This is effectively a replay attack. Join a channel you can comment in, place a comment, and capture that POST request...
A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/WAF/etc.). Not a crazy idea, but I don't think we've covered any WAF bypass quite like this on the podcast before...
For a GitLab bug, this one is nice and simple: stored XSS in the "default branch name" field. For a group you can set up what the group's default branch name should be for any new repositories created...
When SmugMug bought Flickr from Yahoo they had to move the authentication system away from Yahoo's authentication. A side-effect of this was that the account deletion process had previously used the Yahoo authentication code as the CSRF token, so in the move the token was removed and not replaced with anything functionally equivalent...
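To make the CSRF point concrete, here is an added example (not code from the page, from Flickr, or from SmugMug) modelling an account-deletion endpoint with and without a session-bound token. The endpoint shape, the HMAC token scheme and the request dictionaries are all assumptions constructed for illustration; the point it demonstrates is that the browser attaches the session cookie to a cross-site POST regardless, so once the token check is gone the cookie alone no longer proves the user intended the deletion.

```python
"""Added example, not from the original page: a model of an account-deletion
endpoint before and after its CSRF token check is removed."""
import hashlib
import hmac
import secrets

# Constructed per-deployment secret used to derive session-bound tokens.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Hypothetical token scheme: an HMAC over the session id.

    Anything unguessable and bound to the session works; the removed
    Yahoo auth code played this role before the migration.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def delete_account(request: dict, require_token: bool) -> tuple[int, str]:
    """Model of POST /account/delete (hypothetical path).

    request = {"cookie_session": str, "form": {...}, "origin": str}
    The session cookie is sent by the browser on any POST to this origin,
    including a form auto-submitted from an attacker-controlled page.
    """
    session = request.get("cookie_session")
    if not session:
        return 401, "not logged in"
    if require_token:
        supplied = request.get("form", {}).get("csrf_token", "")
        # Constant-time compare so the check itself does not leak the token.
        if not hmac.compare_digest(supplied, csrf_token_for(session)):
            return 403, "bad csrf token"
    return 200, f"deleted account for session {session}"


def cross_site_delete(victim_session: str, require_token: bool) -> int:
    """Simulate an auto-submitting form on attacker.example (constructed).

    The victim's browser supplies the cookie; the attacker cannot read
    the session-bound token, so the forged form carries none.
    """
    forged = {
        "cookie_session": victim_session,
        "form": {"confirm": "yes"},
        "origin": "https://attacker.example",
    }
    status, _ = delete_account(forged, require_token)
    return status


def legitimate_delete(victim_session: str) -> int:
    """The real confirmation page embeds the token, so this one succeeds."""
    req = {
        "cookie_session": victim_session,
        "form": {"confirm": "yes", "csrf_token": csrf_token_for(victim_session)},
        "origin": "https://flickr.example",
    }
    status, _ = delete_account(req, require_token=True)
    return status


if __name__ == "__main__":
    print("no token check, cross-site:", cross_site_delete("sess-victim", False))  # 200
    print("token check, cross-site:   ", cross_site_delete("sess-victim", True))   # 403
    print("token check, legitimate:   ", legitimate_delete("sess-victim"))         # 200
```

The `require_token=False` path is the post-migration state the blurb describes: the request is well-formed, the cookie is valid, and nothing distinguishes a cross-site submission from one the user made. Binding the token to the session (or to a SameSite cookie policy, in addition) is what a replacement for the removed auth code needs to provide.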
A rather non-intuitive bug where sending `Content-Length: x` would result in source disclosure on Apache.
The idea here is that by overflowing the value containing the size of a header name you can cause the header to be misinterpreted.
Great exploit chain: it starts with a newline injection, leading to the ability to write "2" to any file, culminating in a login and root code execution, all doable with remotely hosted JavaScript.
**tl;dr** A well-positioned attacker (needs to be using the same IP as the victim) can hijack a successful authentication flow and take over the victim's session by polling the `get.cgi` endpoint after the victim's login has succeeded but before the victim has polled the same page (which happens every second).
Authentication bypass by including a magic string in the URL. The string isn't exactly magic; rather, it seems like this page (setcup.cgi) has a single file that needs to be accessed without authentication...
The Shopify GraphQL endpoint has a mutation `appCreditCreate` for Shopify apps to issue credits to merchants that can be used towards future app purchases. While this mutation cannot be used through the GraphQL endpoint at `/admin/internal/web/graphql/core`, the GraphiQL app provided by Shopify does allow the mutation...
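The race described in the tl;dr is easiest to see on a timeline. The following is an added example, not code from the page or from the affected product: a deterministic model of a `get.cgi`-style handoff in which the server keys the pending login result by client IP (so anyone behind the same address can collect it) next to a hardened variant that keys it by a per-login nonce. The IP address, nonce, poll intervals and the `LoginRelay` class are constructed assumptions.

```python
"""Added example, not from the original page: a timeline model of the
get.cgi session-handoff race and a nonce-bound fix."""
import secrets
from typing import Optional


class LoginRelay:
    """Models the server side of the handoff.

    key_by_nonce=False: the pending session is stored under the client IP,
    so the first poll from that IP after login success collects it (weak).
    key_by_nonce=True:  it is stored under a nonce only the logging-in
    browser holds, so a co-located attacker's poll gets nothing.
    """

    def __init__(self, key_by_nonce: bool):
        self.key_by_nonce = key_by_nonce
        self.pending: dict[str, str] = {}

    def login_succeeded(self, ip: str, nonce: str) -> None:
        key = nonce if self.key_by_nonce else ip
        self.pending[key] = "session-" + secrets.token_hex(4)

    def get_cgi(self, ip: str, nonce: Optional[str]) -> Optional[str]:
        """One poll. Returns the session once, to whoever asks first."""
        key = nonce if self.key_by_nonce else ip
        if key is None:
            return None
        return self.pending.pop(key, None)


def simulate(login_done_ms: int, attacker_interval_ms: Optional[int],
             key_by_nonce: bool = False, horizon_ms: int = 3000) -> Optional[str]:
    """Replay a millisecond timeline and report who receives the session.

    The victim polls every 1000 ms (as the blurb states); the attacker,
    sharing the victim's IP, polls every attacker_interval_ms (None = absent).
    On a tie the server processes login first, then the victim's poll, so
    the model never favours the attacker by ordering alone.
    """
    relay = LoginRelay(key_by_nonce)
    victim_ip = "198.51.100.7"        # constructed; attacker is behind the same IP
    victim_nonce = "nonce-victim"     # constructed per-login nonce
    order = {"login": 0, "victim": 1, "attacker": 2}

    events = [(login_done_ms, "login")]
    events += [(t, "victim") for t in range(0, horizon_ms + 1, 1000)]
    if attacker_interval_ms:
        events += [(t, "attacker") for t in range(0, horizon_ms + 1, attacker_interval_ms)]
    events.sort(key=lambda e: (e[0], order[e[1]]))

    for _t, who in events:
        if who == "login":
            relay.login_succeeded(victim_ip, victim_nonce)
        elif who == "victim":
            if relay.get_cgi(victim_ip, victim_nonce):
                return "victim"
        else:
            # The attacker never learns the victim's nonce.
            if relay.get_cgi(victim_ip, None):
                return "attacker"
    return None


if __name__ == "__main__":
    # Login completes at 310 ms; the victim's next poll is at 1000 ms, so the
    # attacker has a ~690 ms window and wins with a 50 ms poll loop.
    print("IP-keyed, attacker polling:   ", simulate(310, 50))                       # attacker
    print("IP-keyed, no attacker:        ", simulate(310, None))                     # victim
    print("nonce-keyed, attacker polling:", simulate(310, 50, key_by_nonce=True))    # victim
```

The decisive parameter is not the attacker's position on the network but the server's choice of key for the pending result: as long as it is the source IP, the victim's own one-second poll is simply too slow to win, and anything that shares that address (NAT, a shared host, a malicious page making the requests from the victim's browser) can collect the session first.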