shubs
@shubs.io
Co-founder, security researcher. Building an attack surface management platform, @assetnote.io
Reposted by shubs
New blog post with @shubs.io:
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United State...
samcurry.net
January 23, 2025 at 5:44 PM
New blog post with @shubs.io:
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
Reposted by shubs
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
January 22, 2025 at 6:16 PM
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
Reposted by shubs
We broke something:
in a recent pentest on a hardened target, we were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application
We wrote it down for you to try at home:
modzero.com/en/blog/spri...
in a recent pentest on a hardened target, we were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application
We wrote it down for you to try at home:
modzero.com/en/blog/spri...
Exploiting SSTI in a Modern Spring Boot Application (3.3.4)
modzero.com
January 10, 2025 at 9:51 AM
We broke something:
in a recent pentest on a hardened target, we were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application
We wrote it down for you to try at home:
modzero.com/en/blog/spri...
in a recent pentest on a hardened target, we were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application
We wrote it down for you to try at home:
modzero.com/en/blog/spri...
Reposted by shubs
Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...
portswigger.net/research/top...
Top ten web hacking techniques of 2024: nominations open
Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an
portswigger.net
January 8, 2025 at 2:09 PM
Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...
portswigger.net/research/top...
Reposted by shubs
I put together a VERY limited (for now) list of web hackers in a Starter pack:
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
December 18, 2024 at 12:54 AM
I put together a VERY limited (for now) list of web hackers in a Starter pack:
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
Reposted by shubs
Rapid7 analysis of Apache #Struts 2 CVE-2024-53677 here via research lead Ryan Emmons — highlights:
* No, this isn't really being successfully exploited in the wild
* Payloads need to be customized to the target
* The 'fixed' version *does not* remediate the vuln
attackerkb.com/assessments/...
* No, this isn't really being successfully exploited in the wild
* Payloads need to be customized to the target
* The 'fixed' version *does not* remediate the vuln
attackerkb.com/assessments/...
remmons-r7's assessment of CVE-2024-53677 | AttackerKB
CVE-2024-53677 is a flawed upload logic vulnerability in Apache Struts 2. The vulnerability permits an attacker to override internal file upload variables in a…
attackerkb.com
December 18, 2024 at 8:48 PM
Rapid7 analysis of Apache #Struts 2 CVE-2024-53677 here via research lead Ryan Emmons — highlights:
* No, this isn't really being successfully exploited in the wild
* Payloads need to be customized to the target
* The 'fixed' version *does not* remediate the vuln
attackerkb.com/assessments/...
* No, this isn't really being successfully exploited in the wild
* Payloads need to be customized to the target
* The 'fixed' version *does not* remediate the vuln
attackerkb.com/assessments/...
Reposted by shubs
Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: assetnote.io/resources/re...
#attacksurfacemanagement
#attacksurfacemanagement
December 19, 2024 at 2:12 AM
Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: assetnote.io/resources/re...
#attacksurfacemanagement
#attacksurfacemanagement
We recently focused on CVE-2024-8534, a vulnerability that can cause DoS or memory corruption, pre-auth on Citrix NetScaler. You can read our research and analysis here: www.assetnote.io/resources/re...
Citrix Denial of Service: Analysis of CVE-2024-8534
An analysis of CVE-2024-8534, a memory safety vulnerability leading to memory corruption and Denial of Service in NetScaler ADC and Gateway.
www.assetnote.io
December 12, 2024 at 1:32 PM
We recently focused on CVE-2024-8534, a vulnerability that can cause DoS or memory corruption, pre-auth on Citrix NetScaler. You can read our research and analysis here: www.assetnote.io/resources/re...
Reposted by shubs
My latest blog post is live! Check your Ruby on Rails applications for the use of params[:_json]
nastystereo.com/security/rai...
nastystereo.com/security/rai...
December 10, 2024 at 8:30 AM
My latest blog post is live! Check your Ruby on Rails applications for the use of params[:_json]
nastystereo.com/security/rai...
nastystereo.com/security/rai...
Reposted by shubs
Here is a great follow up blog post to my blog Remote Code Execution with Spring properties written by Elliot Ward: snyk.io/articles/rem...
