Through this repository, we want to put out a list of curated resources which help during asset discovery phase of a security assessment engagement.
Link to writeup:
https://github.com/redhuntlabs/Awesome-Asset-Discovery
https://github.com/redhuntlabs/Awesome-Asset-Discovery
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Blind Server Side Request Forgery (Blind SSRF)
Blind Server Side Request Forgery (Blind SSRF)
Description:
Before we doing pentesting we should know our target using any third party service.
Before we doing pentesting we should know our target using any third party service.
Link to writeup:
https://medium.com/@0ktavandi/blind-ssrf-in-stripe-com-due-to-sentry-misconfiguration-60ebb6a40b5
https://medium.com/@0ktavandi/blind-ssrf-in-stripe-com-due-to-sentry-misconfiguration-60ebb6a40b5
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Title:
Facebook IDOR bug in GraphQL
Facebook IDOR bug in GraphQL
Description:
The vulnerability type "IDOR": allows any potential attacker to change the account settings for another user
The vulnerability type "IDOR": allows any potential attacker to change the account settings for another user
Link to writeup:
https://www.youtube.com/watch?v=lY_5FHhRVko&feature=youtu.be
https://www.youtube.com/watch?v=lY_5FHhRVko&feature=youtu.be
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
XXE
XXE
Description:
This little technique can force your blind XXE to output anything you want!
This little technique can force your blind XXE to output anything you want!
Link to writeup:
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Recon
Recon
Title:
Github OSINT
Github OSINT
Description:
When performing your initial recon on an organization dont forget about Github. Github is used by developers to maintain and share their code, most of the time they end up sharing much more though.
When performing your initial recon on an organization dont forget about Github. Github is used by developers to maintain and share their code, most of the time they end up sharing much more though.
Link to writeup:
https://medium.com/@ghostlulzhacks/github-osint-1e8a96f9fdb8
https://medium.com/@ghostlulzhacks/github-osint-1e8a96f9fdb8
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Denial of Service (DoS)
Denial of Service (DoS)
Description:
While observing headers and response of the first request which was simple GET request to homepage WWW.EXAMPLE.COM, it came to my mind that why not check hidden get parameters?
While observing headers and response of the first request which was simple GET request to homepage WWW.EXAMPLE.COM, it came to my mind that why not check hidden get parameters?
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
com.twitter.android.lite.TwitterLiteActivity is set to exported and doesn't validate data pass to intent due to which this activity vulnerable to steal users local files, javascript injection and open redirect.
com.twitter.android.lite.TwitterLiteActivity is set to exported and doesn't validate data pass to intent due to which this activity vulnerable to steal users local files, javascript injection and open redirect.
Link to writeup:
https://hackerone.com/reports/499348
https://hackerone.com/reports/499348
Link to summary:
Summary
Summary
Score: 1
Submitted by: quas
Vulnerability class:
Recon
Recon
Description:
Five things to test on the main app. And If you don't test for these, well then you're missing out!.
Five things to test on the main app. And If you don't test for these, well then you're missing out!.
Link to writeup:
https://www.youtube.com/watch?v=aNQg9mg4WNI
https://www.youtube.com/watch?v=aNQg9mg4WNI
Link to summary:
Summary
Summary
Score: 0
Submitted by: Take your money napodargikot.blogspot.com YM
Vulnerability class:
DOM Cross Site Scripting
DOM Cross Site Scripting
Title:
Cambiamento climatico
Cambiamento climatico
Description:
Quanto c'ĆØ di vero, quanto c'ĆØ che i popoli non sanno, e cosa ci aspetta.
Quanto c'ĆØ di vero, quanto c'ĆØ che i popoli non sanno, e cosa ci aspetta.
Link to writeup:
https://wwwsaputelli.it
https://wwwsaputelli.it
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
XXE
XXE
Description:
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why am I writing a blog post about an XXE? I have two reasons: Ā· It affects SharePoint, both on-prem and cloud instances, which is a nice target. This vulnerability can be exploited by a low-privileged user. Ā· This is one of the craziest XXEs that I have ever seen (and found), both in terms of vulnerability discovery and the method of triggering. When we talk about overall exploitation and impact, this Pwn2Own win by Chris Anastasio and Steven Seeley is still my favorite. The vulnerability is known as CVE-2024-30043, and, as one would expect with an XXE, it allows you to: Ā· Read files with SharePoint Farm Service account permission. Ā· Perform Server-side request forgery (SSRF) attacks. Ā· Perform NTLM Relaying. Ā· Achieve any other side effects to which XXE may lead. Let us go straight to the details.
