Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-infosec

Personal infosec awesome list. Highly subjective by nature.
https://github.com/spekulatius/awesome-infosec

Last synced: 2 days ago
JSON representation

Bugs
- Font Files
  - `CVE-2024-25082` - Similar to previous one, but in archives of compressed WOFF (ZLIB-based) / WOFF2 (Brotli-based) fonts.
  - `CVE-2024-4367` - Glyph rendering in Mozilla's PDF.js leads to JavaScript Execution [`Codean Labs`](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/).
  - Fonts are still a Helvetica of a Problem - Canva Dev-blog covering:
  - `CVE-2023-45139` - XXE via generating a subset from a font,
  - `CVE-2024-25081` - Command-injection via filenames in subfonts,
  - Fonts are still a Helvetica of a Problem - Canva Dev-blog covering:
  - `CVE-2023-45139` - XXE via generating a subset from a font,
  - `CVE-2024-25081` - Command-injection via filenames in subfonts,
  - `CVE-2024-25082` - Similar to previous one, but in archives of compressed WOFF (ZLIB-based) / WOFF2 (Brotli-based) fonts.
  - `CVE-2024-4367` - Glyph rendering in Mozilla's PDF.js leads to JavaScript Execution [`Codean Labs`](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/).
- Request Smuggling
  - `#771666` - Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on `api.zomato.com` `2020-01-10`.
  - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference talk by James Kettle ([@albinowax](https://twitter.com/albinowax)) of PortSwigger `2019-11-16`.
  - `#771666` - Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on `api.zomato.com` `2020-01-10`.
  - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference talk by James Kettle ([@albinowax](https://twitter.com/albinowax)) of PortSwigger `2019-11-16`.
  - `#737140` - CL.TE-based request smuggling on Slack `2019-11-14`.
  - `#737140` - CL.TE-based request smuggling on Slack `2019-11-14`.
  - HTTP Desync Attacks: Request Smuggling Reborn - `2019-08-07`.
  - HTTP Desync Attacks: Request Smuggling Reborn - `2019-08-07`.
  - defparam/smuggler - An HTTP Request Smuggling / Desync testing tool `Python 3`.
  - defparam/smuggler - An HTTP Request Smuggling / Desync testing tool `Python 3`.
- Deserialization
  - Insecure Deserialization Detection in Python - Project work by Aneesh Verma discussing deserialization issues `2023-05`.
  - Insecure Deserialization Detection in Python - Project work by Aneesh Verma discussing deserialization issues `2023-05`.
  - frohoff/ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  - Universal Deserialisation Gadget for Ruby 2.x-3.x - `2021-01-07`.
  - Ruby Deserialization - Ruby 2.x Universal RCE Deserialization Gadget Chain `2018-11-08`.
  - ambionics/phpggc - PHPGGC is a library of PHP `unserialize()`-payloads along with a tool to generate them, from command line or programmatically.
  - ambionics/phpggc - PHPGGC is a library of PHP `unserialize()`-payloads along with a tool to generate them, from command line or programmatically.
  - Finding a POP chain on a common Symfony bundle - Detailed, step-by-step bash-driven analysis of a Symfony bundle [`Part 2`](https://www.synacktiv.com/en/publications/finding-a-pop-chain-on-a-common-symfony-bundle-part-2) `2023-09-12`.
  - Finding a POP chain on a common Symfony bundle - Detailed, step-by-step bash-driven analysis of a Symfony bundle [`Part 2`](https://www.synacktiv.com/en/publications/finding-a-pop-chain-on-a-common-symfony-bundle-part-2) `2023-09-12`.
  - Code Reuse Attacks in PHP: Automated POP Chain Generation - Using static analytics to automatically identify POP chains in various PHP frameworks.
  - Code Reuse Attacks in PHP: Automated POP Chain Generation - Using static analytics to automatically identify POP chains in various PHP frameworks.
