Andrea Santese (@medu554)'s Twitter Profile
Andrea Santese

@medu554

Red Team Operator | OSCE | OSCP | OSWP

ID: 485034727

Link: https://www.hacksecproject.com
Joined: 06-02-2012 19:19:04

481 Tweets

815 Followers

752 Following

Julien | MrTuxracer 🇪🇺 (@mrtuxracer):

As promised: Smuggling an (Un)exploitable XSS It took me a couple of days to completely exploit this, but it was worth the effort. Thanks for the maximum #BugBounty! rcesecurity.com/2020/11/Smuggl…

alex (@insertscript):

Been a while - I discovered a shell injection in ImageMagick. Fixed in the latest release :) insert-script.blogspot.com/2020/11/imagem… I have no cool name or logo :/

Orange Tsai 🍊 (@orange_8361):

This is an XSS challenge I made for HITCON CTF 2020. I guess the trick is not well-known and could be another upload-to-XSS vector! Apache by default handles the `.var` extension, which allows you to specify an arbitrary Content-Type to bypass security headers! github.com/orangetw/My-CT…

Player (@p14y3r__):

Just published a write-up: "The Secret Parameter, LFR, and Potential RCE in NodeJS Apps" blog.shoebpatel.com/2021/01/23/The… #bugbountytip #BugBounty #NodeJS #ctf

Orange Tsai 🍊 (@orange_8361):

A short post to address an exploit chain I did last year. Both slides and YouTube video are online now - A Journey Combining Web Hacking and Binary Exploitation in Real World! blog.orange.tw/2021/02/a-jour…

chompie (@chompie1337):

My first ever blog post: Anatomy of an Exploit: RCE CVE-2020-1350 #SIGRed. RCE PoC included, for research purposes. This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround. graplsecurity.com/post/anatomy-o…

raptor@infosec.exchange (@0xdea):

High-level approaches for finding vulnerabilities < a very well-written vulnerability research primer written by @jackson_t in 2017 (but still 100% relevant today) jackson-t.ca/finding-vulner…

d3fp4r4m (@defparam):

Hey all! First blog post. Are the popular fuzzers just for binary exploitation? In this blog post I outline how you can find logic issues in web-related regular expressions using differential fuzzing. (Spoiler: 29 lines of Python using Google Atheris) defparam.medium.com/finding-issues…

Mikko Kenttälä (@turmio_):

I found a zero click vulnerability in Apple Mail. Here are the details and story behind it: mikko-kenttala.medium.com/zero-click-vul… #infosec #vulnerability #apple

Clément Labro (@itm4n):

After several weeks of work, it's finally there!🔥 Introducing PPLdump, a tool for dumping PPL processes with a Userland exploit!😈 👉Post 1: itm4n.github.io/lsass-runasppl/ 👉Post 2: blog.scrt.ch/2021/04/22/byp… 👉Tool: github.com/itm4n/PPLdump Credit goes to James Forshaw for the technique.

Filip Olszak (@mitohormesis):

Just published a remote shellcode loader I've been working on to show why we shouldn't rely solely on real-time injection alerting. Writeup in a few days :) My C sucks so it's a "PoC". github.com/xinbailu/DripL…

lock (@lockedbyte):

I developed a Remote Code Execution PoC exploit for the Exim Use-After-Free that was recently disclosed (as part of Qualys 21Nails advisory). Tested just on Exim 4.92. PoC available: github.com/lockedbyte/CVE…

Axel Souchet (@0vercl0k):

I've built a PoC for CVE-2021-31166 the "HTTP Protocol Stack Remote Code Execution Vulnerability": github.com/0vercl0k/CVE-2… 🔥🔥

straightblast (@straight_blast):

Here is my RCE exploit code and writeup for CVE-2021-21974, the VMware ESXi OpenSLP heap overflow discovered by Lucas Leong. Thank you again for your write-up. [PoC] github.com/straightblast/… [writeup] straightblast.medium.com/my-poc-walkthr…

Andrea Santese (@medu554):

After a bit of research, it turned out that it's possible to leverage Teams functionalities for a better phishing scenario. The idea is to use it as an alternative way of initial access. Hope it can help some red team guys out there! posts.inthecyber.com/leveraging-mic…