More links
Here are some links to interesting cybersecurity articles from 2024.
- Better Exfiltration via HTML Injection, d0nut
- Bypassing DOMPurify with good old XML, Flatt Security Research
- COEP COOP CORP CORS CORB - CRAP that’s a lot of new stuff!
- Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection, Flatt Security Research
- CONFEDSS: Concolic execution and the puzzling practice of peripheral emulation, FOSDEM 2024
- Fighting cookie theft using device bound sessions, Chromium Blog
- Hacking Millions of Modems (and Investigating Who Hacked My Modem)
- Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform
- OAuth 2.0 for Browser-Based Applications
- Our audit of Homebrew, Trail of Bits Blog
- Resurrecting a dead Dune RTS game, wheybags’ blog
- Ruby-SAML pwned by XML signature wrapping attacks, SSOReady
- Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail, Sonar
- Source Code Disclosure in ASP.NET apps, PT SWARM
- The Firestore vulnerability found in Arc is likely widespread
- Tony Hawk’s Pro Strcpy, I Code 4 Coffee
- Unsafe Archive Unpacking: Labs and Semgrep Rules, Doyensec’s Blog
- We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
- When we say “security”, what do we mean?, Sensemaking by Shortridge
- Writeup for CVE-2023-39143: PaperCut WebDAV Vulnerability, Horizon3.ai
- XML Signatures are a bad idea executed even worse, SSOReady
- XS-Leaks Wiki
- YOLO is not a valid hash construction, Trail of Bits Blog