If your data fits in memory there is no advantage to putting it in a database: it will only be slower and more frustrating.
Starred Articles
We hacked a bug bounty target using a novel HTTP Request Smuggling vector, part of a new smuggling class. We later discovered it affected thousands of GCP-hosted websites that were using their Load Balancer.
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. We are introducing a new term: Cross Fork Object Reference (CFOR). A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks).
This article is a world-first reverse engineering analysis of AWS Session Tokens.
In this write-up, we explain how the API for thread descriptions can be abused to perform process injection while bypassing endpoint protection products.
New Articles
Electron JS ASAR Integrity Bypass
07/19/2024 In this article, I explain how simple the integrity check logic of Electron JS ASAR is, and how it can be bypassed without using any reverse engineering.
In this article, I detail how a persistence feature in macOS I recently came across - and that is tied to Dock tile plugins - can be leveraged for privilege escalation.
Adaptive DLL Hijacking
07/19/2024 DLL hijacking is a technique where an attacker exploits the way applications load Dynamic Link Libraries (DLLs) in Windows. In this article, we will review the main techniques that can be used to hijack a DLL.
One Shell To Rule Them All
07/16/2024 In this article, I propose a new tool, oneshell, to solve some of the problems with existing tooling.
We found a type confusion issue in ProseMirror's rendering process that leads to a stored Cross-Site Scripting (XSS) vulnerability in Outline (CVE-2024-40626). An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious JavaScript can execute in the origin of Outline.
How to Analyze Malicious MSI Installer Files
07/17/2024 This blog aims to provide detailed information on the structure and function of MSI files, offering a comprehensive step-by-step guide to analyze these files for potential threats. It highlights the traditional tools and techniques used in the analysis process, ensuring analysts and researchers can effectively identify and mitigate risks associated with malicious MSI installers.
Cracking Electron Integrity
07/20/2024 Electron Apps on macOS offer double integrity protection in the form of ElectronAsarIntegrity, which we should be aware of when trying to patch something in the app. This article will explain how to patch such applications.
This article explains how you can block EDR telemetry reaching its cloud servers by performing a Person-in-the-Middle (PitM) attack and filtering telemetry packets, effectively hiding alerts from the SOC team.
In this article, we demonstrate an entry level technique for penetration testers to get started using a different twist on a familiar technology to attack mainframes.
In this article, I demonstrate that system instructions continue to be suggestions, rather than a security boundary. Do not depend on system instructions alone to protect sensitive information, tool invocations or the "identity" of your LLM Applications.
CHARX Vulnerability Discovery
07/17/2024 This post will detail some of our research on the Phoenix Contact CHARX SEC-3100 and the bugs we discovered.
Phish Out of Water
07/16/2024 This article provides different techniques to prevent proxies, firewalls, and browsers from blocking sketchy files delivering payloads during phishing attempts.
We have recently identified several vulnerable HTTP requests that allow attackers to capture access keys and session tokens for a web application's AWS infrastructure. Attackers could use these keys and tokens to access back-end IoT endpoints and CloudWatch instances to execute commands.
In this article, I will be discussing a sample binary which features virtual machine obfuscation, an obfuscation technique where the source code is compiled to a custom bytecode language and executed by an interpreter for this language.
In this blog post, we'll explain how we discovered three critical vulnerabilities in Kafka UI and how they can be exploited.
Multi-sandwich attack with MongoDB Object ID
07/18/2024 In this article, we're going to present a new time-based attack scenario for obtaining an impact without needing to know the temporality.
This article details a simulated compromise of a set of Amazon Web Services (AWS) resources and a Windows system. We will walk through cloud forensic analysis of CloudTrail logs, analyze vertical (lateral) movement from the data plane to the control plane of AWS, and employ Windows forensics against malware and credential attacks.
In this series of articles, we will show you in a laboratory environment what kind of analysis you should perform against Windows machines that have been hacked or are somehow compromised in the system.
In this second part of the series on forensic analysis of a hacked Windows machine, our aim is to reveal evidence of a structure that has infiltrated the system and to present methods.