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why am I writing a blog post about an XXE? I have two reasons: Ā· It affects SharePoint, both on-prem and cloud instances, which is a nice target. This vulnerability can be exploited by a low-privileged user. Ā· This is one of the craziest XXEs that I have ever seen (and found), both in terms of vulnerability discovery and the method of triggering. When we talk about overall exploitation and impact, this Pwn2Own win by Chris Anastasio and Steven Seeley is still my favorite. The vulnerability is known as CVE-2024-30043, and, as one would expect with an XXE, it allows you to: Ā· Read files with SharePoint Farm Service account permission. Ā· Perform Server-side request forgery (SSRF) attacks. Ā· Perform NTLM Relaying. Ā· Achieve any other side effects to which XXE may lead. Let us go straight to the details.
Link to writeup:
https://www.zerodayinitiative.com/blog/2024/5/29/cve-2024-30043-abusing-url-parsing-confusion-to-exploit-xxe-on-sharepoint-server-and-cloud
https://www.zerodayinitiative.com/blog/2024/5/29/cve-2024-30043-abusing-url-parsing-confusion-to-exploit-xxe-on-sharepoint-server-and-cloud
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Various Vulnerabilities
Various Vulnerabilities
Title:
One company: 262 bugs, 100% acceptance, 2.57 priority, millions of user details saved. | @zseano
One company: 262 bugs, 100% acceptance, 2.57 priority, millions of user details saved. | @zseano
Description:
Itās time to recap the last 6months of reporting bugs and to tally up just how much data iāve saved from criminal hands and outline some interesting facts..
Itās time to recap the last 6months of reporting bugs and to tally up just how much data iāve saved from criminal hands and outline some interesting facts..
Link to writeup:
https://blog.bugbountyhunter.com/one-company-262-bugs/
https://blog.bugbountyhunter.com/one-company-262-bugs/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Oauth
Oauth
Description:
For many hackers, changing the redirect_uri to an attacker-controlled host is the only attack they know. But in 2024 it won't work. We have to work harder - exploit and chain multiple smaller bugs together to get the account takeover. Those chains will be the topic of this talk.
For many hackers, changing the redirect_uri to an attacker-controlled host is the only attack they know. But in 2024 it won't work. We have to work harder - exploit and chain multiple smaller bugs together to get the account takeover. Those chains will be the topic of this talk.
Link to writeup:
https://www.youtube.com/watch?v=n9x7_J_a_7Q
https://www.youtube.com/watch?v=n9x7_J_a_7Q
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Privilege Escalation
Privilege Escalation
Description:
The team recently encountered an interesting scenario where we were trying to escalate privileges from a compromised pod in AWS Elastic Kubernetes Service (EKS) and struggled with NodeRestriction, a security mechanism enabled by default on all EKS versions.
The team recently encountered an interesting scenario where we were trying to escalate privileges from a compromised pod in AWS Elastic Kubernetes Service (EKS) and struggled with NodeRestriction, a security mechanism enabled by default on all EKS versions.
Link to writeup:
https://blog.calif.io/p/privilege-escalation-in-eks
https://blog.calif.io/p/privilege-escalation-in-eks
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
GraphQL
GraphQL
Description:
n the talk "GraphQL is the New PHP," we dive into how to find bugs in GraphQL, similar to early PHP days. It's all about sharing tips and tricks for bug bounty hunters to spot security issues. This talk is like a collection of what I've learned, the mistakes I made, and some wins along the way.
n the talk "GraphQL is the New PHP," we dive into how to find bugs in GraphQL, similar to early PHP days. It's all about sharing tips and tricks for bug bounty hunters to spot security issues. This talk is like a collection of what I've learned, the mistakes I made, and some wins along the way.
Link to writeup:
https://www.youtube.com/watch?v=tIo_t5uUK50
https://www.youtube.com/watch?v=tIo_t5uUK50
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Stored Cross Site Scripting
Stored Cross Site Scripting
Description:
Disclaimer : this exploitation was realized in a legal context of a Bug Bounty. The disclosure of the information contained in this article was made with the agreement of pass Culture and comes after a patch. The Bug Bounty program is not public and participation is only possible after contracting with YesWeHack and invitation by pass Culture.
Disclaimer : this exploitation was realized in a legal context of a Bug Bounty. The disclosure of the information contained in this article was made with the agreement of pass Culture and comes after a patch. The Bug Bounty program is not public and participation is only possible after contracting with YesWeHack and invitation by pass Culture.
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Stored Cross Site Scripting
Stored Cross Site Scripting
Description:
Using the account creation mechanism, it was possible to obtain an account with privileged rights from a Mass Assignment. From this privileged account, the injection of a payload allowed to realize a Stored XSS within the administration panel impacting an administrator account.
Using the account creation mechanism, it was possible to obtain an account with privileged rights from a Mass Assignment. From this privileged account, the injection of a payload allowed to realize a Stored XSS within the administration panel impacting an administrator account.
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Hacker Methodology
Hacker Methodology
Description:
Santiago Lopez is one of the top Bug Bounty Hackers in the World. He has earned over 1 million dollars over his bug bounty career.
Santiago Lopez is one of the top Bug Bounty Hackers in the World. He has earned over 1 million dollars over his bug bounty career.
Link to writeup:
https://www.youtube.com/watch?v=U68hiSFxaVo
https://www.youtube.com/watch?v=U68hiSFxaVo
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
XSS
XSS
Description:
When it comes to XSS (Cross-site scripting), many people may only think of āinjecting code into a websiteā. However, if you think about it carefully, you will find that there are many aspects that can be further explored.
When it comes to XSS (Cross-site scripting), many people may only think of āinjecting code into a websiteā. However, if you think about it carefully, you will find that there are many aspects that can be further explored.
Link to writeup:
https://blog.huli.tw/2021/06/19/en/xss-attack-and-defense/
https://blog.huli.tw/2021/06/19/en/xss-attack-and-defense/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
SQL Injection
SQL Injection
Description:
SQL Injection Tips & Tricks - YouTube video
SQL Injection Tips & Tricks - YouTube video
Link to writeup:
https://www.youtube.com/watch?v=MYsUhAgSgwc
https://www.youtube.com/watch?v=MYsUhAgSgwc
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Firewall Bypass
Firewall Bypass
Description:
As WAFs grow in complexity, they become increasingly resilient to attacks. However, although the level of determination required has greatly risen in recent years, WAFs are always bypassable. We will provide practical insight into how WAFs operate and introduce novel bypass techniques that can make it a piece of cake to demonstrate the impact of cross-site scripting (XSS) vulnerabilities when behind WAFs. Reflected XSS is a valid vulnerability regardless of the presence of a WAF.
As WAFs grow in complexity, they become increasingly resilient to attacks. However, although the level of determination required has greatly risen in recent years, WAFs are always bypassable. We will provide practical insight into how WAFs operate and introduce novel bypass techniques that can make it a piece of cake to demonstrate the impact of cross-site scripting (XSS) vulnerabilities when behind WAFs. Reflected XSS is a valid vulnerability regardless of the presence of a WAF.
Link to writeup:
https://www.youtube.com/watch?v=zhkCf8tldbk
https://www.youtube.com/watch?v=zhkCf8tldbk
Link to summary:
Summary
Summary
Score: 0
Submitted by: cambriakinkelaar
Vulnerability class:
SQL Injection
SQL Injection
Description:
Low-Security bWAPP SQL Injection Time-Based Blind Exploit
Low-Security bWAPP SQL Injection Time-Based Blind Exploit
Link to summary:
Summary
Summary
Score: 0
Submitted by: cambriakinkelaar
Vulnerability class:
SQL Injection
SQL Injection
Description:
Low-Security bWAPP SQL Injection POST/Search Exploit
Low-Security bWAPP SQL Injection POST/Search Exploit
Link to summary:
Summary
Summary
Score: 0
Submitted by: cambriakinkelaar
Vulnerability class:
SQL Injection
SQL Injection
Description:
Low-Security bWAPP SQL Injection GET/Search Exploit
Low-Security bWAPP SQL Injection GET/Search Exploit
Link to writeup:
https://medium.com/@crk2500/sql-get-search-injection-exploitation-on-bwapp-2cc5ffa74a4d
https://medium.com/@crk2500/sql-get-search-injection-exploitation-on-bwapp-2cc5ffa74a4d
Link to summary:
Summary
Summary
Score: 0
Submitted by: cambriakinkelaar
Vulnerability class:
Local File Inclusion
Local File Inclusion
Title:
bWAPP LFI & RFI Exploit
bWAPP LFI & RFI Exploit
Description:
Low-Security bWAPP LFI/RFI Exploit
Low-Security bWAPP LFI/RFI Exploit
Link to summary:
Summary
Summary
Score: 0
Submitted by: cambriakinkelaar
Vulnerability class:
Command Injection
Command Injection
Title:
bWAPP OS Command Injection
bWAPP OS Command Injection
Description:
Low-Security bWAPP OS Command Injection Blind Exploit
Low-Security bWAPP OS Command Injection Blind Exploit
Link to summary:
Summary
Summary
Score: 0
Submitted by: aks4803
Vulnerability class:
Remote & Local File inclusion
Remote & Local File inclusion
Description:
Exploiting Remote & Local File inclusion vulnerabilities in bWAPP which includes crafting a payload to include both remote and local files demonstrating potential data leakage or code execution.
Exploiting Remote & Local File inclusion vulnerabilities in bWAPP which includes crafting a payload to include both remote and local files demonstrating potential data leakage or code execution.
Link to writeup:
https://placeholder.url/file-inclusion-exploitation
https://placeholder.url/file-inclusion-exploitation
Link to summary:
Summary
Summary
Score: 0
Submitted by: aks4803
Vulnerability class:
OS Command Injection
OS Command Injection
Description:
Demonstrates the exploitation of an OS Command Injection vulnerability in bWAPP using a search input field by injecting a malicious payload ';ls -la' where an attacker can list files on the server and view them.
