Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code. An auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWK Elastic Kubernetes Service.
Posts tagged 'Bounty Podcast'
Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues. A curl quirk that it might be useful to be aware of, Azure Pipelines vulnerability abusing attacker controlled logging. A look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).
We are back with more discussion about applying AI/ChatGPT to security research, but before that we have a few interesting vulnerabilities. An OTP implementation that is too complex for its own good, a directory traversal leading to a guest to host VM escape, and server-side mime-sniffing.
Recovering data from a cropped image (thanks to an undocumented API change, bypassing an origin check with an emoji, and a trivial SSRF filter bypass all in this week's bug bounty podcast.
A few varied issues this week, exploiting an apparently unexploitable CRLF injection, organization secrets exposure in GitHub, and a Jenkins XSS.
This episode covers a lot of ground, from an insecure OAuth flow (Booking.com) to a crazy JSON injection and fail-open login system (DataHub) to hacking Bluetooth smart locks (Megafeis-palm). And even a new ImageMagick trick for a local file read.
Parameter pollution for an auth bypass, SQL injection in an ORM, CRLF injection for a WAF bypass...this episode has a great mix of issues.
A variety episode this week with some bad cryptography in PHP and Azure, information disclosure in suid binaries, request smuggling in HAProxy, and some research on testing for server-side prototype pollution.
Bit slow this week, so we talk about the Top Web-hacking techniques of 2022, and some TruffleSec/XSS Hunter drama before so we cover a blockchain verification bug, and a simple path traversal to SSTI and RCE chain.
Is it possible to escalate a self-XSS into an account takeover? Perhaps, we take a look at some potential options by abusing single-sign on. Then we take a look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP.