~/x64.sh

  • Deploy and Destroy Featuring Certificates

    PentestingMobile

    Setting up devices for security research deployment often takes longer than the testing itself. Notes and tooling for standing up (and tearing down) an Android AVD each engagement — including installing the Burp CA on Android 14+.

  • Misconfigured Microsoft Content Provider

    Vuln ResearchMobile

    The misconfigured content provider bug in com.microsoft.launcher is disclosing issues with the proper functioning of this Android launcher application.

  • ServiceNow Insecure Access Control To Full Admin Takeover

    Vuln ResearchWeb

    An XHR request to xmlhttp.do with the "ChartDataProcessor" processor in the POST request allows the enumeration of the ServiceNow GQL database, including read access to the `sys_user_session` and `sys_user_token` tables, which provide the necessary information to generate valid `glide_user_activity` and `glide_session_store` cookies, and the X-Usertoken header to allow privilege escalation to any previously authenticated user..

  • JetEngine < 3.1.3.1 - Author+ Remote Code Execution

    Vuln ResearchWeb

    The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.

  • SwitchResX Vulnerability

    Vuln ResearchmacOS

    SwitchResX installs a privileged helper tool that runs as root but fails to validate incoming XPC connections. This post walks through decompiling the helper and abusing its exported moveFiles method to achieve local privilege escalation.

  • Improper access control in Factory Camera

    Vuln ResearchMobile

    ACL issue leading to system privileges.

  • The NTLM Exchange

    PentestingWeb

    Leaking FQDN information from Microsoft Exchange by parsing the AV_PAIR structures returned in an NTLM challenge over RPC-over-HTTP.

  • XSS Encoding Generator

    ToolingWeb

    A short Python tool that generates XSS payloads in several encodings — HTML entities, unicode escapes, and URL encoding — to help bypass WAFs during testing.

  • Enter The Realm

    PentestingMobile

    Using Frida to hook the RealmConfiguration function on Android, an encrypted Realm database's encryption key can be extracted at runtime. The recovered key lets you decrypt and read the database contents, demonstrated against both a test app and the Element messenger.

  • BadBinder Emulator Root

    PentestingMobile

    During a mobile audit engagement the target application enforced root and emulator detection. This post walks through leveraging the reintroduced BadBinder (CVE-2019-2215) kernel bug to gain temporary root on the Android Studio emulator and bypass those protections.

  • Juno XSS Challenge

    PentestingWeb

    Breaking down a neat zero-interaction XSS challenge payload from @junorouse — abusing a URI scheme, a name attribute, onfocus, and a domain + URL-hash bypass to reach execution.

  • Frida and Objection

    PentestingMobile

    Frida is a dynamic instrumentation toolkit that lets you introspect running applications and inject JavaScript to hook functions and APIs. This post covers using Frida on mobile devices along with Objection, a dynamic instrumentation framework built on top of it.