Demonstrates the exploitation of an OS Command Injection vulnerability in bWAPP using a search input field by injecting a malicious payload ';ls -la' where an attacker can list files on the server and view them.
Link to writeup:
https://placeholder.url/os-command-injection-exploitation
https://placeholder.url/os-command-injection-exploitation
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Reverse Engineering (RE)
Reverse Engineering (RE)
Description:
While searching for fun CVEs in Wordpress Plugins, CVE-2023ā2834 caught our eye. The plugin Bookit was vulnerable to an Authentication Bypass. As per Patchstack, this was a CVSS 9.8 issue, meaning it was quite impactful! Hence, me and Arpeet Rathi decided to take a look.
While searching for fun CVEs in Wordpress Plugins, CVE-2023ā2834 caught our eye. The plugin Bookit was vulnerable to an Authentication Bypass. As per Patchstack, this was a CVSS 9.8 issue, meaning it was quite impactful! Hence, me and Arpeet Rathi decided to take a look.
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Description:
In the ever-evolving landscape of web security, Cross-Site Scripting (XSS) stands as one of the most pernicious vulnerabilities. XSS allows attackers to inject malicious scripts into web pages which then run on another userās browser. These injected scripts can lead to a variety of malicious actions, such as stealing session cookies or defacing web pages. To counteract these vulnerabilities, developers deploy multiple techniques. But as developers fortify defenses, attackers refine their techniques to bypass these security measures. This article will explore some techniques used to bypass XSS filters and how developers can stay vigilant.
In the ever-evolving landscape of web security, Cross-Site Scripting (XSS) stands as one of the most pernicious vulnerabilities. XSS allows attackers to inject malicious scripts into web pages which then run on another userās browser. These injected scripts can lead to a variety of malicious actions, such as stealing session cookies or defacing web pages. To counteract these vulnerabilities, developers deploy multiple techniques. But as developers fortify defenses, attackers refine their techniques to bypass these security measures. This article will explore some techniques used to bypass XSS filters and how developers can stay vigilant.
Link to writeup:
https://infosecwriteups.com/bypassing-xss-filters-techniques-and-solutions-d6674029f1e9
https://infosecwriteups.com/bypassing-xss-filters-techniques-and-solutions-d6674029f1e9
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Description:
Mostly I do hunting on weekends so while hunting on one program letās consider the program as a redacted.com so while hunting on a platform within a three hours I got 3ā4 IDOR vulnerabilities with full account takeover (Regarding account takeover I will write about it later in detail). Letās see how was the approach in discovering it, so after creating the account I started looking for vulnerabilities while going through the website features and functionalities.
Mostly I do hunting on weekends so while hunting on one program letās consider the program as a redacted.com so while hunting on a platform within a three hours I got 3ā4 IDOR vulnerabilities with full account takeover (Regarding account takeover I will write about it later in detail). Letās see how was the approach in discovering it, so after creating the account I started looking for vulnerabilities while going through the website features and functionalities.
Link to writeup:
https://infosecwriteups.com/gone-in-a-click-idor-vulnerabilities-in-image-upload-function-6c4817b44d8c
https://infosecwriteups.com/gone-in-a-click-idor-vulnerabilities-in-image-upload-function-6c4817b44d8c
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Title:
XSS Intigriti challenge
XSS Intigriti challenge
Description:
Hello hunters, let me explain how did I overcome this XSS challenge set up by the bug bounty platform Intigriti.
Hello hunters, let me explain how did I overcome this XSS challenge set up by the bug bounty platform Intigriti.
Link to writeup:
https://infosecwriteups.com/xss-intigriti-challenge-dae2dba1cb4c
https://infosecwriteups.com/xss-intigriti-challenge-dae2dba1cb4c
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Title:
Story of a very lethal IDOR.
Story of a very lethal IDOR.
Description:
If I didnāt even try to find that IDOR vulnerability I couldnāt have achieved this account takeover.
If I didnāt even try to find that IDOR vulnerability I couldnāt have achieved this account takeover.
Link to writeup:
https://infosecwriteups.com/idor-that-allowed-me-to-takeover-any-users-account-129e55871d8
https://infosecwriteups.com/idor-that-allowed-me-to-takeover-any-users-account-129e55871d8
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Cross-Account, Cross-Region Replication of Encrypted Objects
Cross-Account, Cross-Region Replication of Encrypted Objects
Description:
In todayās digital landscape, data protection is paramount for organizations handling sensitive information. Amazon Simple Storage Service (S3) offers a robust solution for storing and managing data in the cloud. One of the powerful features provided by S3 is Cross-Region Replication, which allows for automatic and asynchronous replication of objects between different AWS regions.
