XSS delivered via a profile image upload of an SVG containing the payload. This is a fairly common situation where SVG support allows XSS because scripts inside the SVG are not sanitized, but also one we have basically never talked about on the podcast...
Authentication bypass in Apache's OFBiz by including the GET param `requirePasswordChange=Y`; using this simply bypasses the need to authenticate due to some mishandling of errors.
This one starts off with a fun mass-assignment issue. Early on in the processing chain of an HTTP request to CrushFTP's web interface, it parses all the HTTP headers into a Java `Properties` object...
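To illustrate the mass-assignment pattern described above, here is an added example (not CrushFTP's code, and written in Python rather than Java): every request header is copied into the same map that holds server-side settings, so a client can overwrite a setting by sending a header with a colliding name. The setting names and header values are constructed for the example, and the fixed version keeps client-controlled keys under an allow-list and in their own namespace.

```python
# Added example (not CrushFTP's code): merging untrusted headers into a settings
# map versus keeping them isolated behind an allow-list.
from typing import Dict

# Constructed request headers, as a parsed HTTP request might present them.
# "admin_mode" is an attacker-chosen header name colliding with an internal setting.
INCOMING_HEADERS = {
    "Host": "files.example.test",
    "User-Agent": "curl/8.0",
    "admin_mode": "true",
}

# Hypothetical server-side defaults; these names are assumptions for the example.
DEFAULTS = {"admin_mode": "false", "max_upload_mb": "100"}

# Headers the application actually needs; anything else is dropped.
ALLOWED_HEADER_KEYS = {"Host", "User-Agent"}


def build_context_unsafe(headers: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable pattern: every header lands in the same map as trusted settings,
    so the client controls any key, including internal ones."""
    ctx = dict(DEFAULTS)
    ctx.update(headers)
    return ctx


def build_context_safe(headers: Dict[str, str]) -> Dict[str, object]:
    """Fixed pattern: headers are filtered by an allow-list and stored under a
    separate key, so they can never shadow a server-side setting."""
    ctx: Dict[str, object] = dict(DEFAULTS)
    ctx["headers"] = {k: v for k, v in headers.items() if k in ALLOWED_HEADER_KEYS}
    return ctx


if __name__ == "__main__":
    print("unsafe admin_mode:", build_context_unsafe(INCOMING_HEADERS)["admin_mode"])
    print("safe   admin_mode:", build_context_safe(INCOMING_HEADERS)["admin_mode"])
```

The same separation applies to Java's `Properties`: the fix is not to sanitize header values but to stop sharing one namespace between request data and configuration.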
What happens when you don't properly validate OAuth access tokens? Account takeovers.
Bit of an odd bug in the SecurityPoint UTM Firewall admin and user panels. During the normal login flow a user starts off with an empty `sessionID` value; once they authenticate successfully, the server returns a filled-in `sessionID`...
A stupid auth bypass (for the app; great find by the researcher), and a server-side template injection in Pentaho. Starting with the SSTI: Pentaho has a few endpoints to configure and test LDAP connections, and to do so it creates an XML-based bean definition and a properties file containing all the user-provided data...
At its core, we have a simple mistake that can be made pretty easily on all of the cloud platforms, though this post focuses on Azure App Services and Azure Functions. Being able to easily add authentication to your apps on either is nice, but it can easily be misconfigured...
A fairly classic mobile issue: the McAfee Security: Antivirus VPN app is highly privileged and exports a fairly generic `MainActivity`. The `MainActivity` is rather dynamic in terms of what type of content it will load, basically acting as a wrapper to load whatever the real intent was...
This was a fun authorization check bypass: when checking whether higher privileges were needed, the `flag` value was checked for equality with the two privileged actions. Later on, however, when deciding which handler to use for the request, a bitwise operation was used to check whether the specific bit is set...
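An added example (not the affected product's code) of the mismatch described above: the privilege gate compares `flag` for equality with two privileged values, while the dispatcher tests individual bits, so any value with an extra bit set passes the gate yet still reaches a privileged handler. The flag constants and handler names are constructed for the example; the fixed gate uses the same bit mask the dispatcher does, and `audit_gate` is the kind of consistency check a reviewer can run over the whole flag space.

```python
# Added example (not the affected product's code): an equality-based privilege
# check that disagrees with a bitwise dispatcher, and the aligned fix.
from typing import Callable, List

# Constructed action bits for the example.
READ = 0x1
WRITE = 0x2
ADMIN_DELETE = 0x4
ADMIN_CONFIG = 0x8
PRIVILEGED_MASK = ADMIN_DELETE | ADMIN_CONFIG

ADMIN_HANDLERS = {"delete", "config"}


def requires_admin_vulnerable(flag: int) -> bool:
    """Original logic: privilege is only required for an exact match, so a flag
    such as ADMIN_DELETE | READ (0x5) is treated as unprivileged."""
    return flag == ADMIN_DELETE or flag == ADMIN_CONFIG


def requires_admin_fixed(flag: int) -> bool:
    """Fixed logic: test the same bits the dispatcher tests."""
    return bool(flag & PRIVILEGED_MASK)


def select_handler(flag: int) -> str:
    """Dispatcher: bitwise tests, with privileged handlers taking priority."""
    if flag & ADMIN_DELETE:
        return "delete"
    if flag & ADMIN_CONFIG:
        return "config"
    if flag & READ:
        return "read"
    if flag & WRITE:
        return "write"
    return "noop"


def process(flag: int, is_admin: bool, gate: Callable[[int], bool]) -> str:
    """Run the request through the chosen privilege gate, then dispatch."""
    if gate(flag) and not is_admin:
        return "denied"
    return select_handler(flag)


def audit_gate(gate: Callable[[int], bool], max_flag: int = 0xF) -> List[int]:
    """Defensive check: every flag value that the dispatcher would route to an
    admin handler but that the gate lets through unprivileged. Empty means the
    gate and dispatcher agree."""
    return [f for f in range(max_flag + 1)
            if select_handler(f) in ADMIN_HANDLERS and not gate(f)]


if __name__ == "__main__":
    print("vulnerable gate gaps:", audit_gate(requires_admin_vulnerable))
    print("fixed gate gaps:     ", audit_gate(requires_admin_fixed))
```

The underlying lesson is to derive the privilege decision from the same routing logic that picks the handler (or from the handler itself), rather than maintaining two independent interpretations of the flag.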
A long, fairly beginner-friendly post about attacking a Bluetooth lock; there is a lot of process information here as it was an intern's research project. What the vulnerability comes down to, though, is a lack of any real authorization checking: the lock only validates the integrity (poorly!) of the request and trusts that the app did all the heavy lifting.