Published in Preston's appsec stuff

Admin panel was accessed publicly and vulnerable to XSS
Per the vendor's request, I will not fully disclose these bugs. Given that it's been 4 years since the bugs were fixed, I think it's time…
Jan 6, 2021

Unusual database exploit
There are many topics about database security to talk about, but I'm not going to do that today. I came across an interesting way to…
Apr 5, 2020

What can you do with an XSS vulnerability
XSS is the most popular vulnerability on the web. Introducing new technology, e.g. HTML5, CORS, Jinja2…, also introduces new attack vectors…
Jan 24, 2019

Containers vs. VMs security
VMs: • malicious script in shared folder • worm propagates in the same/connected networks • VMs and host machine don't share a kernel: each…
Jan 24, 2019

Insecure Grafana Server @ iCIMS
So I had a phone interview with an iCIMS recruiter for a security engineer position, but it didn't go anywhere because she didn't really…
Jan 24, 2019

Werkzeug Debugger Remote Code Execution
A month ago, I found someone's instance on DigitalOcean with an RCE vulnerability. This happened when I was poking around Shodan. I did a…
Jan 24, 2019

Subdomain takeover @ SparkPost
The email delivery service SparkPost was vulnerable to subdomain takeover. The subdomain go.sparkpost.com pointed to the Unbounce service, but…
Jan 24, 2019