Spaceraccoon's Blog

Negative-Days with Vulnerability Spoiler Alert: Three Months Later

Sun, 24 May 2026 00:00:00 +0000

35 CVEs caught before publication, with an average lead time of 2 days. Three months of running Vulnerability Spoiler Alert on 10 open-source repos - the numbers, the false positives, and what it takes to make an LLM vulnerability monitor actually work.

Discovering Vulnerabilities in Enterprise Audiovisual Hardware

Fri, 01 May 2026 00:00:00 +0000

Some organisations’ most sensitive information is only ever discussed in person. Ironically, the equipment in meeting rooms, conference halls, and other physical locations is often among the least-monitored and most insecurely-configured attack surfaces in an organisation.

Getting a Shell on the Tapo C260 Camera (CVE-2026-0651, CVE-2026-0652, CVE-2026-0653)

Fri, 06 Mar 2026 08:00:00 +0000

I discovered a remote code execution vulnerability on the Tapo C260 after a fun journey of reverse-engineering and understanding its interactions with TP-Link Cloud.

Discovering Negative-Days with LLM Workflows

Sat, 07 Feb 2026 00:00:00 +0000

It’s no longer just about reverse-engineering n-days. You can detect vulnerabilities in open-source repositories before a CVE is published - or even if they’re never published. Here’s how I built an LLM workflow to detect “negative-days” and “never-days”.

Ticket Tricking OpenSSL.org with Google Groups

Mon, 02 Feb 2026 12:00:00 +0000

The Google Groups Ticket Trick vector is alive and well, allowing me to briefly verify an openssl.org email address. Also, vibe-coding security tools is easier than ever.

Reverse Engineering the Tapo C260 and Tapo Discovery Protocol v2

Fri, 02 Jan 2026 00:00:00 +0000

The Tapo C260 is the latest TP-Link camera featuring a whole host of upgrades. As part of the SPIRITCYBER contest where I found several RCEs and other interesting vulnerabilities, I decided to focus on this device and dive deeper into hardware hacking.

Hacking the Nokia Beacon 1 Router: UART, Command Injection, and Password Generation with Qiling

Mon, 13 Oct 2025 00:00:00 +0000

The Nokia Beacon 1 proved to be an interesting journey covering the full spectrum of techniques from hardware debug interfaces to firmware extraction and finally both static and dynamic analysis. I was rewarded with interesting findings including a (now-patched) command injection.

Escaping the Matrix: Client-Side Deanonymization Attacks on Privacy Sandbox APIs

Sun, 17 Aug 2025 12:00:00 +0000

I recently presented at the DEF CON 33 Mainstage and the 12th Crypto & Privacy Village on weaknesses in implementations of Google’s Privacy Sandbox that subverted privacy protections and enabled deanonymization attacks.

Getting a Shell on the LAU-G150-C Optical Network Terminal

Sun, 27 Jul 2025 12:00:00 +0000

Since the Link-All LAU-G150-C Optical Network Terminal isn’t documented anywhere, I thought this was a great opportunity to practice some hardware hacking…

Cybersecurity (Anti)Patterns: Frictionware

Thu, 12 Jun 2025 11:00:00 +0000

Nobody cares about the security tools you build. Here’s how to avoid getting sucked into onboarding hell with frictionware, and actually get traction.

Cybersecurity (Anti)Patterns: Busywork Generators

Sat, 19 Apr 2025 00:01:00 +0000

Many cybersecurity programmes fall into a trap of creating more and more (busy)work, eventually consuming a majority of resources and attention. In my first post in a series on cybersecurity (anti)patterns, I discuss why we end up with busywork generators and how to avoid them.

Pwning Millions of Smart Weighing Machines with API and Hardware Hacking

Mon, 24 Mar 2025 00:03:05 +0000

Why hack one device, when you can hack all of them? By reverse-engineering and finding vulnerabilities in user-machine association flows for smart weighing machines, I was able to take over millions of internet-connected health devices. Hardware and web security are two halves of modern smart device security, and learning to hack both can yield impressive and scary results.

Universal Code Execution by Chaining Messages in Browser Extensions

Sun, 07 Jul 2024 12:01:06 +0000

By chaining various messaging APIs in browsers and browser extensions, I demonstrate how we can jump from web pages to “universal code execution”, breaking both Same Origin Policy and the browser sandbox. I provide two new vulnerability disclosures affecting millions of users as examples. In addition, I demonstrate how such vulnerabilities can be discovered at scale with a combination of large dataset queries and static code analysis.

