{"uuid": "f855ece5-7549-44e8-8d46-6552b12ae192", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-4908", "type": "seen", "source": "https://t.me/S_E_Reborn/4443", "content": "\ud83c\udf0d Top 10 web hacking techniques of 2023..\n\n\u2022  \u041d\u043e\u043c\u0438\u043d\u0430\u0446\u0438\u044f - top 10 \u043b\u0443\u0447\u0448\u0438\u0445 \u043c\u0435\u0442\u043e\u0434\u043e\u0432 \u0432\u0435\u0431-\u0432\u0437\u043b\u043e\u043c\u0430 \u0432 2023 \u0433\u043e\u0434\u0443. \u041a\u0430\u0436\u0434\u0430\u044f \u0441\u0442\u0430\u0442\u044c\u044f \u0437\u0430\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0435\u0442 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u044f:\n\n - Ransacking your password reset tokens;\n - mTLS: When certificate authentication is done wrong;\n - Smashing the state machine: the true potential of web race conditions;\n - Bypass firewalls with of-CORs and typo-squatting;\n - RCE via LDAP truncation on hg.mozilla.org;\n - Cookie Bugs - Smuggling & Injection;\n - OAuth 2.0 Redirect URI Validation Falls Short, Literally;\n - Prototype Pollution in Python;\n - Pretalx Vulnerabilities: How to get accepted at every conference;\n - From Akamai to F5 to NTLM... with love;\n - can I speak to your manager? hacking root EPP servers to take control of zones;\n - Blind CSS Exfiltration: exfiltrate unknown web pages;\n - Server-side prototype pollution: Black-box detection without the DoS;\n - Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari;\n - HTML Over the Wire;\n - SMTP Smuggling - Spoofing E-Mails Worldwide;\n - DOM-based race condition: racing in the browser for fun;\n - You Are Not Where You Think You Are, Opera Browsers Address Bar Spoofing Vulnerabilities;\n - CVE-2022-4908: SOP bypass in Chrome using Navigation API;\n - SSO Gadgets: Escalate (Self-)XSS to ATO;\n - Three New Attacks Against JSON Web Tokens;\n - Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix;\n - PHP filter chains: file read from error-based oracle;\n - SSRF Cross Protocol Redirect Bypass;\n - A New Vector For \u201cDirty\u201d Arbitrary File Write to RCE;\n - How I Hacked Microsoft Teams and got $150,000 in Pwn2Own;\n - AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice;\n - BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover;\n - MyBB Admin Panel RCE CVE-2023-41362;\n - Source Code at Risk: Critical Code Vulnerability in CI/CD Platform TeamCity;\n - Code Vulnerabilities Put Skiff Emails at Riskr;\n - How to break SAML if I have paws?\n - JMX Exploitation Revisited;\n - Java Exploitation Restrictions in Modern JDK Times;\n - Exploiting Hardened .NET Deserialization;\n - Unserializable, but unreachable: Remote code execution on vBulletin;\n - Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP.NET Framework;\n - Hunting for Nginx Alias Traversals in the wild;\n - DNS Analyzer - Finding DNS vulnerabilities with Burp Suite;\n - Oh-Auth - Abusing OAuth to take over millions of accounts;\n - nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover;\n - One Scheme to Rule Them All: OAuth Account Takeover;\n - Exploiting HTTP Parsers Inconsistencies;\n - New ways of breaking app-integrated LLMs;\n - State of DNS Rebinding in 2023;\n - Fileless Remote Code Execution on Juniper Firewalls;\n - Thirteen Years On: Advancing the Understanding of IIS Short File Name (SFN) Disclosure!\n - Metamask Snaps: Playing in the Sand;\n - Uncovering a crazy privilege escalation from Chrome extensions;\n - Code Vulnerabilities Put Proton Mails at Risk;\n - Hacking into gRPC-Web;\n - Yelp ATO via XSS + Cookie Bridge;\n - HTTP Request Splitting vulnerabilities exploitation;\n - XSS in GMAIL Dynamic Email;\n - Azure B2C Crypto Misuse and Account Compromise;\n - Compromising F5 BIGIP with Request Smuggling;\n - One Supply Chain Attack to Rule Them All;\n - Cookie Crumbles: Breaking and Fixing Web Session Integrity;\n - tRPC Security Research: Hunting for Vulnerabilities in Modern APIs;\n - From an Innocent Client-Side Path Traversal to Account Takeover.\n\n#web #hack", "creation_timestamp": "2024-01-25T19:25:42.000000Z"}