Demystifying HTTP request smuggling
This is a cross post of the blog post written here:https://snyk.io/blog/demystifying-http-request-smuggling/. Often at my role as a Security Analyst within Snyk, I study trends within the dependenc...
This blog post contains a walk-through of https://webhacking.kr/ wargames which was recommended to me by a friend. Level 1 The following can be seen in level 1. The source code of the backend ...
Recently I went hunting for Zip traversal vulnerabilities within the PHP ecosystem. While looking at well known PHP ZIP dependencies, I noticed that, both pclzip and zipper were vulnerable to trave...
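The check behind the Zip traversal (a.k.a. "Zip Slip") class mentioned above, as an added example that is not code from the original post or from pclzip/zipper: an archive member name such as `../../etc/cron.d/evil` is only dangerous if the extractor joins it onto the destination directory without confirming the resolved path still lies inside that directory. The snippet below is written in Python rather than PHP purely so it runs stand-alone; the archive contents, the member names and the destination path `/tmp/extract` are constructed for illustration.

```python
import io
import os
import zipfile


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if extracting member `name` would land inside `dest`.

    Rejects absolute names and backslash separators outright, then resolves
    the joined path (collapsing any '..' components and symlinks) and checks
    it is still below the resolved destination directory.
    """
    if name.startswith(("/", "\\")) or "\\" in name:
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    # Exact match covers "." and "" style entries; the separator-suffixed
    # prefix check prevents "/tmp/extract2" passing for dest "/tmp/extract".
    return target == dest_real or target.startswith(dest_real + os.sep)


def classify_members(zip_bytes: bytes, dest: str):
    """Split an archive's member names into (accepted, rejected) for `dest`."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = accepted if is_safe_member(info.filename, dest) else rejected
            bucket.append(info.filename)
    return accepted, rejected


def build_sample_zip() -> bytes:
    """Constructed test archive: two benign entries and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../etc/cron.d/evil", "* * * * * root id")   # parent traversal
        zf.writestr("/tmp/abs.txt", "absolute path")                 # absolute name
        zf.writestr("docs/../docs/ok.txt", "normalises inside dest") # '..' but stays inside
        zf.writestr("docs/../../escape.txt", "escapes via nested dotdot")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = classify_members(build_sample_zip(), "/tmp/extract")
    print("accepted:", ok)
    print("rejected:", bad)
```

Note that a plain `".." in name` test is both too strict (it rejects `docs/../docs/ok.txt`, which is fine) and too lax on other platforms (it misses backslash forms and absolute names); resolving the final path and comparing prefixes is the check that generalises.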
DOM-based Cross-site Scripting (XSS) is a type of XSS where user input is written to a web page's Document Object Model without proper sanitization. This could be abused by an attacker to manipulat...
Notes related to RipsTech PHP Security Calendar 2019 which aren’t accessible anymore. Challenge 1 - Candy Cane import org.jdom2.Content; import org.jdom2.Document; import org.jdom2.JDOMException;...

This blog post contains a walkthrough of Nebula provided by Exploit Education. Nebula is a vulnerable ISO which has a variety of Linux privilege escalation vulnerabilities. Some of these vulnerabil...
The favicons of Chirpy are placed in the directory assets/img/favicons/. You may want to replace them with your own. The following sections will guide you to create and replace the default favicons...
Common XSS Tricks I use This post contains a list of the XSS payloads I tend to use most often. Taken from the internet, the origin of most of these payloads is unknown but they are often sh...
This challenge was part of Facebook CTF. Looking at the challenge tab, the following information is provided: Going to the provided URL, this leads to the following web application where you ca...
This challenge was part of Facebook CTF. Looking at the challenge tab, the following information is provided: The goal of this challenge is to exploit the PDF conversion service seen below. ...