The criteria I used to rank:
- The level of complexity of the research. (How hard for me to do the same research?)
- The usefulness of the research to other security researchers.
- Novelty, scale of exploitation and impact
Top candidates
- Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization
- https://github.com/thezdi/presentations/blob/main/2023_Hexacon/whitepaper-net-deser.pdf
- This is the clear winner for me. The first reason is, that the documentation offers a lot of educational content and a lot of content to take and use in future exploitation.
- Has novelty, and a lot of highly impactful findings
- https://github.com/thezdi/presentations/blob/main/2023_Hexacon/whitepaper-net-deser.pdf
- Smashing the state machine: the true potential of web race conditions
- https://portswigger.net/research/smashing-the-state-machine
- A lot of educational content and tooling.
- The bugs are waiting to be found by someone to use this knowledge
- https://portswigger.net/research/smashing-the-state-machine
- Code Vulnerabilities Put Proton and Skiff Mails at Risk
- https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton-mail/
- https://www.sonarsource.com/blog/code-vulnerabilities-put-skiff-emails-at-risk/
- I consider these two as same research
- We see a lot of complex CTF client-side challenges, but we rarely see CTF-like bugs being exploited. These two are one of those rare bugs.
- One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
- https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/
- I ranked this top because of the scale of exploitation.
- Side Note: This is one of those bugs where products with features involving dangerous warnings say “Use the feature securely”, but most of the developers don’t consider those warnings.
- Interestingly, the company that developed the product failed to follow their warning. How ironic.
- Also, https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/ introduced the issues with self-hosted runners before.
- https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/
- Chained to hit: Discovering new vectors to gain remote and root access in SAP Enterprise Software
- https://i.blackhat.com/BH-US-23/Presentations/US-23-Genuer-chained-to-hit-discovering-new-vectors-to-gain-remote-and-root-access-in-sap-enterprise-software-wp.pdf
- I don’t think it has one of those complex bugs but finding targets like this and exploiting them skill in itself
- mTLS: When certificate authentication is done wrong
- https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
- Ranked in the top 10, because the research has new ideas for me to use in future audits or bug hunting.
- Three New Attacks Against JSON Web Tokens
- https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens-whitepaper.pdf
- Ranked in the top 10, because the research has new ideas for me to use in future audits or bug hunting.
- https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens-whitepaper.pdf
- can I speak to your manager? hacking root EPP servers to take control of zones
- https://hackcompute.com/hacking-epp-servers/
- Very basic bug, but you rarely see people exploiting highly impactful bugs in the depths of the internet.
- https://hackcompute.com/hacking-epp-servers/
- Compromising LLMs using Indirect Prompt Injection
- https://github.com/greshake/llm-security
- Ranked because of the novelty of the bug. :. Cookie Crumbles: Breaking and Fixing Web Session Integrity
- https://www.usenix.org/conference/usenixsecurity23/presentation/squarcina
- Also similar to similar research this year by Ankur https://blog.ankursundara.com/cookie-bugs
- https://github.com/greshake/llm-security
Some more very interesting stuff below.
- https://portswigger.net/research/blind-css-exfiltration
- https://portswigger.net/research/server-side-prototype-pollution
- https://medium.com/@renwa/you-are-not-where-you-think-you-are-opera-browsers-address-bar-spoofing-vulnerabilities-aa36ad8321d8
- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/
TL;DR; A contributor can run code in runner via pull request and steal secrets. Don’t let arbitrary code run in the GitHub or self-hosted runners through pull requests, injections in workflows and maybe some supply chain issues on the built code itself.
You Are Not Where You Think You Are, Opera Browsers Address Bar Spoofing Vulnerabilities
TL;DR: Pretty cool Opera browser address bar spoofs.Interesting takeaway, from local file:/// you can use a renderer exploit to skip the renderer-side checks and read arbitrary files, not sure if it still works.
https://portswigger.net/research/smashing-the-state-machine
TL;DR: Performing race conditions without network jitter using single-packet attacks. Very hard to exploit as it is a black box, but I am pretty sure there are a lot of bugs waiting to be exploited.
Single packet idea based on usenix paper.
https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html
A subtle bug where an SSRF filter is not applied when a redirect is done from one protocol(HTTPs) to another (HTTP)
https://vulncheck.com/blog/juniper-cve-2023-36845
TL;DR: PHP RCE on some firewall software, PoC 1 by Watchtowr: uploads php.ini and sets PHPRC env variable to php.ini location, this PoC 2 by Vulncheck: file upload not working, so they used stdin and set PHPRC=/dev/fd/0 which effectively parses php.ini from stdin. Takeaway, Just two ASM companies scavenging the Ndays.
https://btlfry.gitlab.io/notes/posts/memcached-command-injections-at-pylibmc/
TL;DR: Flask session with Memcached store is vulnerable to command injection via pickle deserialization. if arbitrary user input(a key with Python pickle) can be set in the session which will be inserted into the Memcached store as key-value pairs.
