~/x64.sh ❯
-
Deploy and Destroy Featuring Certificates
Setting up devices for security research deployment often takes longer than the testing itself. Notes and tooling for standing up (and tearing down) an Android AVD each engagement — including installing the Burp CA on Android 14+.
-
Misconfigured Microsoft Content Provider
The misconfigured content provider bug in com.microsoft.launcher is disclosing issues with the proper functioning of this Android launcher application.
-
ServiceNow Insecure Access Control To Full Admin Takeover
An XHR request to xmlhttp.do with the "ChartDataProcessor" processor in the POST request allows the enumeration of the ServiceNow GQL database, including read access to the `sys_user_session` and `sys_user_token` tables, which provide the necessary information to generate valid `glide_user_activity` and `glide_session_store` cookies, and the X-Usertoken header to allow privilege escalation to any previously authenticated user..
-
JetEngine < 3.1.3.1 - Author+ Remote Code Execution
The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.
-
SwitchResX Vulnerability
SwitchResX installs a privileged helper tool that runs as root but fails to validate incoming XPC connections. This post walks through decompiling the helper and abusing its exported moveFiles method to achieve local privilege escalation.
-
Improper access control in Factory Camera
ACL issue leading to system privileges.
-
The NTLM Exchange
Leaking FQDN information from Microsoft Exchange by parsing the AV_PAIR structures returned in an NTLM challenge over RPC-over-HTTP.
-
XSS Encoding Generator
A short Python tool that generates XSS payloads in several encodings — HTML entities, unicode escapes, and URL encoding — to help bypass WAFs during testing.
-
Enter The Realm
Using Frida to hook the RealmConfiguration function on Android, an encrypted Realm database's encryption key can be extracted at runtime. The recovered key lets you decrypt and read the database contents, demonstrated against both a test app and the Element messenger.
-
BadBinder Emulator Root
During a mobile audit engagement the target application enforced root and emulator detection. This post walks through leveraging the reintroduced BadBinder (CVE-2019-2215) kernel bug to gain temporary root on the Android Studio emulator and bypass those protections.
-
Juno XSS Challenge
Breaking down a neat zero-interaction XSS challenge payload from @junorouse — abusing a URI scheme, a name attribute, onfocus, and a domain + URL-hash bypass to reach execution.
-
Frida and Objection
Frida is a dynamic instrumentation toolkit that lets you introspect running applications and inject JavaScript to hook functions and APIs. This post covers using Frida on mobile devices along with Objection, a dynamic instrumentation framework built on top of it.