Security Review #297

March 06, 2026

If you're not having fun, you're not learning. There's a pleasure in finding things out.

— Richard Feynman

Starred Articles

BlackBoxAI: AI Agent can get your computer fully compromised

In this blog post, I present the results of my research on an AI-based extension for Visual Studio Code. I demonstrate several techniques of prompt injection, further exploitation, and even human emotional manipulation to achieve maximum impact on its users.

101 Chrome Exploitation - Part 2: Common Browser Vulnerability Patterns

This article walks through the major vulnerability classes in Chrome's attack surface: JIT compiler bugs in V8's tiered compilation pipeline, use-after-free patterns in Blink's DOM and rendering code, type confusion from speculative optimization, IPC validation failures across process boundaries, and concurrency bugs in Chrome's threading model.

Ghosts in the Cloud: Hijacking Orphaned Azure Blob Storage

We claimed unused Azure Blob Storage accounts that were still referenced by many live sites and uncovered that these abandoned buckets could deliver malicious PowerShell scripts and JavaScript and expose secrets - effectively enabling remote code execution and supply‑chain attacks.

Defeating Windows DEP Using ROP Chains Leveraging VirtualAlloc

A Practical Walkthrough of Bypassing Windows Data Execution Prevention with Return-Oriented Programming Leveraging VirtualAlloc, applied to Buffer Overflow vulnerabilities in IBM Tivoli Storage Manager FastBack.

New Articles

Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM

In this post, we'll document a Windows 11 elevation of privilege vulnerability triggered by the "Recall PolicyConfiguration" scheduled task which runs as NT AUTHORITY\SYSTEM chained with a junction/symlink and MSI‑rollback technique.

Avira: Deserialize, Delete and Escalate

Three vulnerabilities in Avira Internet Security, from an arbitrary file delete primitive to two distinct paths to SYSTEM privileges: CVE-2026-27748: Arbitrary file delete, CVE-2026-27749: LPE via insecure deserialization, CVE-2026-27750: LPE via TOCTOU folder delete.

Building a Detection Foundation - Part 2: Windows Security Events

Windows has a rich set of security auditing capabilities built in - capabilities that are often either disabled entirely or only partially configured. In this second part, we will delve into the Windows Auditing system and highlight the key events to enable and look at.

How Hackers Defeat Microsoft's 2026 NTLM Patch

As NTLM is phased out and protections around LSASS are tightened, the game is changing. Hackers are adapting, and defenders need to understand how. Our goal today is to walk through how hackers are pivoting to Kerberos-based techniques and, just as importantly, how defenders can disrupt lateral movement or catch attackers early in the process.

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets

A step-by-step guide to exploiting CVE-2025-38617, a use-after-free vulnerability in the Linux kernel's packet socket subsystem, caused by a race condition between packet_set_ring() and packet_notifier(). We achieve full privilege escalation and container escape, and provide a cool bug-hunting heuristic.

mitmproxy for fun and profit: Interception and Analysis of Application

The purpose of this article is to introduce the mitmproxy tool and how to use it, as well as the different techniques that can be implemented to effectively intercept these communications, while taking into account the specific characteristics of each environment.

Delinea Protocol Handler - Return of the MSI: RCE via Custom Launcher

The Delinea Protocol Handler suffers from a Remote Code Execution vulnerability in the sslauncher:// URL handler due to improper sanitisation of server-supplied launcher data. This could be exploited by a malicious actor to execute arbitrary processes on a victim’s machine.

Making the Hashcracky Hashcat Rules

In this post, I am going to go over a few high-level methodologies used to create all the rules on Hashcracky.com. I started making my own rule sets several years ago, and hopefully this documents some process of the common pitfalls and concepts for others to make their own.

Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE

An analysis of CVE‑2026‑21902, a flaw in Juniper's PTX‑Series routers running Junos OS Evolved, where the on‑box anomaly‑detection service (listening on 0.0.0.0:8160) is exposed without authentication and allows an attacker to supply arbitrary commands that are executed via subprocess running as root.

