pspaul
@pspaul95.bsky.social
This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞
From bit flip to RCE in Ollama! 🦙
Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally:
www.sonarsource.com/blog/ollama-...
#security #vulnerability #llm #ai
Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally:
www.sonarsource.com/blog/ollama-...
#security #vulnerability #llm #ai
www.sonarsource.com
November 4, 2025 at 5:45 PM
This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞
Reposted by pspaul
Using SonarQube to solve a CTF challenge? Done! ✅
Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading:
www.sonarsource.com/blog/code-se...
#appsec #CTF #vulnerability
Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading:
www.sonarsource.com/blog/code-se...
#appsec #CTF #vulnerability
www.sonarsource.com
September 16, 2025 at 3:38 PM
Using SonarQube to solve a CTF challenge? Done! ✅
Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading:
www.sonarsource.com/blog/code-se...
#appsec #CTF #vulnerability
Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading:
www.sonarsource.com/blog/code-se...
#appsec #CTF #vulnerability
Reposted by pspaul
🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing.
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:
www.sonarsource.com/blog/caught-...
#appsec #security
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:
www.sonarsource.com/blog/caught-...
#appsec #security
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
In the last blog of this series, we will focus back on FortiClient and learn how the inner workings of this application work, and what crucial mistake happened that led to us uncovering a local privil...
www.sonarsource.com
July 8, 2025 at 3:32 PM
🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing.
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:
www.sonarsource.com/blog/caught-...
#appsec #security
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:
www.sonarsource.com/blog/caught-...
#appsec #security
Reposted by pspaul
📁🫷🚧Can't control the extension of a file upload, but you want an XSS?
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:
www.sonarsource.com/blog/caught-...
#appsec #vulnerability #bugbountytips
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:
www.sonarsource.com/blog/caught-...
#appsec #vulnerability #bugbountytips
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
We recently discovered critical vulnerabilities in Fortinet’s endpoint protection solution that enable attackers to fully compromise organizations with minimal user interaction. In this second article...
www.sonarsource.com
July 1, 2025 at 2:21 PM
📁🫷🚧Can't control the extension of a file upload, but you want an XSS?
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:
www.sonarsource.com/blog/caught-...
#appsec #vulnerability #bugbountytips
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:
www.sonarsource.com/blog/caught-...
#appsec #vulnerability #bugbountytips
Great bug chain by my team mate Yaniv that can pwn a whole org, starting with a single user click! I was also able to contribute a bit by creating my first port of a Chrome n-day exploit :)
🕸️🏢Caught in the FortiNet: Exploiting Fortinet’s endpoint protection solution to compromise an entire organization using minimal user interaction.
Dive into our technical analysis of this interesting attack scenario:
www.sonarsource.com/blog/caught-...
#appsec #security #vulnerability
Dive into our technical analysis of this interesting attack scenario:
www.sonarsource.com/blog/caught-...
#appsec #security #vulnerability
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (1/3)
We recently discovered critical vulnerabilities in Fortinet’s endpoint protection solution that enable attackers to fully compromise organizations with minimal user interaction. In the first post of t...
www.sonarsource.com
June 26, 2025 at 2:48 PM
Great bug chain by my team mate Yaniv that can pwn a whole org, starting with a single user click! I was also able to contribute a bit by creating my first port of a Chrome n-day exploit :)
Reposted by pspaul
Catch our second talk at #TROOPERS25:
🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection
Yaniv Nizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click
🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection
Yaniv Nizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click
June 24, 2025 at 8:32 AM
Catch our second talk at #TROOPERS25:
🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection
Yaniv Nizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click
🕸️ Caught in the FortiNet: Compromising Organizations Using Endpoint Protection
Yaniv Nizry will tell you the story of multiple vulnerabilities in Fortinet products that can compromise an entire organization, starting with a single click
Reposted by pspaul
Coming to #TROOPERS25 this week? We'll be there too, presenting our research!
