![Sonar Research Profile](https://pbs.twimg.com/profile_images/1854552146366074881/M7ESkgVv_x96.jpg)
Sonar Research
@Sonar_Research
Followers 11K · Following 494 · Statuses 1K
Cutting-edge security research by @SonarSource to educate the world about code security across all software. We're also at @[email protected] 🦣
Joined May 2016
📁 Using a polyglot file and RXSS to achieve one-click RCE on a Voyager instance. Read more about how SonarQube Cloud detected CVE-2024-55417 in our latest blog post: #appsec #security #vulnerability
What a year! We look back and summarize our security research highlights of 2024: 🪲 Vulnerabilities in Jenkins, SourceForge, Joomla, and much more 🎙️ 7 talks, including DEF CON and Hexacon 🏆 5 nominations and 1 award #research #vulnerability #appsec
CORS misconfigurations are definitely not good, but how bad can they get? 🧐 Our latest blog post discusses how an origin reflection issue detected by SonarQube leads to code execution in a real-world application: #appsec #security #vulnerability
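Added example, not code from Sonar Research or from the application their post describes: what an "origin reflection" CORS handler looks like next to a suffix check and an exact-match allowlist, with a small model of the browser's read decision to show which one an attacker page can exploit. The origin names and handler shapes are assumed for illustration.

```javascript
// Added example (not Sonar's code). Origins below are assumed/constructed.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Vulnerable: echoes whatever Origin the request carries and also allows
// credentials, so any site that can make a victim's browser send a request
// gets to read the authenticated response.
function reflectingCors(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Still vulnerable: a suffix check is not an origin check.
// "https://evil-example.com" ends with "example.com" and is accepted.
function suffixCheckCors(requestOrigin) {
  if (!requestOrigin || !requestOrigin.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact match against a fixed allowlist; anything else gets no
// CORS grant at all. "Vary: Origin" keeps a shared cache from replaying one
// origin's answer to another origin.
function allowlistCors(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Simplified model of the browser's decision for a credentialed fetch():
// script running on `pageOrigin` may read the response only if the server
// named exactly that origin and allowed credentials (a "*" grant is rejected
// when credentials are included).
function browserCanRead(responseHeaders, pageOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const creds = responseHeaders["Access-Control-Allow-Credentials"] === "true";
  return acao === pageOrigin && creds;
}

// Simulate an attacker page at a constructed origin making the victim's
// browser send a credentialed request to the given handler.
function attackerCanSteal(handler, attackerOrigin = "https://evil-example.com") {
  return browserCanRead(handler(attackerOrigin), attackerOrigin);
}
```

Running `attackerCanSteal` against the three handlers shows that both the reflecting and the suffix-checking handler hand the attacker's page a readable, credentialed response, while the allowlist handler does not; the allowlist still serves the trusted origin normally.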
RT @Sonar_Research: The reason most PHP-based HTML sanitizers are inherently vulnerable to bypasses is just the tip of the iceberg🥶. Check…
In case you missed it, here's the recording of our #HEXACON2024 talk "Exploiting File Writes in Hardened Environments"! It's a short and sweet 30-minute talk, so grab a coffee and sit back while @scryh_ goes from HTTP request to ROP chain in Node.js ☕
@kaystrobach [2/2] Markdown generates the HTML by itself. The markdown renderer might also contain vulnerabilities or allow arbitrary HTML elements by default. It is a different solution to handle user input which can fit or not, depending on the application.
@sephr [2/2] There is a point where using exactly the same parser as the renderer (preferably without serializing and re-rendering) is necessary to avoid parsing shenanigans.
@sephr [1/2] There are cases where server-side sanitization can be safe. Take, for example, the extreme case of disallowing any HTML by escaping. But the more HTML elements developers need to allow, the greater the potential for bypass.
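Added example, not code from Sonar Research or from the thread above, illustrating both replies to @sephr: the escape-everything case, which is safe by construction, and an allowlist sanitizer, which gains bypass surface with every element it lets through. The sanitizer is deliberately regex-based and the inputs are constructed; the tag and attribute choices are assumptions for illustration.

```javascript
// Added example (not Sonar's code). Inputs below are constructed.

// 1. The extreme case from the thread: allow no HTML at all. Every
//    metacharacter is escaped, so nothing the user sends can become markup.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// 2. An allowlist sanitizer that keeps a few tags. It drops tags whose name
//    is not allowed but echoes allowed tags verbatim, attributes included,
//    which is where the bypass appears: <b onmouseover=...> survives.
const ALLOWED_TAGS = new Set(["b", "i", "a"]);
const TAG_RE = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi;

function naiveAllowlist(html) {
  return html.replace(TAG_RE, (tag, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? tag : "");
}

// 3. Same allowlist, but every allowed tag is rebuilt from scratch instead of
//    echoed: no attributes survive except an http(s) href on <a>, and the
//    href value is re-escaped before it is written back.
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function strictAllowlist(html) {
  return html.replace(TAG_RE, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return "";
    if (tag.startsWith("</")) return `</${lower}>`;
    if (lower !== "a") return `<${lower}>`;
    const m = HREF_RE.exec(tag);
    const href = m ? (m[1] ?? m[2] ?? m[3]) : "";
    const safeScheme = /^https?:\/\//i.test(href.trim());
    return safeScheme ? `<a href="${escapeHtml(href)}">` : "<a>";
  });
}
```

Even the strict variant is still a regex over the string, not the browser's HTML parser, so it only narrows the surface; the second reply's point stands that the sanitizer should ideally use the same parser as the renderer rather than a hand-written approximation of it.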
CVE-2024-35219: Arbitrary File Read and Delete in OpenAPI Generator Check out our latest blog post, in which we explain how @SonarCloud unveiled the complex taint flow behind this critical vulnerability in OpenAPI Generator: #security #vulnerability
Our researchers @realansgar and @pspaul95 crafted a few interesting CTF challenges with bugs based on their research! Some of them are still unsolved, can you be the first to beat them?
Hacklu CTF is still running for ~23h! We still have some unsolved challenges, including: - 📱Android Flutter exploitation - 🦊 2 webs with Firefox bots - 🐒 pwning a 17 year old SpiderMonkey - ✍️ LaTeX madness Come play:
RT @Sonar_Research: From HTTP request to ROP chain in Node.js! 🔥 Our latest blog post explains how to turn a file write vulnerability in a…
@Rahim7X This technique works even if you cannot write to an existing template file because the application does not have template files or all files are set to read-only. The latter was the case for a target app we researched, which led us to discover this technique.