SSRF 1 This SSRF allowed me to view local files on the host as well as port scan internal hosts. Reading /etc/passwd using the file protocol. Brute-forcing for log files using BurpSuite Intruder: S…

This XSS was via embedly which controls the content-type response to image types. Luckily .svg was allowed. I used this blog to help create a .svg that contained XSS.   PoC: <?xml version=&…

JFrog Artifactory XXE

In Facebook Graph API as defined by the developer documentation, there are several access tokens, to authenticate against various API endpoints. User Access Tokenmake requests on behalf of the user, normally obtained via OAuth facebook.com/dialog/oauth Page…

Meta Rayban Stories has lower-level settings to change via the View (Assistant app) for example enable Assistant change inner LED notification level change volume Since the method for these settings are shared for other options defined in the firmware, it…

There is a XController that allows information to be returned about an Instagram user. This feature discloses the country of a private account. Even if this feature is an ad tool, this does not support the privacy of a private account. Additionally the owner…

There is a root GraphQL query that gives one access to numerous CrowdTangle API calls including one that lists the deleted objects for popular Facebook entities by date. Regular users shouldn’t have access to CrowdTangle this way. The data was of the form…

Facebook allows a user or page (gaming creator) to delegate users as community managers (CM) for moderating comments on live gaming videos. When a user invites a person as a CM, this will add the person to a pending community manager list. It’s assumed that…

Facebook campus is a special group that needs an .edu styled email to gain access.It is possible to list members of a campus because the child groups list members. Timeline Jul 14, 2021 – Report sentJul 23, 2021 – Fixed by Facebook

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

1) Intro & Motivations

At the start of of this year, I set myself a personal goal of finding 365 bugs in 365 days.

This was entirely motivated by wanting to challenge myself to find more security issues as I felt I'd been slacking off.

I thought back to…

When gaining shell access to a machine on a network, a promising attack vector is to check the internal network for web applications and services that may be accessible from the machine that has been compromised.

Often, internal web applications are found…

As of late, a fair few companies and startups have been using dedicated URL shortner services to use for tracking and social media purposes. An example link from such URL shortners look like this invent.ge/1j1QxGo or invent.ge/DNATool. Note that both custom…

As of late, I have been pentesting more and more applications that use some sort of mechanism to prevent unauthorized access to directories based on client IP addresses. In many cases, this has proven to be a weak method of protection if implemented incorrectly.…

Security for young people is something I care about. We need to make an investment whether it be time, money or support or university outreach, to get younger people (preferrably students) to see security as a viable, exciting and worthwhile career. The real…

Exploiting Markdown Syntax

Markdown is wonderful. In fact, this blog post itself is written in Markdown. I don't need to use lengthy uneccessary HTML for simple things like links, tables, code blocks and lists. Nor do I need to go out of my way to do simple…