shubs

@infosec_au

Followers: 55K
Following: 10K
Media: 249
Statuses: 5K

Co-founder, security researcher. Building an attack surface management platform, @assetnote

halcyon
Joined August 2013
@infosec_au
shubs
3 days
RT @n1nj4sec: I recently found a blind FreeMarker SSTI on a bbp. It was not possible to RCE but I found some nice gadgets to enumerate acce…
0
46
0
@infosec_au
shubs
5 days
RT @nullpt_rs: Reverse Engineering Vercel's BotID by @blastbots.
0
19
0
@infosec_au
shubs
5 days
To kick off our Christmas and July research posts, we explain how we achieved persistent XSS on every Adobe Experience Manager Cloud instance, not twice, but thrice! This is now patched across all of AEM cloud, but what an interesting attack surface!
2
38
198
@infosec_au
shubs
6 days
We’re celebrating Christmas in July this year, starting July 1st. We’ll release a security research post on Searchlight Cyber’s blog each week over the month. To be the first to know, subscribe to our RSS feed here:
4
15
95
@infosec_au
shubs
10 days
RT @spaceraccoonsec: When I asked @infosec_au to write a foreword for "From Day Zero to Zero Day," I didn't anticipate how perfectly he wou…
0
13
0
@infosec_au
shubs
11 days
RT @ITSecurityguard: Honestly a bit surreal, but I’ll be joining @assetnote as a Security Researcher soon 🦆. Excited to be part of such a br…
0
4
0
@infosec_au
shubs
13 days
How do we turn bad SSRF (blind) into good SSRF (full response)? The @assetnote Security Research team at @SLCyberSec used a novel technique involving HTTP redirect loops and incremental status codes that leaked the full HTTP resp. It may work elsewhere!
6
179
605
@infosec_au
shubs
17 days
RT @TantoSecurity: The post is at and we hope you enjoy reading it as much as we enjoyed putting it together! ❤️
0
11
0
@infosec_au
shubs
24 days
RT @spaceraccoonsec: Sadly, other than the security team, nobody cares about the security tools you build. Here’s how to avoid getting suck…
0
10
0
@infosec_au
shubs
25 days
RT @0xLupin: 2 AM in a Tokyo hotel room: @assetnote x Depi find a Dependency Confusion vuln that lands RCE on Netflix! 🚀 Shout-out to @i…
0
48
0
@infosec_au
shubs
29 days
@ryotkak @Geluchat @kevin_mizu I forgot to mention. @ajxchapman made an impossible RCE chain possible. His work was inspiring.
1
0
67
@infosec_au
shubs
30 days
I won the Most Valuable Hacker award for the Salesforce H1-6102 live hacking event in Sydney (my hometown)! I enjoyed working with some very talented hackers, including @ryotkak, @Geluchat, and @kevin_mizu. This is my third MVH award, and I'm grateful to be able to compete.
89
36
766
@infosec_au
shubs
1 month
This issue isn't just limited to ingress, but also egress traffic out. So next time you have an SSRF or out of bands based attack, give this technique a go! We plan to present this in more detail in the future. (end thread).
1
1
13
@infosec_au
shubs
1 month
One reason this issue is widespread is that vendors and SaaS platforms ask you to broadly whitelist ranges. For example, Gitlab's official advice is to whitelist the entire GCP region that their shared runners are in, and doing so leaves you exposed.
1
2
12
@infosec_au
shubs
1 month
From a single scan, we found around 7000 instances where traffic was different when coming from us-east-1, as compared to outside of us-east-1/AWS. Some of the largest companies in the world have borked their IP whitelisting rules.
1
2
12
@infosec_au
shubs
1 month
We scanned 18,206,880 (us-east-1 AWS) hosts from outside of us-east-1 AWS on port 443, using masscan. This returned 2,574,114 hosts with port 443 open. We used zgrab2 to issue HTTP requests to all assets on port 443 (TLS) from outside AWS and inside AWS (us-east-1).
2
4
28
@infosec_au
shubs
1 month
404 not found? Not when you’re coming from AWS
1
1
11
@infosec_au
shubs
1 month
Mutual TLS? Not when you’re coming from AWS
2
2
21
@infosec_au
shubs
1 month
Newtowner allows you to quickly spin up a GitHub action, Gitlab CI pipeline, Bitbucket pipeline, AWS API Gateway, or AWS EC2 instance to check a diff between your home connection and the remote connection for one or more URLs.
1
2
14
@infosec_au
shubs
1 month
IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue:
14
235
865
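The thread above describes the comparison Newtowner performs: fetch the same URL from your own connection and from a cloud vantage point, then look for a response that differs (a 404 at home but a real page from AWS, or a mutual-TLS handshake failure at home but a plain 200 from AWS). The following is an added example of that comparison step, written for this page and not taken from Newtowner or the @assetnote scan tooling. The `Capture` records, the `diff_captures` and `looks_like_ip_allowlist` functions, the header list and all sample responses are constructed here to illustrate the idea; the code works on responses you have already collected (for example from a zgrab2 run inside and outside us-east-1) and does no network I/O itself.

```python
"""Diff HTTP captures of one URL taken from two source networks.

Added example (not Newtowner's code): flags responses that differ in a way
that suggests the target applies IP-based access control to one vantage point.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

# Headers that legitimately change between any two requests; ignore them so
# they do not produce false "diffs". This list is an assumption for the example.
VOLATILE_HEADERS = frozenset({
    "date", "age", "expires", "last-modified", "etag", "set-cookie", "via",
    "x-request-id", "x-amz-request-id", "x-amz-cf-id", "x-amz-cf-pop", "cf-ray",
})

# Statuses that commonly mean "you are not on the allowlist". 404 is included
# because the thread shows a 404-at-home / 200-from-AWS pair.
DENIED_STATUSES = frozenset({401, 403, 404, 421, 429})


@dataclass
class Capture:
    """One fetch of a URL from a named vantage point (hypothetical record type)."""
    vantage: str
    status: Optional[int]               # None when no HTTP response came back
    headers: dict = field(default_factory=dict)
    body: str = ""
    error: Optional[str] = None         # transport / TLS error text, if any


def _normalize(headers: dict) -> dict:
    """Lower-case header names and drop the per-request volatile ones."""
    return {k.lower(): v.strip() for k, v in headers.items()
            if k.lower() not in VOLATILE_HEADERS}


def diff_captures(home: Capture, remote: Capture, body_threshold: float = 0.9) -> list:
    """Return human-readable findings; an empty list means the responses match."""
    findings = []
    if (home.error is None) != (remote.error is None):
        findings.append(f"transport: {home.vantage}={home.error or 'ok'} "
                        f"vs {remote.vantage}={remote.error or 'ok'}")
    if home.status != remote.status:
        findings.append(f"status: {home.vantage}={home.status} "
                        f"vs {remote.vantage}={remote.status}")
    h1, h2 = _normalize(home.headers), _normalize(remote.headers)
    for name in sorted(set(h1) | set(h2)):
        if h1.get(name) != h2.get(name):
            findings.append(f"header {name}: {h1.get(name)!r} vs {h2.get(name)!r}")
    if home.body or remote.body:
        ratio = SequenceMatcher(None, home.body, remote.body).ratio()
        if ratio < body_threshold:
            findings.append(f"body similarity {ratio:.2f} < {body_threshold}")
    return findings


def looks_like_ip_allowlist(home: Capture, remote: Capture) -> bool:
    """Strongest signal from the thread: denied (or no handshake) at home, success from the cloud."""
    home_denied = home.error is not None or home.status in DENIED_STATUSES
    remote_ok = (remote.error is None and remote.status is not None
                 and 200 <= remote.status < 400)
    return home_denied and remote_ok


# --- Constructed sample captures (not real targets or real responses) ---
HOME_404 = Capture("home", 404,
                   {"Server": "nginx", "Date": "Tue, 01 Jul 2025 00:00:00 GMT",
                    "Content-Type": "text/html"},
                   "<h1>404 Not Found</h1>")
AWS_200 = Capture("aws-us-east-1", 200,
                  {"Server": "nginx", "Date": "Tue, 01 Jul 2025 00:00:03 GMT",
                   "Content-Type": "text/html"},
                  "<title>Internal admin</title><form action='/login'>...</form>")

HOME_MTLS = Capture("home", None,
                    error="tls: alert(40) handshake failure (client certificate required)")
AWS_MTLS = Capture("aws-us-east-1", 200, {"Content-Type": "application/json"},
                   '{"status": "ok"}')

SAME_HOME = Capture("home", 200, {"Date": "Tue, 01 Jul 2025 00:00:00 GMT",
                                  "Content-Type": "text/plain"}, "hello")
SAME_AWS = Capture("aws-us-east-1", 200, {"Date": "Tue, 01 Jul 2025 00:00:09 GMT",
                                          "Content-Type": "text/plain"}, "hello")

if __name__ == "__main__":
    for label, pair in (("404 vs 200", (HOME_404, AWS_200)),
                        ("mTLS vs none", (HOME_MTLS, AWS_MTLS)),
                        ("identical", (SAME_HOME, SAME_AWS))):
        print(label, "allowlist suspected:", looks_like_ip_allowlist(*pair))
        for line in diff_captures(*pair):
            print("   ", line)
```

Run it against your own captures by building a `Capture` per vantage point; the volatile-header list is the part you will most often need to tune, since CDNs add their own per-request identifiers and a noisy diff hides the single status or TLS difference that matters.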