Cool research post introducing a few ModSecurity rule bypasses abusing different parser errors in the ModSecurity Core Rule Set. While those specific to ModSecurity are probably patched by now...
Three vulns that were discovered in Netlify's Next.js lib, which is heavily used across many cryptocurrency sites due to its web3 support. With that context in mind, CIA (confidentiality, integrity, availability) is interesting with web3, as integrity is critical: the data coming from a trusted site needs to be trustworthy, as most users won't go digging through the blockchain to verify that a particular address or transaction matches.
Two argument injections that were found in Bitbucket Server, though only one of them was exploitable. The first was in the `/rest/api/latest/projects/~USER/repos/repo1/browse` endpoint, where an `at` parameter could be provided...
A look at just what can be accomplished when webhooks are allowed to reach internal services: Cider Security specifically examines abusing GitHub and GitLab webhooks to access internally hosted Jenkins instances.
Honestly, this is a bit of a crazy issue to see. During login, if the `LocalPasswordAuthAdapter` gets used, it will attempt to validate the login credentials against whatever host is in the `Host` header, a header an attacker can often control completely. By pointing the header at a domain they control, the attacker can set up a server that responds with an `HTTP 200` to the authentication request, allowing them to log in.
It seems that the syntax highlighting filter will read the `data-sourcepos` attribute rather permissively, including newlines and angle brackets. This value gets reflected back out into the page, where the browser will end up interpreting as HTML some of the text the backend thought was in the attribute.
Inspired by HTTPVoid's February write-up about [Hacking Google Drive Integrations](https://github.com/httpvoid/writeups/blob/main/Hacking-Google-Drive-Integrations.md), this post takes a bit deeper look at how HelloSign patched the SSRF documented there.
Funny bug in Glovo, which is a delivery platform for taking orders and dispatching deliveries. The bug is an integer overflow in the quantity parameter of the POST request for the order, which can affect the total price of the order...
Bug comes from GitLab's use of Rails UJS (Unobtrusive JavaScript). While known `data-*` attributes like `data-url` and `data-method` are stripped by DOMPurify, arbitrary `data-*` attributes aren't...
Authentication bug in Priceline through the use of Google OneTap. The problem is that they assume emails provided through Google OneTap are verified and authentic...
A chain of bugs starting with a "third party" information disclosure and leading to an account takeover. The third-party aspect can be argued, but as a vuln classification it feels like the best fit for the root of this issue...
Authentication bug for the sensitive `/mgmt/tm/util/bash` endpoint, which, as the name suggests, will take commands and execute them. The endpoint was protected by authentication, but that authentication was vulnerable to a kind of desync...