Kicking off 2024 with a longer episode as we talk about some auditing desktop applications (in the context of some bad reports to Edge). Then we've got a couple fun issues with a client-side path traversal, and a information disclosure due to a HTTP 307 redirect. A bunch of issues in PandoraFSM, and finally some research about parser differentials in SMTP leading to SMTP smuggling (for effective email spoofing).
A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature, turned vulnerability in VS Code which takes a look at just abusing intentional functionality. Several XOS bugs with a web-console. A Sonos Era 100 jailbreak which involves causing a particular call to fail, a common bug path we've seen before, and some discussion about doing fast DNS rebinding attacks against Chrome and Safari.
This week brings up a pretty solid variety of issues. Starting off with some cookie smuggling (and other cookie attacks) which presents some interesting research I hadn't really looked for before that has some potential. Then an AI alignment evasion to leak training data. Not the most interesting attack but it appears to open up some other ideas for further research. A MacOS desktop issue (for a $30k bounty), and some home assistant issues.
This week we've got a few relatively simple bugs to talk about along with a discussion about auditing and manually analysis for vulnerabilities.
This week has an interesting mix of issues, starting with a pretty standard template inject. Then we get into a Windows desktop issue, a TOCTOU in how the Mark-of-the-Web would be applied to file extracted from an archive, a privilege escalation from a Chrome extension, and a bit of a different spin on what you could do with a prompt injection.
Just a few issues this week, a Mastodon normalization issue leading to the potential to impersonate another account. Then we have a more complex chain starting again with a normalization leading to a fairly interesting request smuggling (CL.0 via malformed content-type header) and cache poisoning to leak credentials. Finally a crypto issue with a signature not actually being a signature.
Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.
We've got a mix of topics this week, started with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to having a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluence, and a log injection bug leading to RCE.
This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment when extracting that isn't performed consistently. A MyBB admin-panel RCE, fairly privileged bug but I think the bug pattern could appear elsewhere and is something to watch out for, And several silly issues in a "next-gen" firewall, including source disclosures and RCEs from the login page.
We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.