Vulnerability / CTF reports

Blog#

• jub0bs.com
• blog.ankursundara.com
• terjanq.medium.com
• mizu.re
• spaceraccoon.dev
• sekai.team
• org.anize.rs
• larry.sh
• brycec.me
• blog.arkark.dev
• blog.huli.tw
• labs.detectify.com
• ahmed-belkahla.me

XSS#

• GCP - XSS in POST Request & Markdown - XSS in POST request using CSRF attack. Using NEL to leak session token.
• html-janitor - Bypassing sanitization using DOM clobbering
• Microsoft Teams - XSS using a CSS class attribute inside AngularJS
• Ghost CMS - XSS in SVG profile picture

Client-Side#

• Article - Shadow DOM data exfiltration & CTF - shadow
• Article - The great SameSite confusion
• Article - CSP bypass on Wordpress using SOME
• Article - XSS with bypass on ProtonMail webclient
• Article - Fetch Diversion

Parser#

• Article - Exploiting HTTP Parsers Inconsistencies
• Exploring IPv6 Zone Identifier

PHP#

• Article - PHP filters chain: What is it and how to use it
  • Github - synacktiv/php_filter_chain_generator
• Article - PHP filter chains: file read from error-based oracle
  • Github - synacktiv/php_filter_chains_oracle_exploit

Ruby#

• Send()-ing Myself Belated Christmas Gifts - GitHub.com’s Environment Variables & GHES Shell

Insecure Deserialization#

• Article - Finding PHP Serialization Gadget Chain in PHP
• Article - Gadgets chain in Wordpress

XXE#

• CTF - Client-Side XXE to exfiltrate a page

Information leakage#

• Linkedin - Information disclosure by sending a GIF - The victim automatically requests a webhook (fake GIF URL) when opening a message. This allows an attacker to retrieve the victim’s UA and IP address.

Domains Takeover#

• Brave - S3 Bucket Takeover - An attacker can claim an S3 bucket that was previously used by Brave but now deleted.

SSRF#

• Imgur - SSRF Attack Surface - SSRF vulnerability which allows an attacker to craft connections originating from imgur servers.
• GCP - SSRF Host Check Bypass - SSRF host check bypass using an OPR on a google subdomain.

Misconfiguration#

• Article - NGINX alias misconfiguration

Prototype pollution#

• Huntr - Mongoose Prototype Pollution

Race Condition#

• PortSwigger -Single Packet Attack

Cache Deception#

• Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI’s ChatGPT
• ChatGPT Account Takeover - Wildcard Web Cache Deception

Cryptography#

• Unsecure time-based secret and Sandwich Attack

Others#

• Article - Detecting uBlock on Chrome Browser
• Article - Exploitation of iCalendar standard
• Article - Uncovering Flaws in Open-Source Vulnerability Disclosures