Cache Me If You Can: Local Privilege Escalation in Zscaler Client Connector (CVE-2023-41973)

Mon, 27 May 2024 12:01:06 +0000

A couple months ago, my colleague Winston Ho and I chained a series of unfortunate bugs into a zero-interaction local privilege escalation in Zscaler Client Connector. This was an interesting journey into Windows RPC caller validation and bypassing several checks, including Authenticode verification. Check out the original Medium blogpost for Winston’s own ZSATrayManager Arbitrary File Deletion (CVE-2023-41969)!

Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)

Sun, 04 Feb 2024 05:01:06 +0000

It’s always interesting to find edge cases in strong appsec programmes like Meta and Google that have generally solved entire bug classes like cross-site scripting because it highlights potential blind spots in appsec strategy. In particular, I’m still fascinated by the Clipboard API that seems to evade typical static analysis tools, like a stored XSS I found in Zoom Whiteboard. Here’s how I found similar bugs in Excalidraw (used in Messenger and other Meta assets) and Microsoft Whiteboard.

Hacking HP Display Monitors via Monitor Control Command Set (CVE-2023-5449)

Tue, 31 Oct 2023 05:01:06 +0000

Have you ever wondered how display monitor software can change various settings like brightness over a simple display cable? As it turns out, this relies on a standard protocol that can lead to interesting vulnerabilities. Here’s how I found and exploited CVE-2023-5449 in dozens of HP display monitors.

Passing the New OSEE Exam After Forgetting Everything

Sat, 07 Oct 2023 06:47:00 +0000

The Offensive Security Exploitation Expert (OSEE) certification is a legendary apex achievement among OffSec’s offerings - unabashedly featuring a skull logo and grim reaper iconography in previous iterations. Here’s how I tackled it while busy at work.

Rule Writing for CodeQL and Semgrep

Sat, 08 Apr 2023 16:14:00 +0000

One common perception is that it is easier to write rules for Semgrep than CodeQL. Having worked extensively with both of these static code analysis tools for about a year, I have some thoughts.

I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS

Sat, 17 Dec 2022 15:29:00 +0000

When is copy-paste payloads not self-XSS? When it’s stored XSS. Recently, I reviewed a Zoom’s code to uncover an interesting attack vector.

Challendar: Creating a Challenge for The Infosecurity Challenge 2022

Mon, 19 Sep 2022 00:40:00 +0000

Although I do not actively participate in CTFs, I enjoy creating challenges for them as it forces me to learn by doing. Creating a good CTF challenge is an art, not a science. As the winner of last year’s $30k The InfoSecurity Challenge (TISC), I decided to contribute a challenge instead this year.

Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl

Mon, 29 Aug 2022 14:00:00 +0000

Countless applications rely on Amazon Web Services’ Simple Notification Service for application-to-application communication such as webhooks and callbacks. To verify the authenticity of these messages, these projects use certificate-based signature validation based on the SigningCertURL value. Unfortunately, a loophole in official AWS SDKs allowed attackers to forge messages to all SNS HTTP subscribers.

You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications

Thu, 18 Aug 2022 00:45:00 +0000

First defined in 1998, the iCalendar standard remains ubiquitous in enterprise software. However, it did not account for modern security concerns and allowed vendors to create proprietary extensions that expanded the format’s attack surface. I demonstrate how flawed RFC implementations led to vulnerabilities in popular enterprise applications. Attackers can trigger exploits remotely with zero user interaction due to automatic parsing of event invitations. Furthermore, I explain how iCalendar’s integrations with the SMTP and CalDAV protocols enable multi-stage attacks. Despite attempts to secure these technologies separately, the interactions that arise from features such as emailed event reminders require a “full-stack” approach to calendar security. I conclude that developers should strengthen existing iCalendar standards in both design and implementation.

Embedding Payloads and Bypassing Controls in Microsoft InfoPath

Sat, 18 Jun 2022 10:00:00 +0000

While browsing a SharePoint instance recently, I came across an interesting URL. The page itself displayed a web form that submitted data to SharePoint. Intrigued by the .xsn extension, I downloaded the file and started investigating what turned out to be Microsoft InfoPath’s template format. Along the way, I discovered parts of the specification that enabled loading remote payloads, bypassing warning dialogs, and other interesting behaviour.