🎨 Scriptless Attacks: Why CSS is My Favorite Programming Language
@pspaul95.bsky.social will convince you why CSS should not be overlooked in client-side web attacks and what is possible without JavaScript today
🎨 Scriptless Attacks: Why CSS is My Favorite Programming Language
@pspaul95.bsky.social will convince you why CSS should not be overlooked in client-side web attacks and what is possible without JavaScript today
June 23, 2025 at 10:57 AM
Coming to #TROOPERS25 this week? We'll be there too, presenting our research!
🎨 Scriptless Attacks: Why CSS is My Favorite Programming Language
@pspaul95.bsky.social will convince you why CSS should not be overlooked in client-side web attacks and what is possible without JavaScript today
🎨 Scriptless Attacks: Why CSS is My Favorite Programming Language
@pspaul95.bsky.social will convince you why CSS should not be overlooked in client-side web attacks and what is possible without JavaScript today
This was a fun one to discover!
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:
SQL Injection despite using prepared statements? 🧐
Turns out that SQL syntax can be ambiguous! Learn how this has led to vulnerabilities in several popular PostgreSQL client libraries:
www.sonarsource.com/blog/double-...
#appsec #security #vulnerability
Turns out that SQL syntax can be ambiguous! Learn how this has led to vulnerabilities in several popular PostgreSQL client libraries:
www.sonarsource.com/blog/double-...
#appsec #security #vulnerability
Double Dash, Double Trouble: A Subtle SQL Injection Flaw
Can a simple dash character introduce a security risk? Discover how SQL line comments can open the door to unexpected injection vulnerabilities in several PostgreSQL client libraries!
www.sonarsource.com
June 10, 2025 at 3:50 PM
This was a fun one to discover!
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:
Reposted by pspaul
📊⚠️ Data in danger!
We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:
www.sonarsource.com/blog/data-in...
#appsec #security #vulnerability
We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:
www.sonarsource.com/blog/data-in...
#appsec #security #vulnerability
Data in Danger: Detecting Cross-Site Scripting in Grafana
Learn how SonarQube detected a Cross-Site Scripting (XSS) vulnerability in Grafana, a popular open-source data observability platform.
www.sonarsource.com
April 24, 2025 at 3:02 PM
📊⚠️ Data in danger!
We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:
www.sonarsource.com/blog/data-in...
#appsec #security #vulnerability
We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:
www.sonarsource.com/blog/data-in...
#appsec #security #vulnerability
Reposted by pspaul
"wow, this css property would be amazing for my css crime, i wonder what the browser support is looking like"
March 27, 2025 at 11:14 AM
"wow, this css property would be amazing for my css crime, i wonder what the browser support is looking like"
Ever wondered what the Alt-Svc header is used for? Well, it can make you a MitM if you control it!
I can finally publish the writeup to my GymTok challenge: control the header, become MitM, and perform a cross-protocol attack!
blog.pspaul.de/posts/gymtok...
I can finally publish the writeup to my GymTok challenge: control the header, become MitM, and perform a cross-protocol attack!
blog.pspaul.de/posts/gymtok...
GymTok: Breaking TLS Using the Alt-Svc Header
Ever wondered what the Alt-Svc response header is used for? Turns out it can be used to become a Man-in-the-Middle and attack TLS!
blog.pspaul.de
February 19, 2025 at 4:10 PM
Ever wondered what the Alt-Svc header is used for? Well, it can make you a MitM if you control it!
I can finally publish the writeup to my GymTok challenge: control the header, become MitM, and perform a cross-protocol attack!
blog.pspaul.de/posts/gymtok...
I can finally publish the writeup to my GymTok challenge: control the header, become MitM, and perform a cross-protocol attack!
blog.pspaul.de/posts/gymtok...
Wow, thanks for 2nd place! Didn't expect this, maybe it's my sign to finally write it down in text form and tackle all the follow-up ideas 👀
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 6, 2025 at 9:18 AM
Wow, thanks for 2nd place! Didn't expect this, maybe it's my sign to finally write it down in text form and tackle all the follow-up ideas 👀