munsiwoo

thanksgiving 2021: log4shell thanksgiving 2025: react2shell some things never change...

🔥 The "impossible" XXE in PHP? Not so impossible anymore. Our researcher Aleksandr Zhurnakov discovered an interesting combination of PHP wrappers and a feature of XML parsing in libxml2 to exploit it. Read: swarm.ptsecurity.com/impossible-xxe…

0-click RCE Exploit for CVE-2024-10924 that affects 4 million WP sites 🤪 Secure your site ASAP! #WordPress #BugBounty #BugBountyTips

@_lauritz_ there's another interesting trick here 😇 ```html <script> let a = '<!--<script>'; alert(a); // not work </script> <script> alert(2); // not work </script> ``` this behavior is also valid for backtick and double quote.

TIL: HTML comments work as single-line-comments in JavaScript context 🤯 <script> <!-- test --> alert(1); alert(2); </script> Only alert(2) is executed. #HTML #LegacyStuff #XSS

PlaidCTF is officially over!! Congratulations to our top-performing investigation teams! 1. "What's your ETA" (HypeBoy) 2. "Kalmar: Guardians of the Elven Veil - Paranormal Psyduck's Payback" (Kalmarunionen) 3. "Spooky Maltese Ghosts" (Friendly Maltese Citizens)

Statement on glibc/iconv Vulnerability Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered where a buffer overflow in character set conversions to the ISO-2022-CN-EXT character set affects PHP. Read our full statement at #2024-04-24-1" target="_blank" rel="nofollow noopener">php.net/archive/2024.p…

We HypeBoy topped Plaid CTF 2024! 👑 @_Reinose_en @justlikebono @munsiwoo @real_as3617 @mhibio_ptw @howdays1 @stanzz @soo_sudo @n1net4il @1nteger_c @c2w2m2 @pr0cf51 @cmy981224 @csapp3e ironore15 G0RiYa Thanks to the great support from dakuo & hellsonic

A few deprecations shipped in Chrome 120. Data URLs in SVG <use> is now blocked. chromestatus.com/feature/512882… CSP Embedded Enforcement's implicit opt-in for same-origin iframes is gone. chromestatus.com/feature/509815…

Web Security vs. Binary Exploitation

all team member: @_Reinose_en @justlikebono @munsiwoo @real_as3617 @mhibio_ptw @howdays1 @haven4someone @stanzz @soo_sudo @n1net4il @1nteger_c @c2w2m2 ironore15 G0RiYa only 14 korean teammates XD

Blind PostgreSQL Injection in DApp Interface (USD $20,000 Bounty) I'll be back soon with an English version post. Hang in there 😎 blog.munsiwoo.kr/2023/03/blind-…

Sometimes the bot may not work :( If you solve the challenge, please DM me with your payload.

I made a simple xss challenge :) link: munsiwoo.kr:7777 can you execute script you want, and steal the flag?

The end of PHP LFI challenges (?) - hxp.io/blog/88/The-en…

@ashuu_lee I wanna eat good beef. see you soon.

Today I got second bounty from VRP :) It was UAF vulnerability in stable chrome.

From now until Christmas, I will try to share something from my notes / research every day - most of them are old but might still be useful to remember #XMas2020 #AppSec #Web #HTTP

@po6ix 형은 좀 쉴 필요가 있다

Incredible research: $75,000 bounty🤯 "My research uncovered 7 0day vulnerabilities in Safari (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, & CVE-2020-9787), 3 were used in kill chain to access the camera." ryanpickren.com/webcam-hacking…

Top 10 new web hacking techniques of 2019 portswigger.net/research/top-1…

Ever wondered what makes a CTF challenge good? I've asked myself that many times. I wrote this to help me answer that question based on discussions with others in the community bit.ly/ctf-design