  - frohoff/ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  - Universal Deserialisation Gadget for Ruby 2.x-3.x - `2021-01-07`.
  - Ruby Deserialization - Ruby 2.x Universal RCE Deserialization Gadget Chain `2018-11-08`.
- Archives: ZipSlip/TarSlip and others
  - `CVE-2023-40477` - code execution via crafted .rar in vulnerable WinRAR versions prior to 6.23 [`PoC (unverified)`](https://github.com/b1tg/CVE-2023-38831-winrar-exploit) `2023-08-17`.
  - `CVE-2023-32981` - Arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier using crafted archives as parameters [`GitHub Security Lab`](https://securitylab.github.com/advisories/GHSL-2023-058_GHSL-2023-059_Pipeline_Utility_Steps_Plugin/) `2023-05-16`.
  - `CVE-2023-40477` - code execution via crafted .rar in vulnerable WinRAR versions prior to 6.23 [`PoC (unverified)`](https://github.com/b1tg/CVE-2023-38831-winrar-exploit) `2023-08-17`.
  - `CVE-2023-32981` - Arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier using crafted archives as parameters [`GitHub Security Lab`](https://securitylab.github.com/advisories/GHSL-2023-058_GHSL-2023-059_Pipeline_Utility_Steps_Plugin/) `2023-05-16`.
  - `#1914118` - [`PR`](https://github.com/github/securitylab/issues/728), [`Video`](https://www.youtube.com/watch?v=F95U912u7OQ) `2023-03-21`.
  - `CVE-2022-3607` - ZipSlip Symlink variant allows to read any file within OctoPrint Box in [octoprint/octoprint](https://github.com/OctoPrint/OctoPrint) [`Fix`](https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e) `2022-08-24`.
  - `#1914118` - [`PR`](https://github.com/github/securitylab/issues/728), [`Video`](https://www.youtube.com/watch?v=F95U912u7OQ) `2023-03-21`.
  - `CVE-2022-3607` - ZipSlip Symlink variant allows to read any file within OctoPrint Box in [octoprint/octoprint](https://github.com/OctoPrint/OctoPrint) [`Fix`](https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e) `2022-08-24`.
- CLI Applications
  - Terminally Owned - 60 Years of Escaping - DEF CON 31 talk by David Leadbeater `2023`.
  - Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare - DEF CON 31 talk by STÖK `2023`.
  - Plain Text? Really? - NDC Oslo 2021 talk by Dylan Beattie `2021`.
  - Terminally Owned - 60 Years of Escaping - DEF CON 31 talk by David Leadbeater `2023`.
  - Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare - DEF CON 31 talk by STÖK `2023`.
  - Plain Text? Really? - NDC Oslo 2021 talk by Dylan Beattie `2021`.
- Image Libs: Converters, Resizers, etc. pp
  - `CVE-2023-34153` - Command injection via `video:vsync` or `video:pixel-format` [`Fix`](https://github.com/ImageMagick/ImageMagick/issues/6338) `2023-05-30`.
  - ImageMagick: The hidden vulnerability behind your online images - `2023-02-01`.
  - `CVE-2022-44268` - Arbitrary File Read over ImageMagick [`#1858574`](https://hackerone.com/reports/1858574) [`alternative`](https://github.com/voidz0r/CVE-2022-44268).
  - ImageMagick - Shell injection via PDF password - `2021-11-21`.
  - `#1154542` - RCE in GitLab when removing metadata with ExifTool [Video](https://www.youtube.com/watch?v=PZ-H099IaWo) `2021-04-07`.
  - `CVE-2021-32802` - HEIC image preview can be used to invoke Imagick [`#1261413`](https://hackerone.com/reports/1261413) `2020-07-14`.
  - `CVE-2019-11932` - Double-free bug in WhatsApp turns to RCE [`BBRE`](https://www.youtube.com/watch?v=lplExF6djQ4) `2019-10-02`.
  - `CVE-2023-34153` - Command injection via `video:vsync` or `video:pixel-format` [`Fix`](https://github.com/ImageMagick/ImageMagick/issues/6338) `2023-05-30`.
  - ImageMagick: The hidden vulnerability behind your online images - `2023-02-01`.