Solving DOM XSS Puzzles

Thu, 03 Feb 2022 00:05:45 +0000

DOM-based Cross-site scripting (XSS) vulnerabilities rank as one of my favourite vulnerabilities to exploit. It’s a bit like solving a puzzle; sometimes you get a corner piece like $.html(), other times you have to rely on trial-and-error. I recently encountered two interesting postMessage DOM XSS vulnerabilities in bug bounty programs that scratched my puzzle-solving itch.

2Q21: New Year's Reflections

Fri, 31 Dec 2021 10:24:09 +0000

Wishing you and your loved ones a very happy new year!

The InfoSecurity Challenge 2021 Full Writeup: Battle Royale for $30k

Fri, 26 Nov 2021 03:32:20 +0000

From 29 October to 14 November 2021, the Centre for Strategic Infocomm Technologies (CSIT) ran The InfoSecurity Challenge (TISC), an individual competition consisting of 10 levels that tested participants’ cybersecurity and programming skills. I took away important lessons for both CTFs and day-to-day red teaming that I hope others will find useful as well. What distinguished TISC from typical CTFs was its dual emphasis on hacking AND programming - rather than exploiting a single vulnerability, I often needed to automate exploits thousands of times. You’ll see what I mean soon.

All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021-38646)

Fri, 22 Oct 2021 11:43:10 +0000

By searching for DBF-related vulnerabilities in Microsoft’s desktop database engines, I took one step towards the deep end of the fuzzing pool. I could no longer rely on source code review and dumb fuzzing; this time, I applied black-box coverage-based fuzzing with a dash of reverse engineering. My colleague Hui Yi has written several fantastic articles on fuzzing with WinAFL and DynamoRIO; I hope this article provides a practical application of those techniques to real vulnerabilities.

All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021-33035)

Wed, 29 Sep 2021 03:35:58 +0000

This two-part series will share how I got started in vulnerability research by discovering and exploiting code execution zero-days in office applications used by hundreds of millions of people. I will outline my approach to getting started in vulnerability research including dumb fuzzing, coverage-guided fuzzing, reverse engineering, and source code review. I will also discuss some management aspects of vulnerability research such as CVE assignment and responsible disclosure.

Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling

Fri, 17 Sep 2021 13:16:55 +0000

Most research into the malicious applications of AI tends to focus on human factors (scamming, phishing, disinformation). There has been some discussion of AI-powered malware but this remains very much in the proof-of-concept stage. This is partly a function of the kinds of models available to researchers - generative models lend themselves easily to synthetic media, while language models are easily applied to phishing and fake news. But where do we go from these low-hanging fruits?

ROP and Roll: EXP-301 Offensive Security Exploit Developer (OSED) Review and Exam

Wed, 23 Jun 2021 15:21:40 +0000

After clearing the OSEP at the end of February 2021, I took the 60-day EXP-301/OSED package from March to May 2021, and finally cleared the exam in mid-June. At the time of writing, this costs $1299. As my job role is pretty multi-disciplinary, I found it necessary to build up my exploit development skills and the OSED came at a right time.

Life's a Peach (Fuzzer): How to Build and Use GitLab's Open-Source Protocol Fuzzer

Sat, 22 May 2021 03:08:55 +0000

The Peach protocol fuzzer was a well-known protocol fuzzer whose parent company – Peach Tech – was acquired by GitLab in 2020. This article aims to demonstrate an end-to-end application of Peach Fuzzer, from build to deployment.

Offensive Security Experienced Penetration Tester (OSEP) Review and Exam

Thu, 11 Mar 2021 09:40:44 +0000

Overall, I felt that the OSEP was worth the price of admission given the sheer amount of content it throws at you, as well as the excellent labs that will solidify your learning-by-doing. Here’s my review along with some tips and tricks to maximize your OSEP experience.

Applying Offensive Reverse Engineering to Facebook Gameroom

Tue, 02 Feb 2021 17:03:30 +0000

Late last year, I was invited to Facebook’s Bountycon event, which is an invitation-only application security conference with a live-hacking segment. Although participants could submit vulnerabilities for any Facebook asset, Facebook invited us to focus on Facebook Gaming. Having previously tested Facebook’s assets, I knew it was going to be a tough challenge.

