Hack.βlu CTF registration is open! Win great prizes from our sponsors:
π― 3x @offensivecon.bsky.social tickets by Binary Gecko
π΅οΈ 6x @burpsuite.bsky.social
π₯· 6x @binary.ninja
π¦ 80 months HackTheBox VIP+
πΈ $1000 by Zellic
π©πͺ DHM quals
flu.xxx
Hej!
We are thrilled to announce Hack.lu CTF 2025 starts on Friday, October 17.
Top teams can win prizes from our sponsors: OffensiveCon, Zellic, PortSwigger, Binary Ninja, and HackTheBox.
All information on flu.xxx
Unrelated question: Why does it say NO GLYPH at the end of each line when viewing your post in the Bluesky app? I saw this with multiple of your posts already π€
Looks like some Linux eBPF vulnerabilities presented at this year's Black Hat are made-up AI slop
www.openwall.com/lists/oss-se...
Last weekend, we took 1st place at #idekCTF and qualified for the #MaltaCTF finals!
Congrats to all the other teams, and thanks to the organizers β the CTF was a lot of fun!
We secured 3rd place at ENOWARS CTF - top team in the DACH region and now qualified for DHM (German Hacking Championship)!
Huge congrats to all participants and thanks to the organizers for an awesome CTF! π
2. should be the issue. I think innerText decides HTML entities, like < to <, which is then assigned to innerHTML.
πβ« After compromising every endpoint within an organization, our βCaught in the FortiNetβ blog series comes to an end with one more thing.
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:
www.sonarsource.com/blog/caught-...
#appsec #security
Looks fine to me. Is there a pitfall with basename()?
"this case has been assessed as low severity and does not meet MSRCβs bar for immediate servicing due to RCE is no longer possible without extensive user interaction (i.e., accepting a save prompt to a location controlled by an attacker)"
We love to see it π«
It's actually free to register with a (burner) email and read the article, you don't have to pay.
πβ οΈ Data in danger!
We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:
www.sonarsource.com/blog/data-in...
#appsec #security #vulnerability
ErgΓ€nzung zur Kiwi π₯: Es kΓΆnnte eine Anspielung auf das Kiwi Farms Forum sein, welches hauptsΓ€chlich aus extremen, organisierten harassment von trans Personen bestand.
en.m.wikipedia.org/wiki/Kiwi_Fa...
And here's the second part of my old JumpServer journey I presented at Insomni'hack24. After getting authenticated last week, this time we're abusing multiple design flaws to get RCE and escape the Docker container on the JumpServer host.
Surveillance contractors not choosing overly edgy sounding company names challenge (impossible)
Beanies sold out π«
I nominate @sonarresearch.bsky.social, now finally on bluesky :)
The Sonar research team just published a blog about my old JumpServer vulns I presented at Insomni'hack24. Check it out for some microservice shenanigans and stay tuned for part two that covers auth->RCE next week.
You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.
portswigger.net/research/sam...
The call expression check looks at the name of the variable, but not the runtime value of the called function, assuming that it is safe if named calc* We can abuse this to call the function constructor directly and not through calcCall which would block it
calcCall(calcPrint.constructor('alert(1)'))
The code tries to shadow all globals with local variables, but uses Object.keys to enumerate over window. Object.keys does not include non-enumerable properties, which includes globalThis. This leaves globalThis intact for us to use
You can use globalThis to get access to all globals again and call arbitrary global functions with the help of calcCall. Then just send innerText of the whole site to your server with fetch :)
Inspired by x.com/PaulosYibelo, I thought about what improvements I could make to trick users into pressing buttons that perform sensitive actions. Finding some vulnerable targets along the way!
Read the details in my latest blog post below:
jorianwoltjer.com/blog/p/hacki...
This calls for StoΓlΓΌften
www.huffpost.com/entry/luften...
Wow, thanks for 2nd place! Didn't expect this, maybe it's my sign to finally write it down in text form and tackle all the follow-up ideas π
D-Trust mΓΆchte gern von der eigenen Verantwortung fΓΌr ein groΓes Datenleck ablenken. Der CCC erklΓ€rt die HintergrΓΌnde und fordert Konsequenzen. (ja, es war mal wieder 1 von uns lol sorry)
www.ccc.de/de/updates/2...
New blog post with @shubs.io:
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
They only fixed a bug that made it easier to abuse this caching info. The bug was with Cloudflare Workers and allowed to run a Cloudflare Worker at a specific data center. From there, the cache state could be retrieved.
The cache info can still be retrieved now using a VPN close to a CF datacenter
The voting form says that it closes on the first of February? π
