The other day, I worked on an XSS finding that required loading script content from an external source to load a proper POC. The limitations were
1. Stored XSS
2. Char limit 256
3. CSP `script-src` containing a bunch of company-owned sites but also `unsafe-inline`
4. CSP `connect-src` containing a...
Posted by Mateusz Jurczyk, Google Project Zero As previously mentioned in the second installment of the blog post series ( "A brief ...
Hacking Lab Publications: Bridging the Gap between Real-World and Formal Binary Lifting through Filtered-Simulation (to appear). Jihee Park, Insu Yun, Sukyoung Ryu, October 2025. Proceedings of the ACM SIGPLAN International...
Research is a constant process of failure and iteration. However, in most cases, you only see the one-in-a-thousand (successful) attempt. To normalize f*ck ups, and because I believe the behavior we identified in the course of this research is still relevant and interesting, this post is published for educational purposes.
Implementing secure Single-Sign-On (SSO) flows on mobile platforms is a continuous challenge. This post discusses an Android feature which potentially enabled a malicious Android app to hijack arbitrary SSO flows. As the feature existed at platform level (prior to Android 12), it affected not only misconfigured apps, but also (web-)applications that follow OAuth best current practice [1].
The vulnerability was reported to Google via the Android and Google Devices Security Reward Program on November 29th, 2024. Shortly after submission, Google highlighted a crucial thing that had been missed before: due to a major rework of the App Link behavior, the reported issues only work on Android versions prior to Android 12.
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.
Large language model applications suffer from a few core novel issues that have been identified over the last two years. Let's see how Grok fares on those.
Posted by Seth Jenkins, Google Project Zero This blog post provides a technical analysis of exploit artifacts provided to us by Google's Thr...
# Diving into ADB protocol internals (2/2)
Our previous article laid the groundwork for understanding the ADB protocol and its usage scenarios. It primarily focused on the TCP/IP communication between the ADB Client and the ADB Server. However, this still required at this point an intermediate...
# Unsafe Archive Unpacking: Labs and Semgrep Rules
16 Dec 2024 - Posted by Michael Pastor
## Introduction
During my recent internship with Doyensec, I had the opportunity to research **decompression attacks** across different programming languages. As the use of archive file formats is...
Posted by James Forshaw, Google Project Zero This is a short blog post about some recent improvements I've been making to the OleView.NET ...
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
Note: this is a rapidly-drafted post on an evolving topic - we'll update the post with more details as we discover more about the situation. Hit that F5 key regularly for updates!
We were having a nice uneventful Wednesday afternoon here at watchTowr, when we got news of some ransomware operators using a zero-day exploit in a bunch of Cleo software - LexiCom, VLTransfer, and Harmony - applications that many large enterprises rely on to securely share files.
Cleo have a (paywalled) advisory,
### Summary
An Out-Of-Bounds (OOB) read affecting KVM since v3.10 was discovered in `arch/x86/kvm/svm/nested.c`. The memory read is from the user-space process managing the associated KVM based Vir...
The article is informative and intended for security specialists conducting testing within the scope of a contract. The author is not responsible for any damage caused by the application of the provided information. The distribution of malicious programs, disruption of system operation, and violation of the confidentiality of correspondence are pursued by law.
Introduction In this article, I want to talk about a method for bypassing DOMPurify when it is used for sanitizing SVG files, which I recently discovered.
Discover how LLM apps can hijack your terminal with prompt injections and ANSI escape codes, exposing hidden vulnerabilities and real-world risks. Learn how to protect your tools with actionable security insights.
# Automated Network Security with Rust: Detecting and Blocking Port Scanners
Did you ever wonder how an IDS/IPS like Snort or Suricata is able to interact with the network stack of the Linux kernel?
Do you also happen to like Rust?
Well, dear reader, this article is for you!
# Introduction
In...
### Summary
During boot, the bootloader (cisco-grub) will enumerate all potential boot drives and probe for a menu.lst script file. If an adversary manages to place such a file on the system’s SSD...
It is not just APTs that like to target telephone systems, but ourselves at watchTowr too.
We can't overstate the consequences of an attacker crossing the boundary from the 'computer system' to the 'telephone system'. We've seen attackers realise this in 2024, with hacks against legal intercept systems widely reported in the news.
