Preston Tin · Preston’s appsec stuff

Admin panel was accessed publicly and vulnerable to XSS
Per the vendor’s request, I will not fully disclose these bugs. Given that it’s been 4 years since the bugs were fixed, I think it’s time…
2 min read · Jan 6, 2021

Unusual database exploit
There are many topics about database security to talk about, but I’m not going to do that today. I came across an interesting way to…
1 min read · Apr 5, 2020

What can you do with an XSS vulnerability
XSS is the most popular vulnerability on the web. Introducing new technology, e.g. HTML5, CORS, Jinja2…, also introduces new attack vectors…
1 min read · Jan 24, 2019

Containers vs. VMs security
VMs: • malicious script in shared folder • worm propagates in the same/connected networks • VMs and host machine don’t share a kernel: each…
1 min read · Jan 24, 2019

Insecure Grafana Server @ iCIMS
So I had a phone interview with an iCIMS recruiter for a security engineer position, but it didn’t go anywhere because she didn’t really…
2 min read · Jan 24, 2019

Werkzeug Debugger Remote Code Execution
A month ago, I found someone’s instance on DigitalOcean with an RCE vulnerability. This happened when I was poking around Shodan. I did a…
1 min read · Jan 24, 2019

Subdomain takeover @ SparkPost
The email delivery service SparkPost was vulnerable to subdomain takeover. The subdomain go.sparkpost.com pointed to the Unbounce service, but…
1 min read · Jan 24, 2019