Spaceraccoon's Blog
InfoSec and White Hat Hacking
2024
Jul 7
Universal Code Execution by Chaining Messages in Browser Extensions
web
desktop
reverse engineering
May 27
Cache Me If You Can: Local Privilege Escalation in Zscaler Client Connector (CVE-2023-41973)
binary
desktop
reverse engineering
Feb 4
Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)
web
code review
desktop
2023
Oct 31
Hacking HP Display Monitors via Monitor Control Command Set (CVE-2023-5449)
binary
desktop
reverse engineering
hardware
Oct 7
Passing the New OSEE Exam After Forgetting Everything
reverse engineering
binary
exploit
Apr 8
Rule Writing for CodeQL and Semgrep
dev
code review
2022
Dec 17
I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS
web
code review
Sep 19
Challendar: Creating a Challenge for The Infosecurity Challenge 2022
dev
web
code review
Aug 29
Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl
cloud
web
code review
Aug 18
You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications
desktop
red team
web
ios
android
Jun 18
Embedding Payloads and Bypassing Controls in Microsoft InfoPath
desktop
red team
Feb 3
Solving DOM XSS Puzzles
web
code review
2021
Dec 31
2Q21: New Year's Reflections
writing
Nov 26
The InfoSecurity Challenge 2021 Full Writeup: Battle Royale for $30k
desktop
binary
reverse engineering
dev
code review
web
android
api
red team
Oct 22
All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021-38646)
desktop
binary
reverse engineering
fuzzing
Sep 29
All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021-33035)
desktop
binary
reverse engineering
fuzzing
code review
Sep 17
Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling
dev
ai
code review
reverse engineering
Jun 23
ROP and Roll: EXP-301 Offensive Security Exploit Developer (OSED) Review and Exam
training
binary
May 22
Life's a Peach (Fuzzer): How to Build and Use GitLab's Open-Source Protocol Fuzzer
fuzzing
binary
Mar 11
Offensive Security Experienced Penetration Tester (OSEP) Review and Exam
training
red team
Feb 2
Applying Offensive Reverse Engineering to Facebook Gameroom
desktop
reverse engineering
2020
Dec 23
Supply Chain Pollution: Hunting a 16 Million Download/Week npm Package Vulnerability for a CTF Challenge
web
code review
Dec 3
Imposter Alert: Extracting and Reversing Metasploit Payloads (Flare-On 2020 Challenge 7)
binary
reverse engineering
Sep 18
Beat The Clock: The CSIT InfoSecurity Challenge
binary
reverse engineering
Aug 14
Open Sesame: Escalating Open Redirect to RCE with Electron Code Review
desktop
code review
reverse engineering
May 15
Closing the Loop: Practical Attacks and Defences for GraphQL APIs
web
api
Apr 5
Same Same But Different: Discovering SQL Injections Incrementally with Isomorphic SQL Statements
web
Feb 18
A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell
web
Jan 12
Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2
web
2019
Dec 29
Low-Hanging Apples: Hunting Credentials and Secrets in iOS Apps
ios
Dec 15
From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13
ios