Soroush Dalili

MongoDB NoSQL Injection with Aggregation Pipelines

Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP.NET Framework (CVE-2023-36899 & CVE-2023-36560)

Anchor Tag XSS Exploitation in Firefox with Target=”_blank”

Thirteen Years On: Advancing the Understanding of IIS Short File Name (SFN) Disclosure!

My MDSec Blog Posts so far in 2020/2021!

File Upload Attack using XAMLX Files

Uploading web.config for Fun and Profit 2

IIS Application vs. Folder Detection During Blackbox Testing

Danger of Stealing Auto Generated .NET Machine Keys

x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again!

Exploiting Deserialisation in ASP.NET via ViewState

Yet Other Examples of Abusing CSRF in Logout

How to win BIG and even more!

Finding and Exploiting .NET Remoting over HTTP using Deserialisation

More research on .NET deserialization

Feel honoured to be there again after 8 years: Top 10 Web Hacking Techniques of 2017

Story of my two (but actually three) RCEs in SharePoint in 2018

ASP.NET resource files (.RESX) and deserialization issues

MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online

WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour

SMB hash hijacking & user tracking in MS Outlook

Bug Bounty vs Penetration Testing (Simple Unbiased Comparison)

Additional notes on “A Forgotten HTTP Invisibility Cloak” talk!

Request encoding to bypass web application firewalls

When a web application SSRF causes the cloud to rain credentials & more

Flash it baby!

Common Security Issues in Web-Based Payment Systems (& Gambling Apps)

Interesting XML Processing in Copy/Paste in Word and Outlook

Non-Root-Relative Path Overwrite (RPO) in IIS and .Net applications

Analysis of setting cookies for third party websites in different browsers

IIS Short File Name Disclosure is back! Is your server vulnerable?

Upload a web.config File for Fun & Profit

File Upload and PHP on IIS: >=? and <=* and "=.

Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack)!

How did I bypass everything in modsecurity evasion challenge?

Catch-up on Flash XSS exploitation Part 3 – XSS by embedding a flash file

Yahoo bug bounty program – LFI reported and patched!

Catch-up on Flash XSS exploitation Part 2 – “navigateToURL” and “jar:” protocol!

Catch-up on Flash XSS exploitation – bypassing the guardians! – Part 1

Simple Security Tip: window.location = window.location.pathname can cause Open-Redirect issue!

Microsoft XMLDOM in IE can divulge information of local drive/network in error messages – XXE

IE/Firefox Redirection Issue – FB Oauth2 Bypass – BugCrowd

File in the hole! – HackPra slides

XSS by uploading/including a SWF file

Don’t trust a string based on TryParse or IsNumeric result! (.Net/VBScript)

IE9 Self-XSS Blackbox Protection bypass

Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure

Browsers Anti-XSS methods in ASP (classic) have been defeated!

“ASPXErrorPath in URL” Technique in Scanning a .Net Web Application

SecProject Web AppSec Challenge Series 1 Results

SecProject Web AppSec Challenge – Series 1

Sometimes no Ninja skill is required to receive money from security bug bounty programs!

Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)

Flash ExternalInterface.call() JavaScript Injection – can make the websites vulnerable to XSS

Unrestricted File Download V1.0 – Windows Server

Facebook Redirect Link – New Bypass Method – “:/” after the domain name

JSReg Bypasses – OLD

A Dotty Salty Directory: A Secret Place in NTFS for Secret Files!

Skype Privacy Concern: It sends detected numbers + URLs to its server!

NoScript New Bypass Method by Unicode in ASP

New update – July 2010

IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”

Cross Site URL Hijacking by using Error Object in Mozilla Firefox

New Method: Role of the “/” character in mapping the website directories! – Webservers fault?

Improve File Uploaders’ Protections – Bypass Methods – Rev. 1.0

IE7-8 drive list enumeration!

Microsoft IIS Semi-Colon Vulnerability

How to prevent phishing attacks? ‐ In 3 Pages ‐

Finding vulnerabilities of YaFtp 1.0.14 (a client-side FTP application)

Why using the “include” techniques are dangerous for the novice developers?

Incorrect solution to disable script execution by .htaccess