Note: inspired by https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
https://codewhitesec.blogspot.com/2023/03/jmx-exploitation-revisited.htmlTL;DR: Novel JMX exploitation via using default MBean classes
https://joaxcar.com/blog/2023/10/06/cve-2022-4908-sop-bypass-in-chrome-using-navigation-api/
TL;DR: Chrome same-site(cross-origin) URL leak via navigation.entries()
https://0day.click/recipe/pash/
TL;DR: a command injection in Mozilla SCM, user email from ssh input is injected to LDAP but sanitized so no ldap injection but null bytes were used to truncate ldap query and inject command later which went to find command sink later
https://blog.sorcery.ie/posts/mybb_acp_rce/
TL;DR: preg_match(XXX, preg_replace(YYY, '', $input). preg_match can be bypassed if preg_replace hits backtrack limit via redos which returns empty string.
https://0x44.xyz/blog/cve-2023-4369/index.html
TL;DR: an old filesystem:// protocol which acts similar to file renders in chrome:// protocol. What can go wrong? xD
https://github.com/musana/fuzzuli
TL;DR: Not a research I think, just a tool which creates a dynamic wordlist based on the domain.
https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle
TL;DR: some php sorcery, elegant error-based oracle using iconv and dechunck filters to read file(input). Probably can only see it in a CTF challenge.
https://osec.io/blog/2023-11-01-metamask-snaps/
TL;DR: Pretty good intro to how snaps work and the bug is pretty clever TOCTOU, where they overwrite the toJSON property of an innocent-looking object to malicious value, and checks are performed on actual input but later JSON.stringify is called which returns a malicious toJSON data. Clever use of JS quirk
TL;DR: Contains an MXSS, clever CSS Exfil, and CSP bypass to steal email. Pretty cool chain.
https://www.usenix.org/conference/usenixsecurity23/presentation/squarcina
TL;DR: Academic research on cookie tossing for CSRF from the same-site, and cookie parsing issues by browsers and servers. Decent
https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=4
TL;DR: A presentation of various SAML attacks. Nothing new but good presentation on most of the SAML attacks.
https://sec-consult.com/blog/detail/dns-analyzer-finding-dns-vulnerabilities-with-burp-suite/
TL;DR: A Burp extension to help DNS Attacks specifically Kaminsky attack
https://www.intruder.io/research/split-second-dns-rebinding-in-chrome-and-safari
Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari
TL;DR: DNS Rebinding using both AAAA(attacker.com) and A(localhost) record, browser prioritizes AAAA first, if it returns connection reset, it will go A record.
tRPC Security Research: Hunting for Vulnerabilities in Modern APIs
TL;DR: Intro to tRPC, looks like similar to normal API testing to me.
https://blog.ryotak.net/post/dom-based-race-condition/
DOM-based race condition: racing in the browser for fun
TL;DR: Using connection poll filling technique to block a request to angular JS and bypass whitelist-based chrome copy-paste sanitized. I found a bypass on copy-paste sanitizer while working on a pentest at the same time xD
https://infosecwriteups.com/hacking-into-grpc-web-a54053757a45
Hacking into gRPC-Web
TL;DR: A nice tool for making gRPC-Web testing easier https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/
AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice
TL;DR: MSSQL has weird feature where you can execute batch queries without any kind of termination between queries, so they used it to bypass WAF.
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
State of DNS Rebinding in 2023
TL;DR: A good intro how browsers are stopping DNS rebinding attacks on local networks which is in WIP, and some ways to bypass the current mitigations
https://trufflesecurity.com/blog/of-cors/
Bypass firewalls with of-CORs and typo-squatting
TL;DR: Interesting, buy a typosquat domain run a mass CORS testing service worker on internal domains, and wait for some internal guy to navigate to typosquat domain.
https://blog.abdulrah33m.com/prototype-pollution-in-python/
Prototype Pollution in Python
TL;DR: Abusing special attributes(class, base, global) of an Object and pollute them when merges performed on a user-controlled JSON and an Object. But I think the exploitability is very less unlike JS PP.
https://portswigger.net/research/server-side-prototype-pollution
Server-side prototype pollution: Black-box detection without the DoS
TL;DR: A lot of interesting gadgets to perform blind Prototype pollution attacks on server-side applications without DoSing them.
https://github.com/thezdi/presentations/blob/main/2023_Hexacon/whitepaper-net-deser.pdf
Exploiting Hardened .NET Deserialization
TL;DR: Wow, 123 pages of Gold mine to exploit .NET Deserialization bugs. Several new deserialization/serialization gadgets in .NET Framework, third-party libraries.
