TL;DR: Basically, all multipart/form-data parsers fail to fully comply with the RFC, and when it comes to validating filenames or content uploaded by users, there are always numerous ways to bypass validation. We'll test various bypass techniques against…

Hello again,
This blog explains how i chained a CSRF and XSS on a POST request. So, lets get straight into it. One day i was hunting on a private program and i could see most of hacker’s were reporting CSRF. Almost 5 reports out of 10 were them. Lo...

Personal website and computer security blog.

The Prototype Pollution vulnerability is specific to the JavaScript programming language. It enables an attacker to add or alter any properties of global object prototypes. Once the property is changed, the code that inherits it will use the injected property…

🚩 Video walkthrough for the "Pizza Paradise" (web) challenge featured in our 1337UP LIVE (CTF) competition 2024! Players found themselves browsing a pizza delivery website, but in fact this was a front for a secretive government panel. The "secret" login…

Automatic SSTI detection tool with interactive interface - vladko312/SSTImap

EXPLORING AND EXPLOITING AN ANDROID "SMART POS" PAYMENT TERMINAL

Today, credit card terminals are undergoing a drastic evolution, moving from specialized hardware and custom-built operating systems to Android devices similar to ordinary smartphones. While…

Discover how reverse engineering led to a $5000 bounty by exploiting a critical vulnerability in a popular Android app

Hi HackerOne Team!

==**NOTE: I'm redoing the report because the last one wasn't looked at correctly #2705602 and the report was closed, so don't close it as duplicate, just see that the takeover...

We're excited to announce one of our latest public program offerings on the HackerOne platform, Capital One!

Contribute to secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices development by creating an account on GitHub.

Discover how fuzzing can identify critical vulnerabilities in native Android components, strengthening device security.

JP (Translated by ChatGPT) In this article, I'll explain the intended solution for the "Tanuki Udon" challenge presented in SECCON CTF 13. TL;DR An XS-Leaks att…

TruffleHog now automatically decodes Android Package Kit (APK) files and searches them for secrets. It runs ~9x faster than using an external decompiler before calling TruffleHog.

iOS and macOS Decompiler. Contribute to LaurieWired/Malimite development by creating an account on GitHub.