This technical brief details the implementation of a Cgroup v2 eBPF device controller bypass. This method leverages the bpf() system call to detach the security programs governing device access.
First, locate the specific Cgroup v2 mount point for the current process. This is the filesystem target from which we will detach the eBPF programs.
A few weeks ago, I came across an interesting security vulnerability inside Google Cloud Shell. While analyzing how Cloud Shell Editor (Code OSS) loads projects, I observed that simply opening a specially crafted project within the editor triggers silent and automatic code execution. The user doesn't need to type any commands, or run any tasks manually. Simply open the project and the payload will be executed.
The root cause was that many components/processes executes inside the Cloud Shell Editor during workspace load. Tools like the Gradle language server, the Clang language server, and the VS Code tasks system evaluate config files or build scripts as soon as the folder is opened. This seems simple in a normal development workflow, but it breaks a very basic assumption/principle we all rely on: cloning a repo or opening a project in an editor will never execute a command without user action.
I understood this behavior, the attack scenario was
| Language | Example | What Happens | Impact |
|---|---|---|---|
| Java | // \u000d System.out.println("exec"); |
Unicode processed before comment → newline injected → code runs | Comment-bypass, hidden payload |
| JS/TS | var a\uFF0Eb = 1; |
Fullwidth dot makes variable look like a.b |
Identifier spoofing |
| Python | print("x") (EN QUAD) |
Invisible indentation → syntax changes | Hidden code flow |
| Go/Rust | var рassword (Cyrillic р) |
Identifiers look identi |
Many applications use inconsistent or custom parameter names to handle post-logout redirection, and this is where open redirect, forced navigation, and privilege-related issues often hide.
Whenever you encounter a /logout, /signout, /endSession, or similar endpoint — fuzz it with this list.
Burp Intruder / Turbo Intruder
/logout?§PARAM§=https://attacker.com
Google Colab (short for Colaboratory) is a powerful, browser-based platform that allows you to write and execute Python code with zero configuration.
At its core, Colab operates through Notebooks, where you can run code cells independently. Gain free access to powerful GPUs (like the T4) and TPUs, making it ideal for training heavy deep learning models. Read more at https://research.google.com/colaboratory/faq.html
ReconX is an end-to-end automated external security assessment framework designed for professional penetration testers, bug bounty hunters, and enterprise red teams.
It performs deep recon, enumeration, vulnerability scanning, OSINT, exposure discovery, and reporting across multiple targets at scale.
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
| #!/usr/bin/env python3 | |
| import urllib.request | |
| import urllib.error | |
| import socket | |
| BASE_URL = "http://metadata.google.internal/computeMetadata/v1" | |
| HEADER = {"Metadata-Flavor": "Google"} | |
| OUTPUT = "gcp_metadata_dump.txt" | |
| # ---- HTTP Helper ----------------------------------------------------------- |
| #!/usr/bin/env bash | |
| # cos_audit.sh | |
| # Container-Optimized OS (COS) guest audit script (read-only) | |
| # Produces a PASS / FAIL / INFO style report for many guest-side hardening checks. | |
| # | |
| # Usage: | |
| # sudo ./cos_audit.sh | tee cos_audit_$(date +%F_%T).log | |
| # | |
| # Author: Generated by ChatGPT for Bipin Jitiya (auditor) | |
| set -u |
| #!/usr/bin/env bash | |
| # container_recon.sh | |
| # A safe, non-destructive container reconnaissance script for advanced users. | |
| # Purpose: gather capability, namespace, cgroup, mount, device, network and quick secrets hints. | |
| # Usage: ./container_recon.sh [-o /path/to/output] [-d] [-v] | |
| # -o OUTPUT : write report to OUTPUT (default: /tmp/container_recon_<ts>.txt) | |
| # -d : deep scan mode (may take longer and search deeper for writable dirs and secrets) | |
| # -v : verbose (prints progress markers to stderr) | |
| # -h : help |