I recently ran across an application that allowed access to a ClickHouse DB for my user. The access was allowed, so that isn’t an issue. However, when we as pentesters or bug bounty hunters get acc...

The other day I received an email saying I was eligible for some swag for getting my 25th valid P1 submission on BugCrowd. I don’t do too much BB hunting these days, and also not too much on BugCro...

Welcome! I was sick of ‘maintaining’ (not that it was a lot of work) my previous blog that ran a wordpress stack on ec2 instance, so I decided to migrate to Jekyll and the Chirpy theme. The migra...

That’s in quotes, because this is seemingly a self-HTML injection with little to no security impact, but it does allow for you to change your reMarkable’s sleep screen in a different way. Maybe it’...

A while back the illustrious team over at Project Discovery wrote about the discovery of an SQLi in Masa/Mura CMS. It’s a good writeup, so go check it out for the technical details. Recently, I ra...

If you’re a pentester or bug bounty hunter that is trying to do some iOS mobile application testing, half the battle is getting a phone properly jailbroken so you can proxy HTTP requests. Nowadays,...

As mentioned in a previous post, I was the July RotM for the DoD VDP program. I decided I’d try and win again in August, despite not usually focusing on VDPs. I ended up finding RAMADDA running on ...

I was recently awarded the DoD Researcher of the Month for July, 2023. Between moving across the country and other hacking duties, I still had time to hammer away at a particular subdomain and foun...

PyMedusa is a well-known video library manager that many of us self-hosted types may use to organize our libraries. I decided to give it a spin one day and found a classic OS command injection as s...

I found a textbook SQLi in the Eufy Security application. Don’t mind the heavy use of red blocks to redact. The first, normal request. Everything looks fine. Notice the response time at 35 millise...