In todayās digital landscape, data protection is paramount for organizations handling sensitive information. Amazon Simple Storage Service (S3) offers a robust solution for storing and managing data in the cloud. One of the powerful features provided by S3 is Cross-Region Replication, which allows for automatic and asynchronous replication of objects between different AWS regions.
Link to writeup:
https://infosecwriteups.com/seamless-cross-account-cross-region-replication-of-encrypted-objects-in-aws-s3-simplified-data-4e3972b63618
https://infosecwriteups.com/seamless-cross-account-cross-region-replication-of-encrypted-objects-in-aws-s3-simplified-data-4e3972b63618
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
n this blog post weāre going to explain what an SSRF attack is, how to test for it, and some basic guidelines on how to fix it. We will be using a real-world example, exploiting a vulnerability we discovered in a commercial Business Intelligence product called Dundas BI.
n this blog post weāre going to explain what an SSRF attack is, how to test for it, and some basic guidelines on how to fix it. We will be using a real-world example, exploiting a vulnerability we discovered in a commercial Business Intelligence product called Dundas BI.
Link to writeup:
https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/
https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/
Link to summary:
Summary
Summary
Score: 0
Submitted by: Liam
Vulnerability class:
Other
Other
Description:
This article shows you how to perform recon on targets across different social media websites
This article shows you how to perform recon on targets across different social media websites
Link to summary:
Summary
Summary
Score: 0
Submitted by: ife
Vulnerability class:
SQL Injection
SQL Injection
Title:
bWAPP GET/Search
bWAPP GET/Search
Description:
Using the buggy web application with Docker, you can exploit the URL by searching through the bWAPP database to find user information, including login and password!
Using the buggy web application with Docker, you can exploit the URL by searching through the bWAPP database to find user information, including login and password!
Link to writeup:
http://www.itsecgames.com/
http://www.itsecgames.com/
Link to summary:
Summary
Summary
Score: 0
Submitted by: Santosh bobade
Vulnerability class:
DNS
DNS
Description:
Subdomain takeover at harvard university : A Subdomain Takeover is defined as Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organizationās subdomain via cloud services like AWS or Azure. ā¦ The potential for a subdomain takeover occurs when the webpage hosted at the cloud provider is deleted but the DNS entry is kept.
Subdomain takeover at harvard university : A Subdomain Takeover is defined as Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organizationās subdomain via cloud services like AWS or Azure. ā¦ The potential for a subdomain takeover occurs when the webpage hosted at the cloud provider is deleted but the DNS entry is kept.
Link to writeup:
https://santoshdbobade.medium.com/how-i-got-an-appreciation-letter-from-harvard-university-a3d19de69701
https://santoshdbobade.medium.com/how-i-got-an-appreciation-letter-from-harvard-university-a3d19de69701
Link to summary:
Summary
Summary
Score: 0
Submitted by: Santosh bobade
Vulnerability class:
DNS
DNS
Description:
Subdomain takeover at harvard university :
Subdomain takeover at harvard university :
Link to writeup:
https://santoshdbobade.medium.com/how-i-got-an-appreciation-letter-from-harvard-university-a3d19de69701
https://santoshdbobade.medium.com/how-i-got-an-appreciation-letter-from-harvard-university-a3d19de69701
Link to summary:
Summary
Summary
Score: 0
Submitted by: Santosh bobade
Vulnerability class:
Recon
Recon
Description:
You can create a telegram bot for recon and your own methodology for automation
You can create a telegram bot for recon and your own methodology for automation
Link to writeup:
https://santoshdbobade.medium.com/creating-your-own-telegram-bot-for-recon-bug-bounty-8c3fd3dfcbcf
https://santoshdbobade.medium.com/creating-your-own-telegram-bot-for-recon-bug-bounty-8c3fd3dfcbcf
Link to summary:
Summary
Summary
Score: 0
Submitted by: Santosh bobade
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Title:
An Accidental XSS on uu.nl
An Accidental XSS on uu.nl
Description:
An attacker can use XSS to send a malicious script to an unsuspecting user. The end userās browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end userās browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
Link to summary:
Summary
Summary
Score: 0
Submitted by: Santosh bobade
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Description:
An attacker can use XSS to send a malicious script to an unsuspecting user. The end userās browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end userās browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
Link to writeup:
https://link.medium.com/BRQtX1baupb
https://link.medium.com/BRQtX1baupb
Link to summary:
Summary
Summary
Score: 0
Submitted by: securityteacher
Vulnerability class:
Host Header Injection
Host Header Injection
Link to writeup:
https://www.mubassirkamdar.com/2020/07/account-takeover-poc.html
https://www.mubassirkamdar.com/2020/07/account-takeover-poc.html
Link to summary:
Summary
Summary
Score: 0
Submitted by: Yurii Sanin
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
More than a year ago I discovered a misconfiguration that leads to SSRF in YouTrack, and here are detailed steps on how I did it.
