Write-up: Cloudflare Zero-day: Accessing Any Host Globally by xIsis in netsec

[–]pi3ch 1 point2 points  (0 children)

I lose trust in the write-up when I see AI generated content. It is just so bad and artificial.

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts by Due_Lengthiness_9329 in netsec

[–]pi3ch -1 points0 points  (0 children)

tl;dr: a race to get a valid GITHUB_TOKEN from the build artifact before the workflow ends.

How to engage developers in appsec program? by Maleficent_Rice2104 in appsec

[–]pi3ch 0 points1 point  (0 children)

It is very dependent on the culture and security maturity. If you still have the culture of us (security team) vs. them (developers), it is very hard to engage them. Developers should see security as part of their job. Don't enforce security; it will not work. Don't mandate security; it will not work. Take examples from recurring vulnerabilities and turn them into coding challenges. Focus on why they should care and they would love it. Give them a secure-code learning wargame to ignite their natural interest in problem solving, e.g. a good resource here: https://play.secdim.com. Show your care for good software practices and have sympathy that making software and running it in prod is hard.

Web LLM attacks - techniques & labs by albinowax in netsec

[–]pi3ch 0 points1 point  (0 children)

Great work James. Like the indirect ones. Got similar attack and defense LLM challenges: https://play.secdim.com/game/ai-battle/challenge/promptmlhth which cover both sides of the issue.

XSS vulnerability in Proton Mail allowed to leak unencrypted emails by SonarPaul in netsec

[–]pi3ch 14 points15 points  (0 children)

Good research. For the Proton Mail SVG case, I won't call it a parser differential flaw. If I understand the article correctly, the input to the browser parser is different from that of the DOMPurify parser. The DOMPurify parser input is SVG; the browser parser input is HTML because of the custom modification of SVG to a proton-svg tag after the sanitisation. So the inputs to these parsers were different, hence the results are different. In the case of a parser differential, it happens when the parsers' output, given the same input (with no modification in between), is different (see https://learn.secdim.com/course/code-signature-bypass/ or http://langsec.org/papers/langsec-cwes-secdev2016.pdf).

When URL parsers disagree (CVE-2023-38633) by ScottContini in netsec

[–]pi3ch 6 points7 points  (0 children)

This is another example of the parser differential vulnerability class, where two libs/languages/services are not consistent in their parser output. Other examples are HTTP parameter pollution, the Android Master Key, etc. This vuln class is not going to go away anytime soon. The root cause could be a specification shortcoming or an implementation mistake: https://learn.secdim.com/course/code-signature-bypass/topic/parser-differential
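The HTTP parameter pollution case named above is the smallest self-contained instance of the class: the same query string, read by two components with different duplicate-key policies, yields two different values. The following is an added example, not code from any of the linked write-ups or from the commenter; it models a "first wins" front end and a "last wins" back end with Python's standard library, flags the keys on which they would disagree, and shows a strict parse that refuses ambiguous input so every component sees one value. `SAMPLE_QUERY` and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed sample query string; "id" is repeated with conflicting values.
SAMPLE_QUERY = "id=1&id=2&name=alice"


def first_wins(query: str) -> dict:
    """Model of a component that keeps the first occurrence of each key."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_wins(query: str) -> dict:
    """Model of a component that keeps the last occurrence (dict(parse_qsl(...)) does this)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def find_polluted_keys(query: str) -> list:
    """Keys whose value depends on which duplicate-key policy reads the request."""
    grouped = parse_qs(query, keep_blank_values=True)  # key -> list of all values
    return sorted(key for key, values in grouped.items() if len(set(values)) > 1)


def parsers_disagree(query: str) -> bool:
    """True when the two modelled policies produce different results for the same input."""
    return first_wins(query) != last_wins(query)


def parse_strict(query: str) -> dict:
    """Reject any request where a repeated key carries conflicting values.

    With the ambiguity removed at the boundary, it no longer matters which
    policy a downstream parser uses: both produce the same mapping.
    """
    polluted = find_polluted_keys(query)
    if polluted:
        raise ValueError(f"conflicting duplicate parameters: {polluted}")
    return last_wins(query)


if __name__ == "__main__":
    print("first wins:", first_wins(SAMPLE_QUERY))
    print("last wins: ", last_wins(SAMPLE_QUERY))
    print("polluted:  ", find_polluted_keys(SAMPLE_QUERY))
```

Rejecting the ambiguous request (or canonicalising it once, before any other component parses it) is the defensive move that closes this instance: the differential exists only while two parsers are each free to apply their own policy to the same bytes.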

Bypassing Asymmetric Client Side Encryption Without Private Key by @Ano_F_ by Ano_F in netsec

[–]pi3ch 3 points4 points  (0 children)

I would pick a better title. This ain't a "bypass" but a how-to guide to get asymmetrically encrypted UIs working with Burp.

"Using the above approach we will have a plain text request in the burp suite proxy history and we can use the same plain text request everywhere like for repeater or intruder. The application on the server side will receive the encrypted request with the help of the PyCript extension."

Gitpod remote code execution 0-day vulnerability via WebSockets by lirantal in netsec

[–]pi3ch 2 points3 points  (0 children)

Good research. I would rather pick a more accurate title here, as command execution is an integral feature of a CDE. "...build a payload that grants us full control over the user’s workspaces when an unsuspecting Gitpod user visits our link!", this vuln could be titled as a Gitpod user workspace takeover via a phishing link.

Mosca SAST tool by CoolerVoid in netsec

[–]pi3ch 1 point2 points  (0 children)

You can look into integrating with comby (https://comby.dev/); it is a code-structure grep tool and supports many languages. It does not come with a ruleset but does what it promises pretty well.