Reversing JS Malware From marveloptics.com

The injected script steals checkout form data and sends it to a Chinese-owned domain. But the attackers are really bad at programming.

An Analysis of Cloudflare's Email Address Obfuscation

It’s a hex-encoded string where the first byte (the key) is XORed against each subsequent byte to decrypt the email address. This is not a vulnerability.

Hacking Harvard (and nearly every other college)

Chaining two CSRF attacks and brute-forcing the user’s birth date (upper bound = 730 requests) allowed complete account takeover.

Snow Day Calculator XSS

PHP’s type coercion and unescaped use of the page’s snowdays parameter allow injecting arbitrary HTML and JavaScript via a reflected XSS attack.

Stored XSS in Schoology

Schoology blog posts accept a plain HTML document via a TinyMCE editor, which may be injected with arbitrary elements, including iframes and event handlers.

Uncovering a Bug in Cloudflare's Minification Service

A bug in Cloudflare’s Auto Minify service parsed // and /* ... */ within ES6 `template literals` as comments, causing it to truncate lines or entire blocks of code, leading to unpredictable behavior or, in rare cases, a code injection vulnerability.

Bypassing Cert Pinning in the Steam Mobile App

Use apktool and jadx to identify and remove cert pinning code so we can MITM the app to watch its network requests.