Bypassing an authentication check in AWS AppSync by changing the case of a JSON key.
Multiple static functions in`InetAddress` like `getByName` and `getAllByName` can be used both to resolve a name string to an IP address, and to validate the format of an address.The problem is that the OpenJDK implementation does not properly validate the format of an IP address string...
This vulnerability builds on/is complicated by two past issues.The first being an RCE via caching of remote font files, we discussed this vulnerability on [Episode 129](https://dayzerosec.com/vulns/2022/03/21/from-xss-to-rce-dompdf-0day.html)...
Cool research post introducing a few ModSecurity rule bypasses abusing different parser errors in the ModSecurity Code Rule Set.While those specific to ModSecurity are probably patched by now...
The vulnerability as reported was closed as not a vulnerability, but it did uncover a bug in the Sanitizer API.