VoIP platforms, which handle telephone calls for an organization, are a really juicy target for an APT. Imagine being able to listen in on the phone calls of your ta
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
On the 2nd of July 2024, Sonar disclosed some unpatched RCE in Gogs, and it sparked an interesting albeit pedantic discussion on an obscure IRC channel somewhere on the internet that might be of interest to a broader audience of nerds.
The vulnerabilities in question are:
> Argument Injection in the...
Executive Summary Introduction Earlier this year, Talos published an update on the ongoing evolution of Akira ransomware-as-a-service (RaaS) that has become one of the more prominent players in the current ransomware landscape. According to this update, for a while in early 2024, Akira affiliates experimented with promoting a new cross-platform variant of the ransomware called […]
# CSPT the Eval Villain Way!
03 Dec 2024 - Posted by Dennis Goodlett
Doyensec’s Maxence Schmitt recently built a playground to go with his CSPT research. In this blog post, we will demonstrate how to find and exploit CSPT bugs with Eval Villain. For this purpose, we will leverage the second...
### Summary
There is a Time-of-Check / Time-of-Use issue in the Linux kernel in the exec system calls. The executability permissions are checked at a different time than the set-user-ID bit is app...
This post discusses how I found and responsibly disclosed a Cross Site Scripting in DeepSeek and it was possible to trigger it via Prompt Injection to achieve complete account takeover. The issue was fixed within a day.
Key Points Introduction Cybercriminals constantly try to evolve their tactics and techniques, aiming to increase infections. Their need to stay undetected pushes them to innovate and discover new methods of delivering and executing malicious code, which can result in credentials theft and even ransomware encryption. Check Point Research discovered a new undetected technique that uses […]
Posted by Ivan Fratric, Google Project Zero Recently, one of the projects I was involved in had to do with video decoding on Apple pla...
# Disclosure of 7 Android and Google Pixel Vulnerabilities
We continually refine and enhance the Oversecured Mobile Application Vulnerability Scanner through regular analysis of mobile applications. This helps us to optimize our analysis techniques and proactively mitigate potential...
# Relaying Kerberos over SMB using krbrelayx
Kerberos authentication relay was once thought to be impossible, but multiple researchers have since proven otherwise. In a 2021 article, James Forshaw discussed a technique for relaying Kerberos over SMB using a clever trick. This topic has recently...
Threat actors just love popping those SSLVPN appliances. There's a new bug (well, two of them) that are being exploited in the Palo Alto offering, and as ever, we're here to locate it and give you the low-down on what's happening. Here's a quick teaser to whet your appetite:
Analysing bugs under active exploitation is more than a requirement at watchTowr, it's a passion, and a calling. We are no strangers to reviewing SSLVPNs and Firewalls, particularly Palo Alto - which we raced to analyse earl
Recently, I've been trying to improve the sorry state of PHP's heap implementation, small step by small step since my free time significantly shrunk this year. Anyway, one of the low-hanging fruits is to make parts of the `_zend_mm_heap` read-only, since it contains function pointers that are...
It’s been a tricky time for Fortinet (and their customers) lately - arguably, even more so than usual. Adding to the steady flow of vulnerabilities in appliances recently was a nasty CVSS 9.8 vulnerability in FortiManager, their tool for central management of FortiGate appliances.
As always, the opinions expressed in this blog post are of the watchTowr team alone. If you don't enjoy our opinions, please scream into a paper bag.
Understandably, for a vulnerability with such consequences as ‘all
Key Findings: Introduction On October 30th, the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory regarding recent activities of the Iranian cyber group Emennet Pasargad. The group recently operated under the name Aria Sepehr Ayandehsazan (ASA) and is affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The […]
Hamas-affiliated WIRTE group has expanded beyond espionage to conduct disruptive attacks
Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering.
This is a tech stack that enables end-users (and likely, your friendly neighbourhood ransomware gang) to access their full desktop environment from just about anywhere, whether they’re using a laptop, tablet, or even a phone.
It’s essentially the ‘thin client’ experience that people were very excited about some
### Summary
The default configuration of the authentication component of the Wallstreet WebSuite application does not
validate the SAML response from the identity provider (e.g. Microsoft login), which ca...