pspaul
@pspaul95.bsky.social
📤 72
📥 134
📝 8
reposted by
pspaul
OffensiveCon
13 days ago
SELECT shell FROM postgres: Digging up a 20-year-old bug for ZeroDay.Cloud by
@pspaul95.bsky.social
and Moritz Sanft
0
3
2
Pwning PostgreSQL was quite fun, excited to share our research at OffensiveCon!
www.offensivecon.org/speakers/202...
about 1 month ago
0
1
0
reposted by
pspaul
SonarResearch
2 months ago
📱 1-click RCE in the YTDLnis Android app! On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post:
www.sonarsource.com/blog/ytdlnis...
#appsec
#security
#vulnerability
loading . . .
From intent extra to RCE: Argument injection in YTDLnis
Discover a vulnerability our researchers found in the Android app YTDLnis, allowing attackers to execute code on victim devices.
https://www.sonarsource.com/blog/ytdlnis-argument-injection-rce?utm_medium=social&utm_source=bluesky&utm_campaign=research&utm_content=social-ytdlnis-rce-260324-&utm_term=---&s_category=Organic&s_source=Social%20Media&s_origin=social
0
2
1
reposted by
pspaul
SonarResearch
6 months ago
🧟 A fixed vulnerability that comes back to life? This could have happened in GitHub Actions until yesterday! Learn how attackers could have exploited seemingly fixed workflow vulnerabilities:
www.sonarsource.com/blog/zombie-...
#appsec
#security
#vulnerability
loading . . .
https://www.sonarsource.com/blog/zombie-workflows-a-github-actions-horror-story?utm_medium=social&utm_source=bluesky&utm_campaign=research&utm_content=social-zombie-workflows-251209-&utm_term=---&s_category=Organic&s_source=Social%20Media&s_origin=social
0
2
1
My TROOPERS25 talk has been uploaded! If you ever wondered if "style-src: 'unsafe-line'" in your CSP is bad, this one is for you. Scriptless Attacks: Why CSS is My Favorite Programming Language
www.youtube.com/watch?v=Owp-...
loading . . .
TROOPERS25: Scriptless Attacks - Why CSS is My Favorite Programming Language
YouTube video by TROOPERS IT Security Conference
https://www.youtube.com/watch?v=Owp-mHUyg9I
6 months ago
0
0
0
This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞
add a skeleton here at some point
7 months ago
0
5
1
reposted by
pspaul
SonarResearch
8 months ago
Using SonarQube to solve a CTF challenge? Done! ✅ Learn how we detected a 0-day vulnerability during
#KalmarCTF
, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading:
www.sonarsource.com/blog/code-se...
#appsec
#CTF
#vulnerability
loading . . .
https://www.sonarsource.com/blog/code-security-for-conversational-ai-uncovering-a-zip-slip-in-eddi?utm_medium=social&utm_source=bluesky&utm_campaign=research&utm_content=blog-eddi-zip-slip-250916-&utm_term=---all&s_category=Organic&s_source=Social%20Media&s_origin=social
0
3
1
reposted by
pspaul
SonarResearch
11 months ago
🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing. Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:
www.sonarsource.com/blog/caught-...
#appsec
#security
loading . . .
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
In the last blog of this series, we will focus back on FortiClient and learn how the inner workings of this application work, and what crucial mistake happened that led to us uncovering a local privil...
https://www.sonarsource.com/blog/caught-in-the-fortinet-how-attackers-can-exploit-forticlient-to-compromise-organizations-3-3?utm_medium=social&utm_source=bluesky&utm_campaign=research&utm_content=blog-caught-in-the-fortinet-080725-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social
0
3
2
reposted by
pspaul
SonarResearch
11 months ago
📁🫷🚧Can't control the extension of a file upload, but you want an XSS? Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:
www.sonarsource.com/blog/caught-...
#appsec
#vulnerability
#bugbountytips
loading . . .
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
We recently discovered critical vulnerabilities in Fortinet’s endpoint protection solution that enable attackers to fully compromise organizations with minimal user interaction. In this second article...
https://www.sonarsource.com/blog/caught-in-the-fortinet-how-attackers-can-exploit-forticlient-to-compromise-organizations-2-3?utm_medium=social&utm_source=bluesky&utm_campaign=research&utm_content=blog-caught-in-the-fortinet-260625-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social
0
1
1
Great bug chain by my team mate Yaniv that can pwn a whole org, starting with a single user click! I was also able to contribute a bit by creating my first port of a Chrome n-day exploit :)
add a skeleton here at some point
11 months ago
0
0
0
reposted by
pspaul
SonarResearch
11 months ago
Catch our second talk at
#TROOPERS25
: 🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection Yaniv Nizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click
0
4
1
reposted by
pspaul
SonarResearch
11 months ago
Coming to
#TROOPERS25
this week? We'll be there too, presenting our research! 🎨 Scriptless Attacks: Why CSS is My Favorite Programming Language
@pspaul95.bsky.social
will convince you why CSS should not be overlooked in client-side web attacks and what is possible without JavaScript today
0
4
2
This was a fun one to discover! SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:
add a skeleton here at some point
12 months ago
0
1
0
reposted by
pspaul
SonarResearch
about 1 year ago
📊⚠️ Data in danger! We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:
www.sonarsource.com/blog/data-in...
#appsec
#security
#vulnerability
loading . . .
Data in Danger: Detecting Cross-Site Scripting in Grafana
Learn how SonarQube detected a Cross-Site Scripting (XSS) vulnerability in Grafana, a popular open-source data observability platform.
https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/?utm_medium=social&utm_source=bluesky&utm_campaign=research&utm_content=blog-grafana-xss-2404-&utm_term=---all&s_category=Organic&s_source=Social%20Media&s_origin=social
0
3
2
reposted by
pspaul
Rebane
about 1 year ago
"wow, this css property would be amazing for my css crime, i wonder what the browser support is looking like"
1
42
4
Ever wondered what the Alt-Svc header is used for? Well, it can make you a MitM if you control it! I can finally publish the writeup to my GymTok challenge: control the header, become MitM, and perform a cross-protocol attack!
blog.pspaul.de/posts/gymtok...
loading . . .
GymTok: Breaking TLS Using the Alt-Svc Header
Ever wondered what the Alt-Svc response header is used for? Turns out it can be used to become a Man-in-the-Middle and attack TLS!
https://blog.pspaul.de/posts/gymtok-breaking-tls-with-alt-svc/
over 1 year ago
0
2
2
Wow, thanks for 2nd place! Didn't expect this, maybe it's my sign to finally write it down in text form and tackle all the follow-up ideas 👀
add a skeleton here at some point
over 1 year ago
1
8
1
you reached the end!!
feeds!
log in