Serialization gadgets are pretty cool, calling an arbitrary getter while serializing user-controlled deserialized input.
Watch this later: https://www.youtube.com/watch?v=_CJmUh0_uOM
https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-account-compromise/
Azure B2C – Crypto Misuse and Account Compromise
TL;DR: Phew, Uses an RSA public key to sign a Refresh token, and somehow its possible to retrieve that public key and sign arbitrary refresh token. Interestingly, the tutorial says to use public key for signing 🤦. MICROSOFT wrong docs
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
SMTP Smuggling - Spoofing E-Mails Worldwide
TL;DR: SMTP smuggling between inbound and outbound SMTP servers has discrepancies on how the end of sequence (CRLF) is considered. Impact? Only for phishing? 🤔 but looks bad
https://github.com/greshake/llm-security
New ways of breaking app-integrated LLMs
TL;DR: Indirect prompt injection attacks. Have they introduced this thing or some one did it before? Looks interesting tho. You add hidden malicious prompts to the stuff LLM working on (website) and this hidden prompt controls LLM instead of prompt from user
https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/
Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory Leve
TL;DR: Similar to https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/, but Adnan exploited in the wild.
https://offzone.moscow/upload/iblock/11a/sagouc86idiapdb8f29w41yaupqv6fwv.pdf
HTTP Request Splitting vulnerabilities exploitation
TL;DR: nginx requesting splitting vulnerabilities when $uri or $document_uri and other things which allow CRLF. Nothing new but exploited on some nice targets.
https://asdqw3.medium.com/xss-in-gmail-dynamic-email-amp-for-email-3872d6052a0d
XSS in GMAIL Dynamic Email (AMP for Email)
TL;DR: Some sanitizer bypass by injecting HTML into properties inside style tag. Sadly csp blocked it, good find.
https://labs.hakaioffsec.com/nginx-alias-traversal/
Hunting for Nginx Alias Traversals in the wild
TL;DR: One more hunt for in the wild nginx misconfigs this time with misconfiguration in nginx alias
https://hackerone.com/reports/2089042
Yelp ATO via XSS + Cookie Bridge
TL;DR: A nice self XSS to ATO via abusing on of the site features
https://blog.ankursundara.com/cookie-bugs/
Cookie Bugs - Smuggling & Injection
TL;DR: One more cookie parsing issue in servers. Cookie smuggling: discrepancy in two versions of RFC allowed how quotes are parsed. Cookie injection: how few servers considers some characters such as space and comma as cookie separator
https://www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/
Pretalx Vulnerabilities: How to get accepted at every conference
TL;DR: Bugs in a conference planning tool. Nothing new, just some usual bugs.
https://portswigger.net/research/blind-css-exfiltration
Blind CSS Exfiltration: exfiltrate unknown web pages
TL;DR: Nice CSS exfil technique using CSS variables and new :has selector.
https://www.paloaltonetworks.com/blog/prisma-cloud/github-actions-worm-dependencies/
The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
TL;DR: hmm taking over repos or npm packages which host actions and overwriting these actions to perform malicious actions. Its like taking over node package and getting rce but with actions
https://kapytein.nl/from-an-innocent-client-side-path-traversal-to-account-takeover
From an Innocent Client-Side Path Traversal to Account Takeover
TL;DR: Nice client side path traversal to ATO, using an open redirect to steal X-token header using path traversal
https://www.sonarsource.com/blog/teamcity-vulnerability/
Source Code at Risk: Critical Code Vulnerability in CI/CD Platform TeamCity
TL;DR: A subtle misconfiguration in spring request interceptor which validates path and check if auth should be applied for specific path. No auth for /**/RPC2, they found an API endpoint which allows creating api token ending with arbitrary name in the endpoint end so, you can create an api without auth
https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced/
EmojiDeploy: Smile! Your Azure web service just got RCE’d ._.
TL;DR: A misconfigured origin validation for CSRF requests in an Azure SCM. Same-site none
https://www.ambionics.io/blog/wrapwrap-php-filters-suffix
INTRODUCING WRAPWRAP: USING PHP FILTERS TO WRAP A FILE WITH A PREFIX AND SUFFIX
TL;DR: another php filter magic, this time create a valid json or xml using the filter by adding prefixes
https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover
TL;DR: One more unclear microsoft docs? Any azure ad directory - multi tenant should show an warning sign before configuring an app to use aad. The bug is any azure tenant can login to apps which configure multi tenant, funny enough ms is vulnerab le itself
Chained to hit: Discovering new vectors to gain remote and root access in SAP Enterprise Software
TL;DR: A nice chain of bugs to exploit SAP applications. A JNDI injection to enable arbitrary apps which gives access to an java based protocol called p4 which is also based on JNDI? and exploited and get root via a priv escalation on unauth service.
