Ngo Wei Lin (@creastery)'s Twitter Profile
Ngo Wei Lin

@creastery

www = web web web · Staff Security Engineer @praetorianlabs · Previously 🌐 Security Researcher @starlabs_sg · Plays CTFs with HATS SG. Opinions are my own.

ID: 569200568

Website: https://www.creastery.com · Joined: 02-05-2012 15:45:13

114 Tweets

1.1K Followers

523 Following

Jia Hao (@chocologicall)

I've finally published the advisories regarding the Trend Micro bugs that I shared at #HITCON! Do check them out at starlabs's advisory page: starlabs.sg/advisories/ 🏌️‍♂️CVE-2023-32530 is an interesting case of SQLi to RCE: starlabs.sg/advisories/23/…

Ngo Wei Lin (@creastery)

Check out this detailed n-day writeup by Ocean, a former web security intern at STAR Labs I mentored, and how it led to two other bugs hidden in plain sight being discovered!

Ngo Wei Lin (@creastery)

This is one of the most insane bugs I've discovered, but it all happened at a really inopportune time. 😥 Shoutout to all the Hubbers who got involved and had been working tirelessly on this since the Christmas/New Year period! 🙏

Off-By-One Conference (@offbyoneconf)

Off-by-One 2024 Conference CFP is now open! Be part of a historical event and shape the future of offensive security in this region. Submission and speaker benefits: offbyone.sg/cfp/ If you'd like to talk to us, drop us a line at info@offbyone.sg

starlabs (@starlabs_sg)

Route to Safety: Navigating Router Pitfalls is the swansong from Daniel Lim starlabs.sg/blog/2024/rout… We hope everyone enjoyed his informative post and wish him all the best in his future endeavours.

joernchen (@joernchen)

Earlier this year I found a pretty cool vuln, an arbitrary file write in GitLab. Here’s the details gitlab-com.gitlab.io/gl-security/se…

starlabs (@starlabs_sg)

Send()-ing Myself Belated Christmas Gifts - GitHub's Environment Variables & GHES Shell starlabs.sg/blog/2024/04-s… Read about how one of our talented researchers, Ngo Wei Lin , found it, exploited it and reported it in a fast and professional manner:

Adnan Khan (@adnanthekhan)

Here is my deep-dive post on #github Actions cache poisoning. This is a powerful build pipeline lateral movement and privilege escalation technique and I used it to earn several thousand💰in #bugbounty rewards. adnanthekhan.com/2024/05/06/the…

shubs (@infosec_au)

My colleague hashkitten and I discovered a full-read SSRF vulnerability in Next.js (CVE-2024-34351). We published our research today on Assetnote's blog: assetnote.io/resources/rese…. Thank you to the Vercel team for a smooth disclosure process.

GitHub Security Lab (@ghsecuritylab)

🚨 New Blog Alert! 🚨 Can an attacker execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities in Ruby can be exploited and how they can be detected with CodeQL. 🔗 Read the full post: github.blog/2024-06-20-exe… Stay safe and code responsibly! 🛡️💻
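The post above only poses the question; the following is an added illustration (not code from the GitHub Security Lab post) of one Ruby mechanism by which a JSON document can choose which class gets instantiated: the json gem's `create_additions` hook, which honours a `json_class` key and calls that class's `json_create`. The `AuditLogger` class and the payload are constructed for this example; a real gadget would be an existing class in the application or its gems whose `json_create` (or a method reached from it) leads to a dangerous sink.

```ruby
require "json"

# Hypothetical class (constructed for this example) standing in for any class
# that implements the json gem's `json_create` hook. In a real application this
# would be some class already loaded by the app or one of its gems.
class AuditLogger
  attr_reader :command

  def initialize(command)
    @command = command
  end

  # Invoked by the parser when it sees {"json_class": "AuditLogger", ...} and
  # create_additions is enabled. Attacker-controlled fields arrive in `obj`,
  # so whatever this method (or its callees) does with them is the sink.
  def self.json_create(obj)
    new(obj["command"])
  end
end

# Constructed attacker payload: the client, not the server, picks the class name
# and the fields handed to it.
PAYLOAD = '{"json_class":"AuditLogger","command":"id"}'

# Unsafe: with create_additions the document decides which Ruby class is built.
# Recent json gem versions expose this same path as JSON.unsafe_load.
def unsafe_load(str)
  JSON.load(str, nil, create_additions: true)
end

# Safe: JSON.parse never consults json_class; it is returned as an ordinary
# string key in a plain Hash, and no json_create hook runs.
def safe_parse(str)
  JSON.parse(str)
end

if __FILE__ == $PROGRAM_NAME
  unsafe = unsafe_load(PAYLOAD)
  puts "unsafe_load  -> #{unsafe.class} (command=#{unsafe.command.inspect})"
  safe = safe_parse(PAYLOAD)
  puts "safe_parse   -> #{safe.class} (json_class=#{safe['json_class'].inspect})"
end
```

The practical check when reviewing Ruby code is therefore whether untrusted input reaches `JSON.load` / `JSON.unsafe_load` (or any other loader with additions enabled) rather than `JSON.parse`; the latter keeps attacker data as data.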

Orange Tsai 🍊 (@orange_8361)

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code

Luke Jahnke (@lukejahnke)

I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, Peter Stöckli (GitHub Security Lab) and William Bowling (@vakzz@infosec.exchange). nastystereo.com/security/ruby-…

Ngo Wei Lin (@creastery)

Happy to announce that I'll be speaking alongside Dennis Pacewicz at RubyKaigi next week! We'll be sharing some secret stories on how I gained access to production GitHub credentials using CVE-2024-0200 as well as GitHub Security's remediation efforts. rubykaigi.org/2025/presentat…