Popular posts

  1. I made a Gotion challenge for ACSC (Asian Cyber Security Challenge) 2023. It is a byte-range cache poisoning XSS challenge. Challenge description: Gotion is yet another simple secure note service. You might have seen this kind of application many times before, but try this one! Challenge repository: https://github.com/tyage/acsc2023-gotion "In ACSC 2023, I made a Gotion challenge and promotion video :) Thank you everyone who played! pic.twitter.com/SN4PXKkKid" — もうダニ by 左京区在中 (@tyage), February 26, 2023. Challenge details: the challenge has three components: a Go web application, nginx, and a bot.

  2. If you are developing applications on GitHub, you might have seen pull requests from Dependabot. It automatically finds outdated vulnerable packages and sends pull requests to fix them. It is enabled by default and can make commits on the dependabot/* branches of many repositories on GitHub. Therefore, I thought that if I could gain control of Dependabot, I could steal write permissions on those repositories. So I started to look into Dependabot.

  3. Gaining write permission on repositories with a bug in GitHub Actions. GitHub Actions is a useful feature for jobs such as building and publishing. I found a bug which allows unauthorized users to edit the main branch of repositories on GitHub. Repositories that enable GitHub Actions are affected, but fortunately the bug existed only in a brief window from 2021/02/04 18:42 UTC to 2021/02/05 13:35 UTC. Also, protected branches are safe :)

  4. Spring Framework, a popular web application framework for Java, supports "matrix variables". With matrix variables, we can set parameter values inside a path segment.

     // GET /owners/42;q=11/pets/21;q=22
     @GetMapping("/owners/{ownerId}/pets/{petId}")
     public void findPet(
         @MatrixVariable(name="q", pathVar="ownerId") int q1,
         @MatrixVariable(name="q", pathVar="petId") int q2) {
       // q1 == 11
       // q2 == 22
     }

     (source) Some of you may have seen URIs that contain a session ID, such as http://example.com/login;jsessionid=XXXXXXX . The important point is that matrix variables can appear not only in the last part of the URI but also in the middle part of the URI (e.

  5. I decided to run my blog on Hugo + GitHub Pages. I had been running the blog on WordPress for more than 10 years, but I felt there was little benefit in maintaining a dedicated server and periodically checking on WordPress updates.

  6. What

    This post is about a pattern in which CSP Embedded Enforcement can be used to bypass an XSS mitigation written in JavaScript.
    The following conditions are required, so there is normally no realistic situation where it can be used.
    It may be handy in CTFs.

    • The web page can load a same-origin page in an iframe
    • No CSP is set in the web page's response headers
    • Arbitrary HTML can be embedded in the web page (XSS is possible)
    • However, the web page has a JavaScript-based XSS defense mechanism

    In this case, CSP Embedded Enforcement can be used to circumvent the defense mechanism so that only the attack code is executed.