https://www.sonarsource.com/blog/code-vulnerabilities-put-skiff-emails-at-risk/
Code Vulnerabilities Put Skiff Emails at Risk
TL;DR: One more nice DOM bugs to exploit email, an MXSS, sandbox bypass and csp bypass
https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html
Java Exploitation Restrictions in Modern JDK Times
TL;DR: fixing deserialization gadgets for latest JDK as there are some restrictions/changes in latest versions.
https://security.lauritz-holtmann.de/post/xss-ato-gadgets/
SSO Gadgets: Escalate (Self-)XSS to ATO
TL;DR: XSS to ATO by exploiting OAuth and OIDC flows
Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP.NET Framework (CVE-2023-36899 & CVE-2023-36560)
TL;DR: Path validation confusion via cookieless feature. Lol didn’t there exist a feature called cookieless. Also this is one funny looking url https://[targetdomain]/(S(aaaaaaaaaaaaaaaaaaaaaaaa))/default.aspx
Thirteen Years On: Advancing the Understanding of IIS Short File Name (SFN) Disclosure!
TL;DR: I also dont know about FAT filesystem only supporitng file length of 12. Latest Windows shortens if it support short file name. Using this infor, we can leak files from iis servers. Not sure how relevant it is now
https://hackcompute.com/hacking-epp-servers/
can I speak to your manager? hacking root EPP servers to take control of zones
TL;DR: XXE on EPP servers. EPP servers are responsible for communication between registrar and registries, EPP is typically implemented as an API between the registrar’s web interface and the Registry. A pretty impactful bug
Note: https://github.com/google/nomulus registry service used by google
Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747
TL;DR: HTTP request smuggling in apache httpd ajp protocol found by some guy used to exploiut f5 which is using unpatched version, to access internal resources unauth
https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
Oh-Auth - Abusing OAuth to take over millions of accounts
TL;DR: Abusing lack of token validation in apps, apps not checking if token provided by the user is actually generated for them, so attacker can provide X app token to Y app and Y app requests fb graph api asking if its valid token, it says valid and returns email and also say it belongs to X, but our Y doesn’t check it and accepts.
https://dl.acm.org/doi/pdf/10.1145/3627106.3627140
OAuth 2.0 Redirect URI Validation Falls Short, Literally
TL;DR: Academic paper concentrating on redirect uri, I don’t see anything remarkable just some usual issues with how redirect_uri is passed
https://bountyplz.xyz/bugbounty/2023/07/30/HTML-Over-The-Wire.html
What is HTML Over the Wire? A brief history of web app tech.
TL;DR: A blog explaining HTML over the wire is just a bad idea in terms of security.
https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
A New Vector For “Dirty” Arbitrary File Write to RCE
TL;DR: ah an idea to escale arb file write in uWSGI to RCE, nothin much
https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
mTLS: When certificate authentication is done wrong
TL;DR: A very good blog on intro to MTLs bugs Notes might be useful while auditing mtls libraries If you’re developing an mTLS system or performing a security assessment, I suggest:
Pay attention when extracting usernames from the mTLS chain, as the servers only verify the first certificate in the chain. Use Certificate Stores with caution, as it can lead to LDAP and SQL injections. Certificate revocation can lead to SSRF or even to RCE in the worst case. So, do the revocation check only after all other checks and do not rely on URLs taken from the certificate extensions.
https://blog.sicuranext.com/aws-waf-bypass/
AWS WAF Bypass: invalid JSON object and unicode escape sequences
TL;DR: Some WAF bypasses on AWS WAF, I am pretty sure AWS Waf has so many bypasses with experience.
https://lude.rs/h4ck1ng/draw.io_cves.html
draw.io CVEs
TL;DR: usual bugs in software
https://blog.ostorlab.co/one-scheme-to-rule-them-all.html
One Scheme to Rule Them All: OAuth Account Takeover
TL;DR: lol one more oauth blog, exploiting mobile apps not using verifiable app links and using scheme based redirects on oauth
https://www.descope.com/blog/post/noauth
nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover
TL;DR: One more Azure AAD bug?? This time you can modify OAUTH claim (email) to arbitrary emails and login 🤦
Three New Attacks Against JSON Web Tokens
TL;DR: oh good stuff, issues in JWT validations
- If library auto detects JWE or JWS, it is possible to substitute a [..] signed JWS with a JWE that is encrypted with the public key that is normally used for signature validation."
- How JSON is parsed similar to json interporabilitiy issues by bishopfox
- A dos when PBES algo used
https://positive.security/blog/ransack-data-exfiltration
Ransacking your password reset tokens
TL;DR: an interesting bug in an ruby library allowing to leak db info. Sounds like similar to blind sqli