Using AI to Do Simple Reverse Engineering

We demonstrate how an AI‑enabled Ghidra MCP workflow can automatically decompile a stripped Go HTTP server, reconstruct its source‑like code, enumerate API routes and spot real vulnerabilities (e.g., path traversal), delivering useful high‑level insight despite occasional small errors.

Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files

We discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables.

vinext: Vibe-Hacking Cloudflare's Vibe-Coded Next.js Replacement

We vibe-hacked vinext, the Next.js replacement by Cloudflare, and uncovered dozens of critical flaws - race‑condition session hijacking, cache‑poisoning, middleware bypasses, open redirects, and missing auth on API routes.

Kali & LLM: macOS with Claude Desktop GUI & Anthropic Sonnet LLM

This post will focus on an alternative method of using Kali Linux, moving beyond direct terminal command execution. Instead, we will leverage a Large Language Model (LLM) to translate “natural language” descriptions of desired actions into technical commands.

Zeek: Using Zeek with AWS Traffic Mirroring and Kafka

This blog post explains how to use Zeek’s network traffic analysis capabilities in an AWS environment, using the recently published UDP-based packet source plugin to consume VXLAN encapsulated mirrored traffic and forwarding Zeek logs directly to Kafka.

Hacking Better-Hub

I detail 11 vulnerabilities in Better-Hub, an alternative GitHub frontend - a richer, more opinionated UI layer built on Next.js that sits on top of the GitHub API. The vulnerabilities range from low risk (Open Redirect via Query Parameter) to critical (Cache Deception - Private File Access), through high risk XSS and authorization bypass.

Abusing Cortex XDR Live Terminal as a C2

The Cortex XDR agent includes an incident response feature called "Live Terminal". We demonstrate that it can be abused by attackers as a pre-installed, EDR-trusted C2 channel, providing an unexpected "Living off the Land" technique.

The Art of Deception: Typosquatting to Bypass Detection

We review typosquatting, a deceptive technique in which threat actors register misspelled or look-alike domains of legitimate organizations to trick users into visiting fraudulent sites, and how to defend against it.

SURXRAT Downloads Large LLM Module From Hugging Face

We provide a technical analysis of SURXRAT, an actively developed Android Remote Access Trojan (RAT) that is now downloading large LLM modules, signaling an expansion of its operational capabilities.

On the Effectiveness of Mutational Grammar Fuzzing

Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. In this blogpost I will introduce what I perceive to be the flaws of the mutational coverage-guided grammar fuzzing approach. I will also describe a very simple but effective technique I use in my fuzzing runs to counter these flaws.

Apache ActiveMQ Exploit Leads to LockBit Ransomware

A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server, then performed post-exploitation activities, moved laterally across the network and deployed ransomware.

Abusing .arpa: The TLD That Isn't Supposed to Host Anything

We found a novel method to get around phishing security controls. Actors are abusing the .arpa top-level domain (TLD), in conjunction with IPv6 tunnels, to host phishing content on domains that should not resolve to an IP address, but do because of the special role of the .arpa domain in the domain name system.

Investigate a past event in the log

We detail how to browse log entries for an event that occurred many days after its entries have been removed from the active log, by discovering its exact time and the processes involved.

Still Recent

Persistence: The Art of Staying In

The definitive red team guide to persistence across every platform: 50+ techniques across Windows, Linux and macOS. We also provide real-life case studies from Volt Typhoon, Salt Typhoon, Turla, Lazarus, APT29, APT28, APT41 and UNC3944/Scattered Spider.

Oldies but Goodies

101 Chrome Exploitation - Part 0: Preface

In this first part, we will introduce Chrome exploitation techniques by analyzing a complete functional full-chain relying on an initial memory corruption and sandbox escape vulnerabilities.

Introducing AppsIndex.db: New Windows 11 Artifact for Tracking Start Menu Application Execution

The AppsIndex.db database offers forensic investigators a useful lens into user activity, specifically the execution of applications present in the Windows Start Menu. It can reveal which Start Menu applications were launched and how frequently they were launched, providing a valuable data point for user behavioural analysis.