Author: 001wp

Dynamic Library Injection into BurpSuite on MAC OSX

Roll-your-own dylib for injection to JavaApplicationStub. Published February 13, 2021. Author: David Hoyt @h02332. TL;DR: Inject a dylib Calculator into Burp Suite. Summary: This basic example of dynamic code injection for pwn fun details popping Calculator using a dylib injected into Burp Suite. In the past, PortSwigger has fielded PoCs showing Calculator being injected into Burp Suite as […]

Telugu Characters cause CoreText Crash on OSX and iOS. Comments using LLDB, Voltron, Lisa.py, Debugging, Backtrace, Register.

TL;DR: Apple has a Unicode Bug with Rendering Telugu Characters. Pictures below for those who enjoy using LLDB with a PoC. OS X 10.13.3 Unicode Bug – Causes a Crash when Rendered via the CoreText Framework. The CoreText Unicode Bug caught my attention with this Tweet from Taviso and this Gist from Manish Goregaokar. The 3 characters in the […]

CVE-2017-14620, Stored DOM XSS, SmarterStats V11.3.6347

CVE-2017-14620: SmarterStats V11.3.6347 Renders the Referer. Version Identification. TL;DR: SmarterStats Version 11.3.6347, and possibly prior versions, will Render the Referer Field of HTTP Logfiles in URL /Data/Reports/ReferringURLsWithQueries. Reporter: David Hoyt | XSS.Cx. Commentary: This Vulnerability was identified back in 2010 when I Reported other Stored XSS Bugs to SmarterTools. Stored XSS is a powerful exploit […]

CVE-2017-5638, Vulnerability Reporter Notebook

TL;DR: Manage Balance Sheet Risk with ISO 29147. The InfoSec Industry is Broken. Vulnerability Reporter's Notebook. In the News is the Equifax Breach. Personally Identifying Information (PII) is a Public Interest Story when all Consumers are impacted. This commentary is based on my own Research, which is Public Domain, for annualcreditreport.com and experian.in. CVE-2017-5638 Discussion & […]

DOM XSS, location.hash, Stored XSS, Same Origin Policy, CoTS Scanners

Dear – Your CSP doesn't report Stored XSS; it's inside SOP. You append my location.hash to your Document and Save the URL in Dash. #DOMXSS. TL;DR: DOM XSS testing via location.hash is hard to Automate; Get a Bug Bounty or Publish a CVD. XSS – Cross Site Scripting 101. DOM XSS begins at window.location.hash '#' […]

Cisco ASA FIREPOWER Core Dump on FirstBoot with 9.7(1)

Updated April 4, 2017: 9.7(1)2 is affected by Cisco bug ID CSCvd78303. TL;DR: Cisco ASA-5506W-X FIREPOWER Appliances may Core Dump on FirstBoot with Firmware 1.1.8 and Software 9.6(x), and when using Firmware 1.1.8 and Software asa971-lfbff-k8.SPA while performing a Restore with asasfr-sys-6.1.0-330.pkg after Booting from asasfr-5500x-boot-6.1.0-330.img. TL;DR: Cisco ASA-5506W-X FIREPOWER Appliances may Core Dump on FirstBoot with Firmware […]

Stored DOM XSS, icloud.com, Javascript Injection, jQuery 1.7.2, User Agent Exploitation, May 2013

TL;DR: In May 2013 XSS.Cx reported Stored XSS in www.icloud.com and all related applications due to the execution of the JavaScript Protocol Handler. The Root Cause of the Issue was using Notes to inject the Code and then a Browser to View the Exploit. An Attacker could craft a malicious Note and then Share the […]

CVE-2016-10097, XXE, SSO, Open AM 10.1.0, XML Injection, SAML Request Parameter

CVE-2016-10097 – See Also: Indicators of Compromise. DORK: "Copyright © 2010 ForgeRock AS, Philip Pedersens vei 1, 1366 Lysaker, Norway". XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter. XXE Proof of Concept (PoC) Code for Exploit against Open AM 10.1.0 […]

CVE-2016-10097, Open AM 10.1.0, XML Injection, XXE, External Entity Resolution, SSO Data Exfiltration, PoC

TL;DR – Open AM 10.1 is exploitable via XXE at /SSOPOST/metaAlias/%realm%/idpv2. XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter. XXE is a means to an RCE Endpoint. XXE provides visibility into the Target System. You may find old JBOSS, PHP, Tomcat, Apache or […]

AngularJS, XSS, NG-XSS, Coverage Envelope Expansion, Javascript Injection, PoC

AngularJS suffers from XSS {NG-XSS}. TL;DR: AngularJS is another broken JavaScript Framework. PortSwigger recently released V.1.6.36, which contained an update for AngularJS Injection. A Blog Post by PortSwigger Developer Gareth Heyes is available here detailing the identification and confirmation of AngularJS XSS (NG-XSS). Reviewing the Post by Gaz, it's obvious that he's proved a method to Identify […]