Just a few issues this week, a Mastodon normalization issue leading to the potential to impersonate another account. Then we have a more complex chain starting again with a normalization leading to a fairly interesting request smuggling (CL.0 via malformed content-type header) and cache poisoning to leak credentials. Finally a crypto issue with a signature not actually being a signature.
Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.
We've got a mix of topics this week, started with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to having a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluence, and a log injection bug leading to RCE.
This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment when extracting that isn't performed consistently. A MyBB admin-panel RCE, fairly privileged bug but I think the bug pattern could appear elsewhere and is something to watch out for, And several silly issues in a "next-gen" firewall, including source disclosures and RCEs from the login page.
We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.
Another bug bounty podcast, another set of vulnerabilities. Starting off with a desktop info-disclosure in KeePass2 that discloses master passwords to attackers (with a high-level of access). A couple Jellyfin bugs resulting in an RCE chain, and a pretty classic crypto issue that allowed for renting luxury cars for extremely cheap.
More bug bounty style bugs, but you'd be forgiven reading that title thinking we had a low-level focus this episode. We got some awesome bugs this week though from tricking Dependabot and abusing placeholder values, an IIS auth bypass. Ending off with a kernel bug (OverlayFS) and a VM escape (Parallels Desktop)
We open up this weeks bug bounty podcast with a discussion about Google's recent support for passkeys, tackling some misunderstanding about what they are and how open the platform is. Also some talk towards the end about potential vulnerabilities to look out for. Then we dive into the vulnerabilities for the week, involving bypassing phone validation in OpenAI, a bad origin check enabling abuse of a permissive CORS policy, and an order of operations issue breaking the purpose of sanitization in Oracle's Opera.
On this weeks bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they'd all creep up in other applications too. First up is an RCE due to nested use of an escaped string. Second a fgets loop that doesn't account for long lines. A XML signature verification tool with a deceptive interface, and last a look at how Bash's privileged mode can backfire.
For this week's bug bounty podcast We start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple desktop-based software bugs, with a Docker Desktop privilege escalation on windows, and a chfn bug. We've also got a couple escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file-writes.
Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code. An auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWK Elastic Kubernetes Service.
Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues. A curl quirk that it might be useful to be aware of, Azure Pipelines vulnerability abusing attacker controlled logging. A look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).
We are back with more discussion about applying AI/ChatGPT to security research, but before that we have a few interesting vulnerabilities. An OTP implementation that is too complex for its own good, a directory traversal leading to a guest to host VM escape, and server-side mime-sniffing.
Recovering data from a cropped image (thanks to an undocumented API change, bypassing an origin check with an emoji, and a trivial SSRF filter bypass all in this week's bug bounty podcast.