When using curl, if the `--data-raw` argument starts with a `@` it will be treated as a filename and the file itself will be included as the data of the request. This sort of bug would be hard to exploit in the context of Burp and Chrome, requiring a victim to "Copy as cURL" a malicious request in the first place, and then run it...
A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.
At its core, we have a simple mistake that can be made pretty easily on all of the cloud platforms though this post focuses in on Azure App Services and Azure Functions.Being able to easily add authentication to your apps on either is nice, but they can easily be misconfigured...
A directory traversal vulnerability in Parallels Desktop for MacOS has been identified, leading to a guest-to-host VM escape.Parallels ToolGate, a virtual PCI device, facilitates communication between the guest and host operating systems...
The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily only appears when running the application under Docker.
A curious account takeover and one-time-password (OTP) bypass vulnerability has been identified.During the signup process, users receive an OTP sent to their email address...
When using the `ssrfFilter` library in conjunction with the Request library in JavaScript there is a bug that can result in the SSRF filter being disabled.The way the anti-SSRF library, `ssrfFilter` works is that is creates its own object that cna be used in=place of Node's default request agent for http/http requests...
Solid post document some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API, without going into details about parcels you can think about this as similar to just opening a file.You usually need to provide a `mode`, like `w` for write, or `r` for read access...
A lot of wrong turns, eventually leading to some parameter brute forcing and the discovery of an `href` param when submitting a Forgot Password request.The `href` value would be used to craft the forgot password link with the actual token appended to it that is reflected in the Forgot Password email...
A nice use of the a CRLF Injection to exploit a seemingly unexploitable injection because the browser wouldn't render the page when a `Location` header was present.Basically just used the CRLF injection ot inject a `Connection: Location` header, telling the proxy to treat the `Location` header as a hop-by-hop header and drop it before passing it on to the end-user...
The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin's Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...
Relatively straight forward oauth hijack/account takeover flow with one interesting aspect in actually performing the login with the hijacked OAuth code.
A long, fairly beginner friendly post about attacking a Bluetooth lock, there is a lot of process information here as it was an intern's research project. What the vulnerability comes down to though is a lack of any real authoization checking instead only validating the integrity (poorly!) of the request and trusting the app did all the heavy lifting.
In resizing a PNG, in a textual chunk you have keywords and a text string as a value, if the keyword `profile` is used, imagemagick will try to read the associated filename (the text value for the keyword) and will load the content of the file (if it exists) into the resultant image. So in cases where a user uploaded image is resized or processed in some way by imagemagick, it may be possible to leak file content in the resulting image.