An extension on the recent Richfaces 4.x 0-day CVE-2018-12532. Thanks a ton Markus Wulftange for the research :) tint0.com/when-el-inject…

At least one potential RCE in every instance of Zimbra. blog.tint0.com/2019/03/a-saga…

I made some research on Java remote protocols i.blackhat.com/eu-19/Wednesda…

An attack vector in xmlsec and exploiting it on PingFederate. blog.tint0.com/2021/09/pingin…

Great usage of the xpath attack vector in xmlsec. A powerful deserialization bug and an ssrf in the public interface to break yet another SSO product. Beautiful stuff!

Great work Khoa! Neat trick exploiting the content handler feature. Always love the feeling a research being appreciated and more research made.

Calif Inc: Privilege escalation in AWS Elastic Kubernetes Service blog.calif.io/p/privilege-es…

Calif: Redash SAML Authentication Bypass blog.calif.io/p/redash-saml-…

In a recent engagement, we encountered a target running CraftCMS, and discovered a Remote Code Execution vulnerability that allowed us to compromise the target. blog.calif.io/p/craftcms-rce CC yeuchimse

New blog post: in a recent engagement, we turned a simple XSRF in Argo CD to a shell with cluster admin privileges. No fix is available. We recommend hosting Argo CD on an isolated domain. Details: blog.calif.io/p/argo-cd-csrf

Type confusion attacks in ProseMirror editors blog.calif.io/p/type-confusi…

Wormable Substack XSS: blog.calif.io/p/wormable-sub… It must have been years since the last time a wormable XSS was found in a major social media website. This beautiful type confusion XSS attack vector is a gift that keeps on giving. But most of all, samy kamkar is our hero!