Linux Shellcoding
07/22/2024 In this article, we are going to learn about Linux Shellcoding and go through practical knowledge.
This article will try to present a few tricks that we use to inject an in-memory Java payload, illustrated with concrete examples by targeting well-known applications.
In this post, we will examine the Oyster backdoor infrastructure, focusing on HTML titles, body hashes, and TLS certificates.
This blog will cover the basics of an open directory, how you can discover them during hunting, and how to further your investigations into open directory infrastructure.
We identified an opportunity for malicious privilege escalation within Microsoft Azure. A threat actor who obtains the Avere Contributor role in the Azure role-based access control (Azure RBAC) system could obtain access keys for any storage account within an Azure tenant and could make backups of disk images for any virtual machine (VM) within the tenant.
CVE-2019-8805 is a privilege escalation vulnerability found in macOS. The issue arises due to validation problems in the entitlement verification for connected clients. By exploiting this vulnerability, any application can execute arbitrary code with system privileges.
In this article, we will examine how to inject JavaScript into a PDF file to download a file from a specific URL and establish a Command and Control (C2) connection using this method.
We provide a technical analysis of Gh0stGambit, an evasive dropper used to retrieve and execute encrypted payloads, in the context of a campaign aiming at deploying Gh0st RAT.
Hiding Linux Processes with Bind Mounts
07/24/2024 If you have an evil process you want to hide, use a bind mount to mount a different directory on top of the /proc/PID directory for the evil process. In this article, I explain how it can be done by using an existing /proc/PID directory from some other process.
Advanced SQL Injection Techniques
07/25/2024 This post summarizes some advanced techniques to perform SQL injections.
This blog details multiple vulnerabilities found in Deep Sea Electronics DSE855, a communications device that allows monitoring of a single DSE controller with USB connectivity over a wired network connection.
Fuzzing JSON to find API security flaws
07/16/2024 When it comes to API hacking, fuzzing JSON payloads can expose some interesting security vulnerabilities. In this article, I will demonstrate how to do this. From creating a custom wordlist to optimize the fuzzing to automating the detection of a mass assignment vulnerability within Burp Suite, it should be fun.
Still Recent
New Tactics from a Familiar Threat
07/08/2024 call-blockflow is a near duplicate of the legitimate call-bind package. It contains all the functional code and tests from call-bind but with a weaponized package.json file and five additional files: shim.js, polyfill.js, implementation.js, callTo.js, and mod.json. In this article we will discuss each of these in detail.
This article presents the Bus Pirate, an open-source hardware hacking platform designed for interfacing with various protocols and hardware interfaces, serving as the "Swiss Army Knife" of hardware hacking.
Oldies but Goodies
The Key to Identify PsExec
01/18/2023 The focus of this blog is to bring attention to a relatively new method of identifying the source host from which PsExec was executed.
This series is about reverse engineering the ESP32 Wi-Fi networking stack, with the goal of building our own open-source MAC layer. In this first part, we will build static and dynamic analysis tools for reverse engineering. We will also start reverse engineering the transmit path of sending packets.
In this second part, we'll continue reverse engineering, starting with the 'receiving packets' functionality. The goal is to have both transmitting and receiving working. To prove that our setup is working, we'll try to connect to an access point and send some UDP packets to a computer also connected to the network.
This article aims at demystifying how EDRs work by building a custom one that will implement a few techniques used by real EDRs.
How I Met Your Beacon - Part 3: Brute Ratel
08/03/2022 In this first part of the series, we will analyse Brute Ratel, a lesser known command and control framework.
Unearthed Arcana
How I Met Your Beacon - Part 1: Overview
07/22/2022 In this first part of the series, we will view some of the most efficient techniques used to detect C2 beacons.
In this blog post we will discuss strategies that can be used by defenders and threat hunters to detect Cobalt Strike across different configurations and across the network.
WAF Bypassing with Unicode Compatibility
02/19/2020 Unicode Compatibility is a form of Unicode Equivalence in which characters or sequences of characters that may have distinct visual appearances or behaviors are treated as representing the same abstract character. In this article, we will see how it can be used to bypass WAF filters.