by Alexandre Zanni | May 26, 2023 | Technical articles EN, Challenges
The vulnerability to be detected for this challenge was an SSRF due to inconsistent processing of values between the security control and the business operation. Solving the challenge does not necessarily require knowledge of the language (Ruby) or the web framework...
by Alexandre Zanni | Apr 24, 2023 | Technical articles EN, Challenges
The vulnerability to be detected for this challenge was an access control flaw due to improper handling of case sensitivity and improper validation of path equivalence. The challenge resolution required knowledge of the Node.js web framework Express. Note: This...
by Alexandre Zanni | Mar 2, 2023 | Technical articles EN, Challenges
The vulnerability to be detected for this challenge was an XSS via collision by case transformation due to the misordering of security measures. Solving the challenge does not necessarily require knowledge of the language (Ruby) or the web framework (Roda). Indeed,...
by Alexandre Zanni | Feb 16, 2023 | Technical articles EN, Tools and methods
Those who are keen on notifications, whether on Twitter or GitHub, will not have missed the release of version 2.0.0 of ffuf. In my previous article Advanced Tips with ffuf, I started by introducing ffuf: What is it for? What makes it different from the others? The...
by Alexandre Zanni | Feb 6, 2023 | Technical articles EN, Challenges
n°1 – Open-Redirect – Solutions The vulnerability to be detected for this challenge was an arbitrary redirect ("open-redirect"). At least three solutions were possible to solve this challenge. Solving the challenge does not necessarily require...
by Alexandre Zanni | Oct 21, 2022 | Technical articles EN, Tools and methods
Note: This article is also available in French 🇫🇷. What the ffuf? ffuf is the acronym of Fuzz Faster U Fool; it is a command-line utility (CLI) intended for penetration testers (pentesters). It is primarily a file and folder scanner for web...
by Alexandre Zanni | Oct 4, 2022 | Technical articles EN, Tools and methods
Transform vulnerabilities to or how to steal user sessions by chaining low risk vulnerabilities Note: This article is also available in French 🇫🇷. This article presents an attack scenario that allows chaining together vulnerabilities, which...
by Alexandre Zanni | Jul 19, 2022 | Technical articles EN, Tools and methods
In this article we’ll see how to crack encrypted archives protected with a password: using the Biham and Kocher plaintext attack on Zip archives (PKZIP) using encryption method ZipCrypto Store (can be extended to ZipCrypto Deflate); using a classic wordlist attack on...