PT SWARM

Channel address: @ptswarm
Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel

Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting

Ratings & Reviews: 1.33 (3 reviews)
5 stars: 0 | 4 stars: 0 | 3 stars: 0 | 2 stars: 1 | 1 star: 2

The latest messages

2022-02-03 14:29:22 A Tip for SQL Injection WAF Bypass
2022-02-01 12:32:11 A story of leaking uninitialized memory from Fastly

by Emil Lerner

This post will go through a QUIC (HTTP/3) implementation bug in the H2O webserver. The bug is pretty interesting as it affected Fastly in a way that allowed stealing random requests and responses from uninitialized memory of its nodes, somewhat similar to CloudBleed.

Contents:
• Setting up a test environment
• Detecting which software is used
• QUIC streams
• Data transfer
• The bug
• The exploit plan
• Exploitation
• Disclosure
• Conclusion

https://medium.com/@emil.lerner/leaking-uninitialized-memory-from-fastly-83327bcbee1f
2022-01-27 16:21:51
The CFP for Positive Hack Days 2022 is open!

It's time to present your novel techniques/research.

This year the conference will be in a hybrid format (offline and online) both for speakers and participants.

Submit your proposal - https://cfp.phdays.com
2022-01-27 10:35:35 Hacking the Apple Webcam (again)

by Ryan Pickren

Gaining unauthorized camera access via Safari UXSS. This research resulted in 4 0-day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack.

Contents:
• Summary
• Background
• The Attack Plan
• Exploration of custom URI Schemes
• Exploit Requirements
• ShareBear Application
• Bonus Bug: Iframe Sandbox Escape
• Quarantine and Gatekeeper
• Shortcuts
• Full Chain
• Remediation
• Bonus Material (#1)
• Bonus Material (#2)
• Conclusion

https://www.ryanpickren.com/safari-uxss
2022-01-19 16:17:02 Our research "Fuzzing for XSS via nested parsers condition" is in the Top 10 Web Hacking Techniques of 2021 nomination list. Don't forget to vote for us if you enjoyed the technique.

Link for voting: https://portswigger.net/polls/top-10-web-hacking-techniques-2021
2021-12-29 17:03:45
New article "Fuzzing for XSS via nested parsers condition" by our researcher @Psych0tr1a.

This technique allowed us to find a bunch of vulnerabilities in popular web products that no one had noticed before!

https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/
2021-12-23 12:12:11 Cache Poisoning at Scale

by Youstin

Even though Web Cache Poisoning has been around for years, the increasing complexity of technology stacks constantly introduces unexpected behaviour which can be abused to achieve novel cache poisoning attacks. In this paper the author will present the techniques that he used to report over 70 cache poisoning vulnerabilities to various Bug Bounty programs.

Contents:
• Backstory
• Incorrect Handling of the URL Fragment in Apache Traffic Server (CVE-2021-27577)
• GitHub CP-DoS
• GitLab CP-DoS
• X-Forwarded-Scheme - Rack Middleware
• CP-DoS on Hackerone.com static files
• Single request DoS of www.shopify.com
• Stored XSS on 21 subdomains
• Cloudflare and Storage Buckets
• S3 Bucket
• Azure Storage
• Fastly Host header injection
• Injecting Keyed Parameters
• User Agent Rules
• Illegal Header Fields
• Finding New Headers
• Common headers
• Conclusion

https://youst.in/posts/cache-poisoning-at-scale/
2021-12-10 11:26:13 RCE 0-day exploit found in log4j, a popular Java logging package

by Free Wortley, Chris Thompson

A 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string. This post provides resources to understand the vulnerability and how to mitigate it.

Contents:
• Who is impacted?
• Affected Apache log4j Versions
• Temporary Mitigations
• How the exploit works
• Exploit Requirements
• Example Vulnerable Code
• Exploit Steps
• How you can prevent future attacks

https://www.lunasec.io/docs/blog/log4j-zero-day/
2021-12-07 16:52:25
PoC for a stored XSS in MyBB < 1.8.25 (CVE-2021-27279). The vulnerability was found by our researcher Igor Sak-Sakovskiy.

Payload: [email]a@a.a?[email=a@a.a? onmouseover=alert(1) a]a[/email][/email]

Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w
2021-11-30 16:57:47 No CVE, because of: https://twitter.com/ptswarm/status/1463883088589692930