Remote Code Execution with Spring Boot 3.4.0 Properties | Snyk
this article introduces two methods for leveraging Logback configuration to achieve Remote Code Execution (RCE) in Spring Boot applications. These techniques are effective on the latest version of Spr...
snyk.io
December 6, 2024 at 9:46 PM
Here is a great follow up blog post to my blog Remote Code Execution with Spring properties written by Elliot Ward: snyk.io/articles/rem...
This is really great research by @ryotak.net -
I appreciated that he covered some of his experiments along the way, and how he landed on a finely tuned way of finding a 12-char hash collision with a command injection payload at the end.
flatt.tech/research/pos...
I appreciated that he covered some of his experiments along the way, and how he landed on a finely tuned way of finding a 12-char hash collision with a command injection payload at the end.
flatt.tech/research/pos...
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at Flatt Security Inc.
A few days ago, I was upgrading my home lab network, and I decided to upgrade the OpenWrt on my router.1 After ac...
flatt.tech
December 7, 2024 at 11:45 AM
This is really great research by @ryotak.net -
I appreciated that he covered some of his experiments along the way, and how he landed on a finely tuned way of finding a 12-char hash collision with a command injection payload at the end.
flatt.tech/research/pos...
I appreciated that he covered some of his experiments along the way, and how he landed on a finely tuned way of finding a 12-char hash collision with a command injection payload at the end.
flatt.tech/research/pos...
Reposted by shubs
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
November 27, 2024 at 9:10 AM
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
This is amazing. I’ve been in this scenario several times where the good old days of dropping a JSP file is not possible.
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!
Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties
Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...
srcincite.io
November 27, 2024 at 2:32 AM
This is amazing. I’ve been in this scenario several times where the good old days of dropping a JSP file is not possible.
Reposted by shubs
The "bug bounty hunters and content creators" starter pack is now up to 60 users! Follow this to get instantly connected to the bug bounty community & let me know if I've missed you off!
go.bsky.app/GD7hKPX
go.bsky.app/GD7hKPX
Bug bounty hunters & content creators
Join the conversation
go.bsky.app
November 23, 2024 at 4:21 PM
The "bug bounty hunters and content creators" starter pack is now up to 60 users! Follow this to get instantly connected to the bug bounty community & let me know if I've missed you off!
go.bsky.app/GD7hKPX
go.bsky.app/GD7hKPX
Reposted by shubs
I've just updated Shortscan to support reading a list of URLs to scan from a file (and included a minor bugfix). Feedback welcome! The latest version is v0.9.2 and can be found on Github: github.com/bitquark/sho...
GitHub - bitquark/shortscan: An IIS short filename enumeration tool
An IIS short filename enumeration tool. Contribute to bitquark/shortscan development by creating an account on GitHub.
github.com
November 25, 2024 at 12:55 AM
I've just updated Shortscan to support reading a list of URLs to scan from a file (and included a minor bugfix). Feedback welcome! The latest version is v0.9.2 and can be found on Github: github.com/bitquark/sho...
Reposted by shubs
The latest album from @ytcracker.bsky.social is so good
Advertising Neals
YTCracker · Album · 2024 · 17 songs
open.spotify.com
November 21, 2024 at 8:14 PM
The latest album from @ytcracker.bsky.social is so good
Earlier this year, Assetnote's Security Research team discovered a vulnerability in Sitecore XP (CVE-2024-46938) that can lead to pre-authentication RCE.
Order of operations bugs are one of my favorite types of bugs :) Write up and exploit script here: assetnote.io/resources/re...
Order of operations bugs are one of my favorite types of bugs :) Write up and exploit script here: assetnote.io/resources/re...
November 22, 2024 at 5:50 AM
Earlier this year, Assetnote's Security Research team discovered a vulnerability in Sitecore XP (CVE-2024-46938) that can lead to pre-authentication RCE.
Order of operations bugs are one of my favorite types of bugs :) Write up and exploit script here: assetnote.io/resources/re...
Order of operations bugs are one of my favorite types of bugs :) Write up and exploit script here: assetnote.io/resources/re...