Here is part 2 of our Ghostscript research series. This is about CVE-2024-29511, a fun combination of logical bugs and features, in the end allowing to read and write files outside the SAFER sandbox. codeanlabs.com/blog/research/…

legalise port scanning

I'm hosting an in-person bug bounty meetup in Sydney at UNSW, and you can RSVP here: h1.community/events/details… I hope anyone in Sydney who is interested in bounties can make it. :) I'll be presenting and answering questions on hacking on bug bounties for the last ten years.

My blog post about several findings in Dynamics 365 Business Central. I tried writing in a .NET primer style for code audit beginners. frycos.github.io/vulns4free/202…

Super stoked to be giving a DEF CON talk about vulnerabilities in ISP infrastructure! This was originally a blog post, but the talk will include a lot more context and vulnerabilities affecting wider ISP ecosystem (see: defcon.org/html/defcon-32…) 🫡

Our security researcher hashkitten found one of the most critical exploit chains in the history of Assetnote. Affecting 40k+ instances of ServiceNow, we could execute arbitrary code, access all data without authentication. You can read our blog here: assetnote.io/resources/rese…

🔥 XSS on any website with missing charset information? 😳 Attackers may leverage the ISO-2022-JP character encoding to inject arbitrary JavaScript code into a website. Read more in our latest blog post: sonarsource.com/blog/encoding-… #appsec #security #vulnerability

#BSidesCbr24 Speaker Announcement: "Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall" by shubs and Michael Gianarakis cfp.bsidescbr.com.au/bsides-canberr…

Here's a teaser on something I've been working on for a while. It's a tool to inject malicious code into existing JAR files (Java apps or libraries). The implant is triggered when the JAR is used and runs in the background. The app/lib runs as usual. More on this later.

Time to retire some content! JNDI Injection Remote Code Execution via Path Manipulation in MemoryUserDatabaseFactory: srcincite.io/blog/2024/07/2…

If you're in Melbourne and interested in our recent ServiceNow disclosure, my very talented colleague hashkitten is presenting at Ruxmon on the 26th of July: meetup.com/en-AU/ruxmon/e…

This is really amazing research. I appreciate how well they articulated it, and I hope additional tooling is built to make this a more accessible attack in the future. The concurrent limit allowed for Node.js is worth noting too. Great work RyotaK!!

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code

Just added support for multipart requests to nowafpls. You can grab the latest version from github.com/assetnote/nowa… Short video demo of the multipart request support :)

Super excited to be dropping “Surfacing Security” today, a new podcast from Assetnote. My co-host Michael and I dive deep into Attack Surface Management topics and beyond! Spotify: open.spotify.com/show/3zyCwP4S6… Apple Podcasts: podcasts.apple.com/us/podcast/sur… Youtube: youtube.com/playlist?list=…

For the Sydney bug bounty community: we're holding our second bug bounty meetup at UTS on Sept 6th (Friday) from 7PM to 8PM. RSVP here: h1.community/events/details…

In my fwd:cloudsec presentation on Getting into AWS Security Research as a N00bcake, I challenged folks to just go try it and publish the results. It took a little longer than a week but Sid did it, and the results are pretty awesome. plerion.com/blog/your-queu…

I had so much fun recording this ep. My requirement was for Justin Gardner not to see the slides prior so what you see in the video are his genuine reactions as they happen live, from WTF to FOMO to "why did I not think of this before". Enjoy!

In April, Sam Curry and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found. Here is our writeup: ian.sh/tsa

later this month on the 27th of september, Michael Gianarakis and I are going to be demonstrating DNS poisoning related attacks across 30m+ domains at BSides Canberra. we will release a blog post alongside. I promise it doesn’t have any crazy preconditions and it has real impact :)