Check out my write-up on a seemingly harmless and limited send() in GitHub (CVE-2024-0200) and how it could be used to obtain environment variables from a production container and to achieve remote code execution in GitHub Enterprise Server: https://t.co/jmjTTOxEGY

Happy to announce that I'll be speaking alongside @DennisPacewicz at @rubykaigi next week! We'll be sharing some secret stories on how I gained access to production GitHub credentials using CVE-2024-0200 as well as @GitHubSecurity's remediation efforts. https://t.co/zIHyfJ7vqZ

I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, Peter Stöckli @GHSecurityLab and @wcbowling https://t.co/mzXQnA691O

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! https://t.co/YzYcwxOGBn Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code

🚨 New Blog Alert! 🚨 Can an attacker execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities in Ruby can be exploited and how they can be detected with CodeQL. 🔗 Read the full post: https://t.co/tdumVwrfKC Stay safe and code responsibly! 🛡️💻

My colleague @hash_kitten and I discovered a full-read SSRF vulnerability in Next.js (CVE-2024-34351). We published our research today on @assetnote's blog: https://t.co/pUXGG64B0O. Thank you to the Vercel team for a smooth disclosure process.

Here is my deep-dive post on #github Actions cache poisoning. This is a powerful build pipeline lateral movement and privilege escalation technique and I used it to earn several thousand💰in #bugbounty rewards. https://t.co/7S5MjdP2Wc

Send()-ing Myself Belated Christmas Gifts - GitHub's Environment Variables & GHES Shell https://t.co/g9d3kOA04o Read about how one of our talented researchers, @Creastery , found it, exploited it and reported it in a fast and professional manner:

Huge thanks to @GitHubSecurity for coordinating, investigating and fixing!

Earlier this year I found a pretty cool vuln, an arbitrary file write in GitLab. Here’s the details

Route to Safety: Navigating Router Pitfalls is the swansong from @daniellimws https://t.co/QOqAkOhHMz We hope everyone enjoyed his informative post and wish him all the best in his future endeavours.

Off-by-One 2024 Conference CFP is now opened! Be part of a historical event and shape the future of offensive security in this region. Submission and speaker benefits https://t.co/96khe0PVR2 If you like to talk to us, drop us a line at info@offbyone.sg

👀

This is one of the most insane bugs I've discovered, but it all happened at a really inopportune time. 😥 Shoutout to all the Hubbers who got involved and had been working tirelessly on this since the Christmas/New Year period! 🙏

Special thanks to @chudypb, @TecR0c, @mr_me, @Creastery, @starlabs_sg, @Claroty & #team82, and @thezdi for finding & responsibly disclosing security vulnerabilities in Ignition. Fixes & full credits:

Notably, CVE-2023-3368 I discovered is a patch bypass of CVE-2023-34960 (unauthenticated command injection bug exploited in-the-wild found by @RandoriSec/@Aituglo), and CVE-2023-3533 is another unauthenticated file write RCE found in the same code location that was overlooked!🙈

Unauthenticated RCE: https://t.co/97Mi49tF89 https://t.co/1O7uldVv72 https://t.co/88MJwszEDT https://t.co/7mmpILtEJB Authenticated RCE: https://t.co/cxEMOi4br3 https://t.co/PLRLXGOg8X https://t.co/TSYH5uoTv3 https://t.co/wWPJ8kzeei https://t.co/GHIfsRqMB7 https://t.co/eqALGosQPC

Check out the technical analysis of 10 remote code execution bugs I discovered in Chamilo LMS below⬇️.

Check out this detailed n-day writeup by @oceankex, a former web security intern at STAR Labs I mentored, and how it led to two other bugs hidden in plain sight being discovered!

I've finally published the advisories regarding the Trend Micro bugs that I shared at #HITCON! Do check them out at @starlabs_sg's advisory page: https://t.co/kKLXy8oQKa 🏌️‍♂️CVE-2023-32530 is an interesting case of SQLi to RCE: