Vulnerabilities

[WebKit] UAF in DOMWindow::open

When the DOMWindow::open method receives a frame name of _top or _parent, it is treated as a special case that immediately schedules a location change. The scheduleLocationChange function is usually invoked asynchronously when the URL is the same as the old one, but if only the URL fragments differ, it runs synchronously and fires a popstate event…


‘Websocket Hijacking’ to steal Session_ID of victim users

web

Websockets have always been a little bit special when it comes to security considerations: they are a newer technology, and their security concerns are often not well understood. Websocket Hijacking tends to occur because websocket connections are not protected by the usual Same-Origin Policy (SOP) that more traditional resources are, so a malicious website can, by default, connect to a foreign websocket using the victim's cookies (assuming SameSite is not at play).


[Sony] SQL Injection Through User-Agent Header

web

The fundamental issue is as basic as it gets: one of the first attacks many budding hackers learn is ' or 1=1 in a login page. Well, this was a SQLi in the username field of a login form, taken a little further by enabling xp_cmdshell and gaining code execution…


IDOR + Account Takeover leads to PII leakage

web

The first issue was that the endpoint for changing a user's password took as an argument a user id which was not validated against the currently logged-in user, allowing any user to change the password of any other account provided they knew that user's unique id. These ID values were thankfully not easily guessed.


Bypassing required reviews using GitHub Actions

An attacker with write access to the repository could bypass branch protection rules that require that all pull requests undergo a code review before being merged. The issue is just a logic issue rooted in the fact that, firstly, anyone with write access can create an unprotected branch and define GitHub Actions for it, and secondly, that a GitHub Action can perform code reviews (though restrictions can be added on who the approved reviewers are)…