More than a year ago I discovered a misconfiguration that leads to SSRF in YouTrack, and here are detailed steps on how I did it.
Link to writeup:
https://mitmlab.com/cve-2020-15823-server-side-request-forgery-ssrf-in-jetbrains-youtrack-74543a86a248
https://mitmlab.com/cve-2020-15823-server-side-request-forgery-ssrf-in-jetbrains-youtrack-74543a86a248
Link to summary:
Summary
Summary
Score: 0
Submitted by: Hacklad
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
Today I am going to explain one of the coolest and easiest bugs which I accidentally found on Instagram a few months ago
Today I am going to explain one of the coolest and easiest bugs which I accidentally found on Instagram a few months ago
Link to writeup:
https://medium.com/infosec/deleted-data-stored-permanently-on-instagram-facebook-bug-bounty-2020-26074c229955
https://medium.com/infosec/deleted-data-stored-permanently-on-instagram-facebook-bug-bounty-2020-26074c229955
Link to summary:
Summary
Summary
Score: 0
Submitted by: Hacklad
Vulnerability class:
Denial of Service (DoS)
Denial of Service (DoS)
Description:
In this article, we will discuss Denial-of-Service vulnerabilities, how to find one, and present 25 disclosed reports based on this issue.
In this article, we will discuss Denial-of-Service vulnerabilities, how to find one, and present 25 disclosed reports based on this issue.
Link to writeup:
https://medium.com/swlh/top-25-denial-of-service-dos-bug-bounty-reports-4aaeb4e9a052
https://medium.com/swlh/top-25-denial-of-service-dos-bug-bounty-reports-4aaeb4e9a052
Link to summary:
Summary
Summary
Score: 0
Submitted by: Hacklad
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
This is my first write-up, and in this write-up iām gonna share with you my recent exciting finding which led me to extract aws metadata !
This is my first write-up, and in this write-up iām gonna share with you my recent exciting finding which led me to extract aws metadata !
Link to writeup:
https://infosecwriteups.com/an-exciting-journey-to-find-ssrf-bypass-cloudflare-and-extract-aws-metadata-fdb8be0b5f79
https://infosecwriteups.com/an-exciting-journey-to-find-ssrf-bypass-cloudflare-and-extract-aws-metadata-fdb8be0b5f79
Link to summary:
Summary
Summary
Score: 0
Submitted by: Hacklad
Vulnerability class:
Information Disclosure
Information Disclosure
Description:
First of all, just learn to recon and improve your methodology in recon donāt just follow another oneās recon tip if you do so there is no difference between you and them
First of all, just learn to recon and improve your methodology in recon donāt just follow another oneās recon tip if you do so there is no difference between you and them
Link to writeup:
https://medium.com/techiepedia/misconfigured-3-bucket-a-semi-opened-environment-9cfb9dee782d
https://medium.com/techiepedia/misconfigured-3-bucket-a-semi-opened-environment-9cfb9dee782d
Link to summary:
Summary
Summary
Score: 0
Submitted by: Hacklad
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
In brief, you may be able to escalate your attacks by using APIās, javacript workarounds, a misconfiguration on a domain that isnāt under the program scope.
In brief, you may be able to escalate your attacks by using APIās, javacript workarounds, a misconfiguration on a domain that isnāt under the program scope.
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Client Side Request Forgery
Client Side Request Forgery
Description:
I was hunting on Bugcrowd private program. The program has 4 different kinds of roles Like Admin, H-User, L-User, and Guest.
I was hunting on Bugcrowd private program. The program has 4 different kinds of roles Like Admin, H-User, L-User, and Guest.
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Pastejacking
Pastejacking
Title:
Pastejacking
Pastejacking
Description:
Browsers now allow developers to automatically add content to a user's clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn't want to get ran, and gain code execution.
Browsers now allow developers to automatically add content to a user's clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn't want to get ran, and gain code execution.
Link to writeup:
https://github.com/dxa4481/Pastejacking
https://github.com/dxa4481/Pastejacking
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
A few weeks ago I found an issue which initially looks like unexploitable, it was Self XSS again, this time in Search Box where users can search for books/documents, XSS get triggered once we type/paste our payload in search box via Applications AutoSuggestion feature, but once search get completed it gets blocked by WAF at the backend, so only way to trigger XSS was AutoSuggestion feature which only can be done by user himself, so we cant do anything fancy here like THIS.
A few weeks ago I found an issue which initially looks like unexploitable, it was Self XSS again, this time in Search Box where users can search for books/documents, XSS get triggered once we type/paste our payload in search box via Applications AutoSuggestion feature, but once search get completed it gets blocked by WAF at the backend, so only way to trigger XSS was AutoSuggestion feature which only can be done by user himself, so we cant do anything fancy here like THIS.
