Can you trust the trust dialog?
We discovered that running Claude Code in malicious folders could have executed system commands before the trust dialog even appears! Learn about the details in our latest blog post:
https://t.co/tw1f6fWNrM
#appsec #security #vulnerability
Just published two new vulnerability write-ups:
💻 FortiClient – Two-click RCE via code injection in the login window
https://t.co/ga7YeSpfwj
⚠️ FortiGuard – “Access Blocked” page XSS
https://t.co/tHsBJLhIL2
TROOPERS talks are now live on YouTube!
Curious how attackers can turn endpoint protection into an entry point?
In my session, I break down exactly how these compromises happen - step by step.
🎥 Watch here: https://t.co/VpH0t9c7EC
🔄📦 GitHub Actions offer powerful automation capabilities for CI/CD, but they're not immune to attacks.
Take a look at how we tackle this risk with SonarQube Cloud by diving into real-world vulnerabilities.
https://t.co/V9m3HXtRQv
#appsec #security #vulnerability
🗒️✍️ Taking a note on security: our latest blog post focuses on Go vulnerabilities, including Arbitrary File Write, XSS, and Misconfiguration. Showcasing our new support for the language in SonarQube Cloud!
https://t.co/7UkA5Z4XVI
#appsec #security #vulnerability
🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” series comes to an end with one more thing.
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS
https://t.co/5WNdG3vIlt
#appsec #security
[2/2] Meaning that if you have a file write and can't control the extension and the extension doesn't correlate to any Content-Type (let's say .abc), you can add .html to the file name (https://t.co/OwiPnn2LEx) and httpd will serve it as text/html
📁🫷🚧 Can't control the extension of a file upload, but you want an XSS?
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:
https://t.co/OM0OQvlwgF
#appsec #vulnerability #bugbountytips
Great bug chain by @YNizry that can pwn a whole org, starting with a single user click! I was also able to contribute a bit by creating my first port of a Chrome n-day exploit :)
It was a pleasure to speak at #TROOPERS25 about my Fortinet findings. In case you missed it and don't want to wait for the recording, the first blog post is now live:
🕸️🏢 Caught in the FortiNet: Exploiting Fortinet’s endpoint protection solution to compromise an entire organization using minimal user interaction.
Dive into our technical analysis of this interesting attack scenario:
https://t.co/PtpmvKkeui
#appsec #security #vulnerability
Catch our second talk at #TROOPERS25:
🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection
@YNizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click
📁 Using polyglot file and RXSS to achieve one-click RCE on a Voyager instance.
Read more about how SonarQube Cloud detected CVE-2024-55417 in our latest blog post:
https://t.co/U9MfSxBuJI
#appsec #security #vulnerability
Recently, I had the opportunity to reverse engineer and debug binaries on macOS 🪲🔍
I faced some Apple limitations during setup and struggled to find good beginner resources, so I wrote a short blog post to help others.
https://t.co/NnlySH5Mqs
#macos #debugging #lldb
🧵 [1/4] Here is our DOMPurify 3.2.1 bypass, using a namespace confusion technique where each element is initially in a “correct” namespace.
When it was allowed, the ‘is’ attribute was not handled correctly, making the attribute content’s regex check obsolete.
#mXSS #XSS
The reason most PHP-based HTML sanitizers are inherently vulnerable to bypasses is just the tip of the iceberg🥶.
Check out our latest blog post to learn why server-side sanitization is doomed to fail.
https://t.co/ricaduPHf7
#appsec #security #vulnerability #php
Join us at OWASP SF for our talk, "Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail" to discover why client-side sanitization is crucial for a secure web. Can't make it? Stay tuned for our upcoming blog post.
#OWASP #GlobalAppSecSanFran
Browsers don’t protect users from CSRF attacks when a website is using the convenient basic HTTP authentication method.
Take a look at how SonarCloud found vulnerabilities in pyspider:
https://t.co/Z7ftit5bWl
#appsec #security #vulnerability
The simple <script> XSS didn’t work? Don’t give up before trying some mXSS magic🪄.
Get to know the fundamentals of this bug class on your way to becoming a master of sanitizer bypasses:
https://t.co/ZBzN4g0o3s
#appsec #security #vulnerability #mXSS