Yaniv Nizry

Just published two new vulnerability write-ups: 💻FortiClient – Two-click RCE via code injection in the login window yaniv-git.github.io/2025/10/13/For… ⚠️FortiGuard – “Access Blocked” page XSS yaniv-git.github.io/2025/10/13/For…

TROOPERS talks are now live on YouTube! Curious how attackers can turn endpoint protection into an entry point? In my session, I break down exactly how these compromises happen - step by step. 🎥 Watch here: youtube.com/watch?v=sfjxjW…

🔄📦 GitHub Actions offer powerful automation capabilities for CI/CD, but they're not immune to attacks. Take a look at how we tackle this risk with SonarQube Cloud by diving into real-world vulnerabilities. sonarsource.com/blog/securing-… #appsec #security #vulnerability

🗒️✍️Taking a note on security: our latest blog post focuses on Go vulnerabilities, including Arbitrary File Write, XSS, and Misconfiguration. Showcasing our new support for the language in SonarQube Cloud! sonarsource.com/blog/securing-… #appsec #security #vulnerability

🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” series comes to an end with one more thing. Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS sonarsource.com/blog/caught-in… #appsec #security

[2/2] Meaning that if you have a file write and can't control the extension and the extension doesn't correlate to any Content-Type (let's say .abc), you can add .html to the file name (filename.html.abc) and httpd will serve it as text/html

[1/2] TL;DR: mod_mime, Apache httpd module that is responsible for assigning Content-Type, supports "Files with Multiple Extensions". #bugbountytips

[2/2] Meaning that if you have a file write and can't control the extension and the extension doesn't correlate to any Content-Type (let's say .abc), you can add .html to the file name (filename.html.abc) and httpd will serve it as text/html

Great bug chain by @YNizry that can pwn a whole org, starting with a single user click! I was also able to contribute a bit by creating my first port of a Chrome n-day exploit :)

It was a pleasure to speak at #TROOPERS25 about my Fortinet findings. In case you missed it and don't want to wait for the recording, the first blog post is now live:

Catch our second talk at #TROOPERS25: 🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection @YNizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click

📁 Using polyglot file and RXSS to achieve one-click RCE on a Voyager instance. Read more about how SonarQube Cloud detected CVE-2024-55417 in our latest blog post: sonarsource.com/blog/the-taint… #appsec #security #vulnerability

Recently, I had the opportunity to reverse engineer and debug binaries on macOS 🪲🔍 I faced some Apple limitations during setup and struggled to find good beginner resources, so I wrote a short blog post to help others. yaniv-git.github.io/2025/01/11/Mac… #macos #debugging #lldb

🧬🔬 I wrote about this finding a bit more extensively in my blog: yaniv-git.github.io/2024/12/08/DOM… #mXSS #XSS

The reason most PHP-based HTML sanitizers are inherently vulnerable to bypasses is just the tip of the iceberg🥶. Check out our latest blog post to learn why server-side sanitization is doomed to fail. sonarsource.com/blog/sanitize-… #appsec #security #vulnerability #php

Join us at OWASP SF for our talk, "Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail" to discover why client-side sanitization is crucial for a secure web. Can't make it? Stay tuned for our upcoming blog post. #OWASP #GlobalAppSecSanFran

Browsers don’t protect users from CSRF attacks when a website is using the convenient basic HTTP authentication method. Take a look at how SonarCloud found vulnerabilities in pyspider: sonarsource.com/blog/basic-htt… #appsec #security #vulnerability

The simple <script> XSS didn’t work? Don’t give up before trying some mXSS magic🪄. Get to know the fundamentals of this bug class on your way to becoming a master of sanitizer bypasses: sonarsource.com/blog/mxss-the-… #appsec #security #vulnerability #mXSS

Beating HTML Sanitisers  by Paul Gerste & Yaniv Nizry youtube.com/watch?v=g3yzTQ… #BBRENewsletter76