Facebook's SMS Captcha page would as you might expect, display a captcha, the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem being that the next location was determined by the `next` url parameter which was entirely attacker controlled, and could be pointed to sensitive GraphQL endpoints.
At its core, a simple, yet odd Linux kernel issue, `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets the `req->work.identity` to `current->io_uring`.
Yet another case of turning attacker data into full-blown objects automatically being a bad idea, in this case we have the Sawyer library used by Octokit turning API response into Ruby objects that is used to build Redis commands, allowing an attacker to inject arbitrary Redis commands leading to code execution with a crafted API response.
Great series of posts covering the authors research progress and eventual owning of a wireless scoreboard system.Unlike a lot of the attacks we cover, this had more of a hardware and even radio signal focus...
Cool research post introducing a few ModSecurity rule bypasses abusing different parser errors in the ModSecurity Code Rule Set.While those specific to ModSecurity are probably patched by now...
Two argument injections that were found in Bitbucket server, though only one of them was exploitable.The first was in the `/rest/api/latest/projects/~USER/repos/repo1/browse` endpoint, where an `at` parameter could be provided...
Just what can be accomplished when webhooks are allowed to access internal services, Cider Security takes a look specifically at abusing GitHub and GitLab webhooks to access internally hosted Jenkin instances.