  - `CVE-2022-44268` - Arbitrary File Read over ImageMagick [`#1858574`](https://hackerone.com/reports/1858574) [`alternative`](https://github.com/voidz0r/CVE-2022-44268).
  - `CVE-2016-3714` - "ImageTragick" Delegate Arbitrary Command Execution [`Exploit-DB`](https://www.exploit-db.com/exploits/39791).
  - ImageMagick - Shell injection via PDF password - `2021-11-21`.
  - `#1154542` - RCE in GitLab when removing metadata with ExifTool [Video](https://www.youtube.com/watch?v=PZ-H099IaWo) `2021-04-07`.
  - `CVE-2021-32802` - HEIC image preview can be used to invoke Imagick [`#1261413`](https://hackerone.com/reports/1261413) `2020-07-14`.
  - `CVE-2019-11932` - Double-free bug in WhatsApp turns to RCE [`BBRE`](https://www.youtube.com/watch?v=lplExF6djQ4) `2019-10-02`.
  - `CVE-2016-3714` - "ImageTragick" Delegate Arbitrary Command Execution [`Exploit-DB`](https://www.exploit-db.com/exploits/39791).
- SQLi
  - payloadbox/sql-injection-payload-list - SQL Injection Payload List.
  - payloadbox/sql-injection-payload-list - SQL Injection Payload List.
- URL Parsers
  - `RFC 3986` - Official RFC Uniform Resource Identifier (URI) `2005-01`.
  - What Is a URL? - Dangers of inconsistent parsing of URLs `2023-04-30`.
  - http-http-http-http-http-http-http - Daniel Stenberg, the author of curl, discusses URLs validation with examples `2022-09-08`.
  - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - BlackHat talk by Orange Tsai discussing how different libs parse URLs [`Slides`](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf) `2017`.
  - `RFC 3986` - Official RFC Uniform Resource Identifier (URI) `2005-01`.
  - What Is a URL? - Dangers of inconsistent parsing of URLs `2023-04-30`.
  - http-http-http-http-http-http-http - Daniel Stenberg, the author of curl, discusses URLs validation with examples `2022-09-08`.
  - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - BlackHat talk by Orange Tsai discussing how different libs parse URLs [`Slides`](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf) `2017`.
- WYSIWYG Editors
  - `CVE-2023-30943` - Moodle vulnerability allowing a remote user to send a specially crafted HTTP request and create arbitrary folders on the system using TinyMCE loaders `2023-05-11`.
  - `CVE-2011-4906` - Joomla 1.5.12 TinyMCE vulnerability leading to RCE (via Arbitrary File Upload) [`#778629`](https://hackerone.com/reports/778629) [`Exploit-DB`](https://www.exploit-db.com/exploits/10183).
  - `CVE-2023-30943` - Moodle vulnerability allowing a remote user to send a specially crafted HTTP request and create arbitrary folders on the system using TinyMCE loaders `2023-05-11`.
  - `CVE-2011-4906` - Joomla 1.5.12 TinyMCE vulnerability leading to RCE (via Arbitrary File Upload) [`#778629`](https://hackerone.com/reports/778629) [`Exploit-DB`](https://www.exploit-db.com/exploits/10183).
- XSS
  - OWASP: XSS Cheat Sheet - Filter Evasion Cheat Sheet by OWASP.
  - Cross-site scripting (XSS) cheat sheet - XSS Cheat Sheet by Portswigger.
  - AwesomeXSS - Awesome Page about XSS.
  - Cross-site scripting contexts - Portswigger XSS context breakouts.
  - Breaking XSS mitigations via Script Gadgets - Conference talk from 2017 explaining various CSP bypasses using Script Gadgets `2017`.
  - OWASP: XSS Cheat Sheet - Filter Evasion Cheat Sheet by OWASP.
  - Cross-site scripting (XSS) cheat sheet - XSS Cheat Sheet by Portswigger.
  - AwesomeXSS - Awesome Page about XSS.
  - Cross-site scripting contexts - Portswigger XSS context breakouts.
  - Breaking XSS mitigations via Script Gadgets - Conference talk from 2017 explaining various CSP bypasses using Script Gadgets `2017`.
- XSS via `data:`-Attribute
  - `#1444682` - XSS over data: at `jamfpro.shopifycloud.com` in outdated Swagger UI `2022-01-09`.
  - `#1276742` - Stored XSS in SVG file as `data:` url in rich text editor `2021-07-24`.
