An Trinh

Wormable Substack XSS: blog.calif.io/p/wormable-sub… It must have been years since the last time a wormable XSS was found in a major social media website. This beautiful type confusion XSS attack vector is a gift that keeps on giving. But most of all, @samykamkar is our hero!

Type confusion attacks in ProseMirror editors blog.calif.io/p/type-confusi…

@crenshawdotdev @calif_io This looks good to me. Thanks for taking the suggestion.

New blog post: in a recent engagement, we turned a simple XSRF in Argo CD to a shell with cluster admin privileges. No fix is available. We recommend hosting Argo CD on an isolated domain. Details: blog.calif.io/p/argo-cd-csrf

In a recent engagement, we encountered a target running CraftCMS, and discovered a Remote Code Execution vulnerability that allowed us to compromise the target. blog.calif.io/p/craftcms-rce CC @yeuchimse

Calif: Redash SAML Authentication Bypass blog.calif.io/p/redash-saml-…

@christophetd @calif_io re-reporting to AWS: We haven't, mostly because we think of this as a new way to exploit an old flaw. Thanks again. Feel free to reach out if you want to discuss further.

@christophetd @calif_io GCP seems to have similar problems in the past with the node/kubelet token and have since greatly restricted the permissions of the GKS token stored on metadata. On system:node being able to create serviceaccounts/token (*for the pods on it), I believe this is the nature of k8s.

Calif Inc: Privilege escalation in AWS Elastic Kubernetes Service blog.calif.io/p/privilege-es…

Great work Khoa! Neat trick exploiting the content handler feature. Always love the feeling a research being appreciated and more research made.

Great usage of the xpath attack vector in xmlsec. A powerful deserialization bug and an ssrf in the public interface to break yet another SSO product. Beautiful stuff!

@scannell_simon Memcached keeps on giving. Great find!

CVE-2022-27924 allows an unauthenticated, remote attacker to dump clear-text creds from a Zimbra instance with default config. We used Memcache response injection to bypass restrictions. Apparently Zimbra is used by over 200.000. Patch now! blog.sonarsource.com/zimbra-mail-st…

@frycos @steventseeley It was more of an info leak than an auth bypass. Thanks for including that!

@steventseeley Maybe blog.tint0.com/2021/09/pingin…

I’m curious, had anyone here found any real world saml authentication bypass vulnerabilities with write ups?

@matthias_kaiser It looks worse. The substitutions can happen in both the string format *and* the string arguments

log4j2 is the new format string !

An attack vector in xmlsec and exploiting it on PingFederate. blog.tint0.com/2021/09/pingin…

@mogwailabs Thanks for writing it up. Although I believe jmxrmi doesn't prevent this. Have you tried the lookup op instead of bind?

In our latest blog post, we take a closer look at @_tint0 s RMIRegistry Bypass gadget mogwailabs.de/blog/2020/02/a…

@daveaitel Thanks. Will keep that in mind :)

@_tint0 You should submit a talk to INFILTRATE! :)

I made some research on Java remote protocols i.blackhat.com/eu-19/Wednesda…