Supply Chain Pollution: Hunting a 16 Million Download/Week npm Package Vulnerability for a CTF Challenge

Wed, 23 Dec 2020 15:29:57 +0000

GovTech’s Cyber Security Group recently organised the STACK the Flags Cybersecurity Capture-the-Flag (CTF) competition from 4th to 6th December 2020. For the web domain, my team wanted to build challenges that addressed real-world issues we have encountered during penetration testing of government web applications and commercial off-the-shelf products.

Imposter Alert: Extracting and Reversing Metasploit Payloads (Flare-On 2020 Challenge 7)

Thu, 03 Dec 2020 13:04:53 +0000

I recently participated in FireEye’s seventh annual Flare-On Challenge, a reverse engineering and malware analysis Capture The Flag (CTF) competition. Out of the 11 challenges ranging from typical executables to games written in exotic programming languages, I liked Challenge 7 the best.

Beat The Clock: The CSIT InfoSecurity Challenge

Fri, 18 Sep 2020 03:44:44 +0000

Last month, the Centre for Strategic Infocomm Technologies (CSIT) invited local cybersecurity enthusiasts to tackle the InfoSecurity Challenge (TISC). The Challenge was organized in a capture-the-flag format, with 6 cybersecurity and programming challenges of increasing difficulty unlocked one after another.

Open Sesame: Escalating Open Redirect to RCE with Electron Code Review

Fri, 14 Aug 2020 11:43:43 +0000

This blog post will go through my whitebox review of an unnamed Electron application from a bug bounty program. I will demonstrate how I escalated an open redirect into remote code execution with the help of some debugging. Code samples have been modified and anonymized.

Closing the Loop: Practical Attacks and Defences for GraphQL APIs

Fri, 15 May 2020 13:37:11 +0000

While GraphQL promised greater flexibility and power over traditional REST APIs, GraphQL could potentially increase the attack surface for access control vulnerabilities. Developers should look out for these issues when implementing GraphQL APIs and rely on secure defaults in production. At the same time, security researchers should pay attention to these weak spots when testing GraphQL APIs for vulnerabilities.

Same Same But Different: Discovering SQL Injections Incrementally with Isomorphic SQL Statements

Sun, 05 Apr 2020 09:04:58 +0000

Despite the increased adoption of Object-Relational Mapping (ORM) libraries and prepared SQL statements, SQL injections continue to turn up in modern applications. In real-world scenarios, researchers need to balance two concerns when searching for SQL injections - 1. Ability to execute injections in multiple contexts; and 2. Ability to bypass WAFs and sanitization steps. A researcher can resolve this efficiently with something I call Isomorphic SQL Statements.

A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell

Tue, 18 Feb 2020 06:02:34 +0000

While researching a bug bounty target, I came across a web application that processed a custom file type which was actually just a ZIP file that contains an XML that functions as a manifest. If handled naively, this packaging pattern creates additional security issues. These “vulnerabilities” are actually features built into the XML and ZIP formats. Responsibility falls onto XML and ZIP parsers to handle these features safely. Unfortunately, this rarely happens, especially when developers simply use the default settings.

Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2

Sun, 12 Jan 2020 23:15:18 +0000

The Spring Boot framework is one of the most popular Java-based microservice frameworks that helps developers quickly and easily deploy Java applications. With its focus on developer-friendly tools and configurations, Spring Boot accelerates the development process. However, these development defaults can become dangerous in the hands of inexperienced developers.

Low-Hanging Apples: Hunting Credentials and Secrets in iOS Apps

Sun, 29 Dec 2019 14:58:40 +0000

Diving straight into reverse-engineering iOS apps can be daunting and time-consuming. While wading into the binary can pay off greatly in the long run, it’s also useful to start off with the easy wins, especially when you have limited time and resources. One such easy win is hunting login credentials and API keys in iOS applications.

From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13

Sun, 15 Dec 2019 15:41:06 +0000

I wanted to get into mobile app pentesting. While it’s relatively easy to get started on Android, it’s harder to do so with iOS. For example, while Android has Android Virtual Device and a host of other third-party emulators, iOS only has a Xcode’s iOS Simulator, which mimics the software environment of an iPhone and not the hardware. As such, iOS app pentesting requires an actual OS device.