
Posts by pspaul

From intent extra to RCE: Argument injection in YTDLnis Discover a vulnerability our researchers found in the Android app YTDLnis, allowing attackers to execute code on victim devices.

📱 1-click RCE in the YTDLnis Android app!

On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post:

www.sonarsource.com/blog/ytdlnis...

#appsec #security #vulnerability

4 weeks ago 2 1 0 0

🧟 A fixed vulnerability that comes back to life?

This could have happened in GitHub Actions until yesterday! Learn how attackers could have exploited seemingly fixed workflow vulnerabilities:

www.sonarsource.com/blog/zombie-...

#appsec #security #vulnerability

4 months ago 2 1 0 0
TROOPERS25: Scriptless Attacks - Why CSS is My Favorite Programming Language (YouTube video by TROOPERS IT Security Conference)

My TROOPERS25 talk has been uploaded! If you ever wondered if "style-src 'unsafe-inline'" in your CSP is bad, this one is for you.

Scriptless Attacks: Why CSS is My Favorite Programming Language
www.youtube.com/watch?v=Owp-...

4 months ago 0 0 0 0

This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞

5 months ago 5 1 0 0

Using SonarQube to solve a CTF challenge? Done! ✅

Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading:

www.sonarsource.com/blog/code-se...

#appsec #CTF #vulnerability

7 months ago 3 1 0 0
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3) In the last blog of this series, we will focus back on FortiClient and learn how the inner workings of this application work, and what crucial mistake happened that led to us uncovering a local privil...

🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing.
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:

www.sonarsource.com/blog/caught-...

#appsec #security

9 months ago 3 2 0 0
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3) We recently discovered critical vulnerabilities in Fortinet’s endpoint protection solution that enable attackers to fully compromise organizations with minimal user interaction. In this second article...

📁🫷🚧Can't control the extension of a file upload, but you want an XSS?
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:

www.sonarsource.com/blog/caught-...

#appsec #vulnerability #bugbountytips

9 months ago 1 1 0 0

Great bug chain by my teammate Yaniv that can pwn a whole org, starting with a single user click! I was also able to contribute a bit by creating my first port of a Chrome n-day exploit :)

9 months ago 0 0 0 0

Catch our second talk at #TROOPERS25:

🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection

Yaniv Nizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click

9 months ago 4 1 0 0
Title: Scriptless Attacks: Why CSS is My Favorite Programming Language
Speaker: Paul Gerste, Vulnerability Researcher, Sonar
Date: Wednesday, June 25, 2025
Time: 2:15 pm
Location: Track 3


Coming to #TROOPERS25 this week? We'll be there too, presenting our research!

🎨 Scriptless Attacks: Why CSS is My Favorite Programming Language

@pspaul95.bsky.social will convince you why CSS should not be overlooked in client-side web attacks and what is possible without JavaScript today

9 months ago 4 2 0 0

This was a fun one to discover!
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:

10 months ago 1 0 0 0

my dream browser vuln is one entirely exploitable from CSS, no JS involved. not sure how feasible that really is tho, even with all the modern conditional CSS tricks

11 months ago 2 0 1 0
Data in Danger: Detecting Cross-Site Scripting in Grafana Learn how SonarQube detected a Cross-Site Scripting (XSS) vulnerability in Grafana, a popular open-source data observability platform.

📊⚠️ Data in danger!

We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:

www.sonarsource.com/blog/data-in...

#appsec #security #vulnerability

11 months ago 3 2 0 0
Browser compatibility
There is no browser implementing this feature.


"wow, this css property would be amazing for my css crime, i wonder what the browser support is looking like"

1 year ago 42 4 1 0
GymTok: Breaking TLS Using the Alt-Svc Header Ever wondered what the Alt-Svc response header is used for? Turns out it can be used to become a Man-in-the-Middle and attack TLS!

Ever wondered what the Alt-Svc header is used for? Well, it can make you a MitM if you control it!

I can finally publish the writeup to my GymTok challenge: control the header, become MitM, and perform a cross-protocol attack!

blog.pspaul.de/posts/gymtok...

1 year ago 2 2 0 0

Wow, thanks for 2nd place! Didn't expect this, maybe it's my sign to finally write it down in text form and tackle all the follow-up ideas 👀

1 year ago 8 1 1 0