Channel: RCE Security
Browsing all 10 articles

Bug Bounty Platforms vs. GDPR: A Case Study

What Do Bug Bounty Platforms Store About Their Hackers? I do care a lot about data protection and privacy things. I’ve also been in the situation, where a bug bounty platform was able to track me down...


CVE-2020-16171: Exploiting Acronis Cyber Backup for Fun and Emails

You have probably read one or more blog posts about SSRFs, many being escalated to RCE. While this might be the ultimate goal, this post is about an often overlooked impact of SSRFs: application logic...


Smuggling an (Un)exploitable XSS

This is the story about how I’ve chained a seemingly uninteresting request smuggling vulnerability with an even more uninteresting header-based XSS to redirect network-internal web site users without...


AWAE Course and OSWE Exam Review

Introduction This is a review of the Advanced Web Attacks and Exploitation (WEB-300) course and its OSWE exam by Offensive-Security. I’ve taken this course because I was curious about what secret...


WordPress Transposh: Exploiting a Blind SQL Injection via XSS

Introduction You probably have read about my recent swamp of CVEs affecting a WordPress plugin called Transposh Translation Filter, which resulted in more than $30,000 in bounties: [CVE-2021-24910]...


From Zero to Hero Part 1: Bypassing Intel DCM’s Authentication by Spoofing...

This small series of two blog posts covers an entire vulnerability chain to go from unauthenticated user to full remote code execution against Intel's Data Center Manager (up to version...


From Zero to Hero Part 2: From SQL Injection to RCE on Intel DCM...

Introduction You’ve probably enjoyed my previous post about bypassing Intel DCM’s authentication mechanism to gain unauthorized access. This gave us the lowest possible “Guest” privileges in the DCM...


SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication (CVE-2023-22620)

While working on a recent customer engagement, I discovered two fascinating and somewhat weird bugs in SecurePoint’s UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an...


SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897)

While my last finding affecting SecurePoint’s UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. The following exploit works against both the...


Patch Diffing CVE-2023-28121 to Compromise a WooCommerce

Back in March 2023, I noticed an interesting security advisory that was published by Wordfence about a critical “Authentication Bypass and Privilege Escalation” (aka CVE-2023-28121) affecting the...