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
Recently i discovered a semi responded SSRF on Vimeo with code execution possibility. This blog post explains how i found & exploited it. So lets get started.
Recently i discovered a semi responded SSRF on Vimeo with code execution possibility. This blog post explains how i found & exploited it. So lets get started.
Link to writeup:
https://medium.com/@rootxharsh_90844/vimeo-ssrf-with-code-execution-potential-68c774ba7c1e
https://medium.com/@rootxharsh_90844/vimeo-ssrf-with-code-execution-potential-68c774ba7c1e
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Title:
The pitfalls of postMessage
The pitfalls of postMessage
Description:
The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities.
The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities.
Link to writeup:
https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/
https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Authorization Bypass
Authorization Bypass
Description:
TL;DR: Setting up access control of AWS S3 consists of multiple levels, each with its own unique risk of misconfiguration. We will go through the specifics of each level and identify the dangerous cases where weak ACLs can create vulnerable configurations impacting the owner of the S3-bucket and/or through third party assets used by a lot of companies.
TL;DR: Setting up access control of AWS S3 consists of multiple levels, each with its own unique risk of misconfiguration. We will go through the specifics of each level and identify the dangerous cases where weak ACLs can create vulnerable configurations impacting the owner of the S3-bucket and/or through third party assets used by a lot of companies.
Link to writeup:
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Authorization Bypass
Authorization Bypass
Description:
If youāre unfamiliar with GraphQL, hereās a quick refresher: In its most basic use case, GraphQL allows you to call specific fields on objects ā but thatās just the beginning.
If youāre unfamiliar with GraphQL, hereās a quick refresher: In its most basic use case, GraphQL allows you to call specific fields on objects ā but thatās just the beginning.
Link to writeup:
https://labs.detectify.com/2018/03/14/graphql-abuse/
https://labs.detectify.com/2018/03/14/graphql-abuse/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
UI Redressing
UI Redressing
Description:
Why X-FRAME-OPTIONS matters on API endpoints
Why X-FRAME-OPTIONS matters on API endpoints
Link to writeup:
https://medium.com/intigriti/gotcha-taking-phishing-to-a-whole-new-level-72eda9e30bef
https://medium.com/intigriti/gotcha-taking-phishing-to-a-whole-new-level-72eda9e30bef
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
I found a form for uploading my videos in the userās personal account. But in such a simple action for uploading video, I found two critical security issues.
I found a form for uploading my videos in the userās personal account. But in such a simple action for uploading video, I found two critical security issues.
Link to writeup:
https://medium.com/@valeriyshevchenko/ssrf-vulnerability-via-ffmpeg-hls-processing-f3823c16f3c7
https://medium.com/@valeriyshevchenko/ssrf-vulnerability-via-ffmpeg-hls-processing-f3823c16f3c7
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Description:
After digging around in Facebook looking for possible bugās, I watched Facebook recently added a feature that allows fans to allow them to submit requests to be categorized in their favorite pages as their āTop Fansā. Facebook has made this optional.
After digging around in Facebook looking for possible bugās, I watched Facebook recently added a feature that allows fans to allow them to submit requests to be categorized in their favorite pages as their āTop Fansā. Facebook has made this optional.
Link to writeup:
https://medium.com/@UpdateLap/idor-facebook-malicious-person-add-people-to-the-top-fans-4f1887aad85a
https://medium.com/@UpdateLap/idor-facebook-malicious-person-add-people-to-the-top-fans-4f1887aad85a
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR)
Description:
I said what if I change my āfbidā number with other userās āfbidā attached photo :)
I said what if I change my āfbidā number with other userās āfbidā attached photo :)
Link to writeup:
https://medium.com/@JubaBaghdad/how-i-was-able-to-delete-any-image-in-facebook-community-question-forum-a03ea516e327
https://medium.com/@JubaBaghdad/how-i-was-able-to-delete-any-image-in-facebook-community-question-forum-a03ea516e327
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Reflected Cross Site Scripting
Reflected Cross Site Scripting
Description:
How to achieve a full reflected XSS attack which includes the ability to run a complete script and not just an alert popup with the least amount of characters?
How to achieve a full reflected XSS attack which includes the ability to run a complete script and not just an alert popup with the least amount of characters?
Link to writeup:
https://brutelogic.com.br/blog/shortest-reflected-xss-possible/?utm_source=ReviveOldPost&utm_medium=social&utm_campaign=ReviveOldPost
https://brutelogic.com.br/blog/shortest-reflected-xss-possible/?utm_source=ReviveOldPost&utm_medium=social&utm_campaign=ReviveOldPost
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Description:
There are cases where the injection point lands in the middle of a more complex JS code: inside functions and conditionals (if or if+else), nested inside each other.
