The workshop gather examples I came accross in various assesments of the last few years. Testers (including myself) tend to go for the more complex techniques. I am hoping it will help put the spotlight on ideas that are not encoding related.
h3xStream's blog
Monday, December 5, 2022
Hackfest 2022: Web Application Firewall (Bypasses) Workshop
Thursday, March 17, 2022
6 Privacy Pitfalls for Developers to Avoid
While tech-savvy people are very concerned about privacy, knowing where to find metadata leaks can be nebulous even for developers. In this blog post, we will explore examples of unexpected user information leakage. We hope that the information shared in this blog will help developers assess and address potential privacy issues with their applications, as well as educate end-users about potential risks to their privacy that can result from information leaks.
We picked six examples based on design flaws that are often overlooked. We recognize that common vulnerabilities such as SQL injection and memory corruption often lead to confidentiality and privacy issues as well. We feel that these issues also pose a significant risk to privacy and can compromise personal data if not addressed properly.
Tuesday, December 21, 2021
TOCTOU Vulnerability in Log4J 2.15
JndiManager
).Monday, October 25, 2021
Bypassing ModSecurity WAF
Being able to bypass Web Application Firewall (WAF) depends on your knowledge about their behavior. Here is a cool technique that involve expressions that are ignored in MySQL SQL parser (MySQL <= 5.7). This post summarizes the impact on libinjection. The libinjection library is used by WAF such as ModSecurity and SignalScience. For more details on AWS Cloudfront impact, read the original GoSecure article.
Tuesday, April 13, 2021
Creating A Custom View for WebSocket in ZAP
When we were looking at the interactions between the Outlook and the LinkedIn APIs, we encountered WebSocket communications that used some additional encoding. The encoding was nothing too complex, but it was uncommon. It turned out to be LZip compression. However, the inability to read the content of the requests with Burp, ZAP or Web developer consoles in real-time made it difficult to analyze the API.
While our proxy of choice is usually Burp Suite, it did not allow us to extend WebSocket views. We turn ourselves to the open-source project Zed Attack Proxy. It reveals to be easily extendable for custom WebSocket tooling. In this blog post, we will explain how you can implement your own custom view to display complex WebSocket messages.
Wednesday, April 7, 2021
Deanonymizing LinkedIn Users
This short article is not exactly about a vulnerability. It is about documenting risks that LinkedIn is aware of. Our goal is to educate users about it. Meanwhile, we are going to go over technical details that are not explicitly described in LinkedIn’s online documentation and terms and conditions.
The impact in a nutshell: Your LinkedIn email and phone number can be found by users beyond your first-degree connections.
Tuesday, March 16, 2021
6 ways to enumerate WordPress Users
install a security plugin which disables the specific route or block specific request paths.
After evaluating hundreds of websites, we can say that rare are the sites that have totally blocked the feature.