RSS.Social

Spaceraccoon's Blog

Posts

Escaping the Matrix: Client-Side Deanonymization Attacks on Privacy Sandbox APIs

Getting a Shell on the LAU-G150-C Optical Network Terminal

Cybersecurity (Anti)Patterns: Frictionware

Cybersecurity (Anti)Patterns: Busywork Generators

Pwning Millions of Smart Weighing Machines with API and Hardware Hacking

Universal Code Execution by Chaining Messages in Browser Extensions

Cache Me If You Can: Local Privilege Escalation in Zscaler Client Connector (CVE-2023-41973)

Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)

Hacking HP Display Monitors via Monitor Control Command Set (CVE-2023-5449)

Passing the New OSEE Exam After Forgetting Everything

Rule Writing for CodeQL and Semgrep

I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS

Challendar: Creating a Challenge for The Infosecurity Challenge 2022

Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl

You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications

Embedding Payloads and Bypassing Controls in Microsoft InfoPath

Solving DOM XSS Puzzles

2Q21: New Year's Reflections

The InfoSecurity Challenge 2021 Full Writeup: Battle Royale for $30k

All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021-38646)

All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021-33035)

Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling

ROP and Roll: EXP-301 Offensive Security Exploit Developer (OSED) Review and Exam

Life's a Peach (Fuzzer): How to Build and Use GitLab's Open-Source Protocol Fuzzer

Offensive Security Experienced Penetration Tester (OSEP) Review and Exam

Applying Offensive Reverse Engineering to Facebook Gameroom

Supply Chain Pollution: Hunting a 16 Million Download/Week npm Package Vulnerability for a CTF Challenge

Imposter Alert: Extracting and Reversing Metasploit Payloads (Flare-On 2020 Challenge 7)

Beat The Clock: The CSIT InfoSecurity Challenge

Open Sesame: Escalating Open Redirect to RCE with Electron Code Review

Closing the Loop: Practical Attacks and Defences for GraphQL APIs

Same Same But Different: Discovering SQL Injections Incrementally with Isomorphic SQL Statements

A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell

Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2

Low-Hanging Apples: Hunting Credentials and Secrets in iOS Apps

From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13