  - `#1444682` - XSS over data: at `jamfpro.shopifycloud.com` in outdated Swagger UI `2022-01-09`.
  - `#1276742` - Stored XSS in SVG file as `data:` url in rich text editor `2021-07-24`.
Orientation
- roadmap.sh - Cyber-Security Roadmap.
- roadmap.sh - Cyber-Security Roadmap.
Bug Chains
- XSS via `data:`-Attribute
  - `#2089042` - ATO via self-XSS and cookie bridge (to switch to local domains: here `yelp.com` to `yelp.dk`). Includes setting additional cookies to break the cookie bridge. `2023-07-28`.
  - `#2089042` - ATO via self-XSS and cookie bridge (to switch to local domains: here `yelp.com` to `yelp.dk`). Includes setting additional cookies to break the cookie bridge. `2023-07-28`.
  - Two XSS Vulnerabilities in Azure with Embedded postMessage IFrames - iframe, postMessage and XSS `2023-06-14`.
  - A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF… - a complex bug chain consisting of an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, and a permissive CORS configuration `2023-05-05`.
  - `#1032610` - Chaining requests to bypass a blacklist `2020-11-12`.
  - WordPress Transposh: Exploiting a Blind SQL Injection via XSS - combining three CVEs using weak default config, using stored XSS, and blind SQL `2022-07-22`.
  - CVE-2023-36844 and Friends: RCE in Juniper Devices - Utilising two bugs that would be near-useless in isolation and combining them to unauthenticated RCE [ComputerWeekly](https://www.computerweekly.com/news/366550532/Threat-actors-exploiting-unpatched-Juniper-Networks-devices) [`CVE-2023-36846`](https://nvd.nist.gov/vuln/detail/CVE-2023-36846) [`CVE-2023-36845`](https://nvd.nist.gov/vuln/detail/CVE-2023-36845) [`PoC`](https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844).
  - Two XSS Vulnerabilities in Azure with Embedded postMessage IFrames - iframe, postMessage and XSS `2023-06-14`.
  - WordPress Transposh: Exploiting a Blind SQL Injection via XSS - combining three CVEs using weak default config, using stored XSS, and blind SQL `2022-07-22`.
  - XXE-scape through the front door: circumventing the firewall with HTTP request smuggling - XML External Entity injection (XXE) vulnerability combined with request smuggling `2020-03-18`.
  - A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF… - a complex bug chain consisting of an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, and a permissive CORS configuration `2023-05-05`.
  - `#1032610` - Chaining requests to bypass a blacklist `2020-11-12`.
  - XXE-scape through the front door: circumventing the firewall with HTTP request smuggling - XML External Entity injection (XXE) vulnerability combined with request smuggling `2020-03-18`.
Language-Level
- PHP
  - Type Juggling - Official PHP page.
  - PHP Magic Tricks: Type Juggling - `2015`.
  - PHP filters chain - What is it and how to use it `2022`.
  - Type Juggling - Official PHP page.
  - PHP Magic Tricks: Type Juggling - `2015`.
  - PHP filters chain - What is it and how to use it `2022`.
- Python
  - Prototype Pollution in Python - `2023-01-04`.
  - Prototype Pollution in Python - `2023-01-04`.
Secret Scanning
- Docker
  - Finding leaked secrets in your Docker image with a scanner - `2022-02-01`.
  - Finding leaked secrets in your Docker image with a scanner - `2022-02-01`.

Programming Languages

JavaScript 2 PHP 2 Python 2 Java 2

Ecosyste.ms: Awesome

awesome-infosec

Bugs

Font Files

Request Smuggling

Deserialization

Archives: ZipSlip/TarSlip and others

CLI Applications

Image Libs: Converters, Resizers, etc. pp

SQLi

URL Parsers

WYSIWYG Editors

XSS

XSS via `data:`-Attribute

Orientation

Bug Chains

XSS via `data:`-Attribute

Language-Level

PHP

Python

Secret Scanning

Docker