There are cases where the injection point lands in the middle of a more complex JS code: inside functions and conditionals (if or if+else), nested inside each other.
Link to writeup:
https://brutelogic.com.br/blog/advanced-javascript-injections/
https://brutelogic.com.br/blog/advanced-javascript-injections/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Server Side Template Injection (SSTI)
Server Side Template Injection (SSTI)
Description:
Las aplicaciones modernas utilizan plantillas para agilizar tiempos, mostrar contenido de forma ordenada y estructurada para hacer mĆ”s sencilla la vida de los desarrolladores, sin embargo, algunos motores e implementaciones son vulnerables a inyecciones, permitiendo interactuar de forma directa con el motor o inclusive la ejecuciĆ³n remota de cĆ³digo.
Las aplicaciones modernas utilizan plantillas para agilizar tiempos, mostrar contenido de forma ordenada y estructurada para hacer mĆ”s sencilla la vida de los desarrolladores, sin embargo, algunos motores e implementaciones son vulnerables a inyecciones, permitiendo interactuar de forma directa con el motor o inclusive la ejecuciĆ³n remota de cĆ³digo.
Link to writeup:
https://slides.com/artssec/explotacion-y-prevencion-de-ssti#/
https://slides.com/artssec/explotacion-y-prevencion-de-ssti#/
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
I first got to this subdomain via the usual subdomain enumeration. It looked unpromising: a 404 page that said āthis website is not in use,ā a little picture, and nothing else. Running path discovery for the usual pages turned up nothing, not even a useful robots.txt. However, I took a closer look at the footer.
I first got to this subdomain via the usual subdomain enumeration. It looked unpromising: a 404 page that said āthis website is not in use,ā a little picture, and nothing else. Running path discovery for the usual pages turned up nothing, not even a useful robots.txt. However, I took a closer look at the footer.
Link to writeup:
https://hackerone.com/reports/502758
https://hackerone.com/reports/502758
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Remote Code Execution (RCE)
Remote Code Execution (RCE)
Description:
SSRF->Telnet->RCE chain in Scrapy, found by @alertot
SSRF->Telnet->RCE chain in Scrapy, found by @alertot
Link to writeup:
https://medium.com/alertot/web-scraping-considered-dangerous-exploiting-the-telnet-service-in-scrapy-1-5-2-ad5260fea0db
https://medium.com/alertot/web-scraping-considered-dangerous-exploiting-the-telnet-service-in-scrapy-1-5-2-ad5260fea0db
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Server Side Request Forgery
Server Side Request Forgery
Description:
I was looking for server side issue i see there box for adding url for job advertise first thing come in my mind try for SSRF here
I was looking for server side issue i see there box for adding url for job advertise first thing come in my mind try for SSRF here
Link to writeup:
https://medium.com/@w_hat_boy/server-side-request-forgery-ssrf-port-issue-hidden-approch-f4e67bd8cc86
https://medium.com/@w_hat_boy/server-side-request-forgery-ssrf-port-issue-hidden-approch-f4e67bd8cc86
Link to summary:
Summary
Summary
Score: 0
Submitted by: quas
Vulnerability class:
Recon
Recon
Description:
How To Shot Web :- @jhaddix Domain Discovery Theg HuntersMethodology v2.1 & v3 It's the Little Things II :-@Nahamsec Recon Like A Boss BUG BOUNTY FUNSHOP:- @prateek_0490 Journey to the top on:- @yappare
How To Shot Web :- @jhaddix Domain Discovery Theg HuntersMethodology v2.1 & v3 It's the Little Things II :-@Nahamsec Recon Like A Boss BUG BOUNTY FUNSHOP:- @prateek_0490 Journey to the top on:- @yappare
Link to summary:
Summary
Summary
Score: -1
Submitted by: Take your money napodargikot.blogspot.com YM
Vulnerability class:
DOM Cross Site Scripting
DOM Cross Site Scripting
Title:
Politica parassitaria
Politica parassitaria
Description:
Politici corooti e famelici traditori nei confronti die propri cittadini e paesi
Politici corooti e famelici traditori nei confronti die propri cittadini e paesi
Link to writeup:
https://wwwsaputelli.it
https://wwwsaputelli.it
Link to summary:
Summary
Summary
Score: -1
Submitted by: quas
Vulnerability class:
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Title:
Drag Drop XSS in Google ;)
Drag Drop XSS in Google ;)
Description:
It was started with a tweet from Dr. Mario here https://twitter.com/0x6D6172696F/status/558346300790276096
It was started with a tweet from Dr. Mario here https://twitter.com/0x6D6172696F/status/558346300790276096
Link to writeup:
https://blog.yappare.com/2016/04/drag-drop-xss-in-google.html
https://blog.yappare.com/2016/04/drag-drop-xss-in-google.html
Link to summary:
Summary
Summary