Sayooj B Kumar

Security Engineer @Cred | CTF'ing @teambi0s

Bangalore, India

Caught in Transit: A Deep Dive into Two HTTP Request Smuggling Vulnerabilities

tl;dr

CVE-2024-6827
CVE-2024-31617

Aug 8 Web Exploitation , Bug Bounty , Zeroday CVE, Gunicorn, OpenLiteSpeed Comments

RCE via Twitter Hogan.js

tl;dr

Reversing Hogan.js
RCE - using Hogan-js

Dec 15 Web Exploitation , Bug Bounty Hogan_js, Prototype Pollution Comments

GateKeeping - CSAW '21 Qualifier

tl;dr

Bypass nginx’s DENY ALL using SCRIPT_NAME
Calculate key_id uploading flag.txt.enc
Leak the key and decrypt flag.txt.enc

Sep 14 CTF Nginx Comments

Intigriti's October XSS challenge

tl;dr

HTML injection to XSS html=</h1></div><code id=intigriti><b><i(('>&xss=));alert(document.domain)

Sep 3 CTF , Labs Client Side, XSS Comments

Prototype Pollution Vulnerable Labs

tl;dr

Lab1 - Prototype pollution in deparam when combined with reddit platform.js turns out to be xss
Lab2 - Prototype pollution to Xss via arg.js
Lab3 - Prototype pollution to Xss via recaptcha

Aug 24 Web Exploitation , Labs Client Side, Prototype Pollution Comments

Json Analyser - InCTF Internationals 2021

tl;dr

Json_Interoperability - /verify_roles?role=supersuperuseruser\ud800","name":"admin
Prototype_Pollution - {"constructor":{"prototype":{"test":"123"}}} in config-handler
rce - using squirrelly-js

Aug 15 CTF , 0days InCTFi, Json_Interoperability, Prototype Pollution Comments

illusion - pwn2win 2021

tl;dr

Using Prototype pollution vulnerablity in fast-json-patch pollute value in outputFunctionName
Get a shell as the flag can only be obtained using binary file

Jun 3 CTF Prototype Pollution, RCE Comments