Snyk do an annual CTF competition in which you have to exploit security vulnerabilities and solve encryption puzzles. This is a write-up of how I solved the 'Disco Dancer' CTF challenge from last year.
Author: Ben Richardson
Bypassing XSS filters
Recently I was going through a number of Bug Bounty programs looking for one particular weakness. The weakness I was focusing on is called Open Redirect (or Insecure Redirect). The most common form of this is where a user tries to load a page which requires them to be logged in. On many websites this …
Critical stored XSS vulnerabilities found in popular webmail client
Imagine if simply opening an email could result in the entire contents of your mailbox being stolen. That's exactly what was possible on this popular webmail client used by millions of email addresses around the world. Let me demonstrate what I found...
Escape API
With everyone in lockdown due to Covid-19, it is not possible to play something which has become very popular in recent years: escape room games. I decided to mix work and pleasure (not like that!) to create a virtual escape room. It’s not just virtual, it’s meta. Everything is API calls. Starting with a single …
Health Monitoring of Azure Web Apps with Sitecore
Recently, when diagnosing an issue with a Sitecore website hosted on Azure Web Apps, I noticed an intermittent issue where we were seeing the application going up and down frequently, i.e. up for a minute, down for two, up, down, up, down. Investigation led me to see that it was one instance of the Web …
Hibob hacked (ethically)
Cross-site scripting (XSS) is nothing new; it has been prevalent for as long as I have been a developer. In my experience, frameworks have reduced the amount we have to worry about protecting against certain attacks as they often handle the escaping for you. However, this can give a false sense of security and …
Upgrading Sitecore Web Forms for Marketers to 8.1 and keeping MSSQL
If you are lucky enough to need to upgrade a Sitecore solution containing WFFM from 7.2 or earlier (or even 6.x as I have been doing) to 8.1, and you have a requirement to keep form data stored in MSSQL, then you may encounter a few issues. The first thing to note is that in …
Sitecore - why are my dates all wrong?!
The short answer - Sitecore changed something and you didn't read all the small print in the release notes (see 'Time zones and UTC'). When upgrading Sitecore to 8.0 or higher you may have noticed that dates and times are displaying incorrectly. Or if you were unlucky enough to upgrade in the winter you may …
Sitecore upgrades and indexes
If you are upgrading Sitecore, after you have performed all upgrade steps delete the indexes folder and rebuild all indexes. I have experienced issues recently with some unusual indexing problems. Indexes would become corrupt and unusable only to be fine after a rebuild and then break again hours or days later. Some trawling of the …
Sitecore indexes – timing is everything
Three years ago I experienced a problem where delivery websites were not getting their indexes updated following content changes in the authoring environment. We went around the houses and opened a ticket with Sitecore support. After some back and forth they suggested we check that the web and database server clocks are synchronised as this …