A while ago, I happened to play a lot of topics related to content type, so I decided to wrote an article about it.
The Magical Features of RegExp and String Replacement in JavaScript
It’s a blog post about a few magical features that I have encountered recently. It is not interesting to say it directly. Let’s start with a few small challenges:
Notes XSS Challenge Author Writeup
Last month, I created an XSS challenge and hosted it on my GitHub: https://aszx87410.github.io/xss-challenge/notes/
This is the writeup about the challenge and solutions, including intended and unintended.
I will start from the intended one.
SSRF and Account Takeover via XSS in ERPNext
ERPNext is a very popular open-source ERP(Enterprise Resource Planning) software built on Frappe Framework.
Last December, we found two vulnerabilities in the latest version of ERPNext: SSRF(Server-Side Request Forgery) and account takeover via XSS. Both vulnerabilities require a low-privileged authenticated user to perform the attack.
By exploiting SSRF, a malicious actor could steal the credentials from cloud metadata and may lead to RCE. For XSS, it’s possible to take over others’ accounts.
We reported both vulnerabilities on November 25th, 2021. At the time of writing, there is still no fix for those two issues, so we decided to publish the details to inform the public about the risk.
Sensitive Data Disclosure in WordPress Plugin Amelia < 1.0.49
Amelia is a WordPress plugin for booking systems developed by TNS. With 40,000+ active installations, it has been used for the clinic, hair salon, tutor, and so on.
In March, we studied the source code of Amelia and found three vulnerabilities in the end:
CVE-2022-0720Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure (CVSS 6.3)CVE-2022-0825Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update (CVSS 6.3)CVE-2022-0837Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure (CVSS 5.4)
By exploiting these vulnerabilities, a malicious actor could get all the customer’s data, including name, phone, and booking details.
In this article, I will talk about the code structure of Amelia and the details of three vulnerabilities.
Intigriti 0222 XSS Challenge Author Writeup
In May 2021, I solved my first Intigriti XSS challenge. Since then, I play every XSS challenge afterward, and solved most of them. Sometimes it’s painful when you try everything you know but still can’t solve it, however, the moment you made it, the pain is gone, replaced with joy and happiness.
As a player, I want to be on the other end(as a challenge maker) at least once, if I have an idea of an interesting XSS challenge.
I talked to @PinkDraconian in Jan 2021 and share an XSS challenge I created, after a few discussions, it gets accepted. This write-up is about the story behind the challenge.
Story of critical security flaws I found in Glints
Glints is a job search platform based in Singapore, and they just got a 20M investment last year, they have a team in Taiwan as well.
In July 2021, I found Glints bug bounty program so I spent some time on it, and I found 4 vulnerabilities in total in the end.
The vulnerabilities I found could have:
- Stole every applicant’s personal information, including name, phone, birthday, resume, and email
- Stole every recruiter’s personal information, including name, job title, team name, and email
In other words, the attacker can steal all users’ information by exploiting the vulnerabilities.
Let’s see what it is.