Cyber Security Research

CVE-2025-30406 was added to CISA’s KEV list after being exploited in the wild. When we spotted a discrepancy between the vendor’s CVSS score (9.0) and NVD’s rating (9.8), we investigated to understand the real risk: how easily could an attacker obtain the machine keys and use them to exploit the vulnerability? Read on for the full breakdown.

In late 2024, Intruder’s security team was working on some research into APIs which expose endpoints that are missing authentication. The OWASP Top 10 for APIs lists Broken Authentication as number two, so we decided to look into some targets on Bug Bounty programs and see how prevalent these bugs really are.

In July 2023, while spending time hacking a US shipping vendor’s environment, I discovered an XXE (XML External Entity) vulnerability in the Oracle Commerce Cloud SAML login flow which allowed an attacker to forge server-side requests (SSRF) via an external DTD. In this post, I outline how I found it, the methods I used, and the disclosure process.

CSLA.NET is a framework that helps structure business logic for .NET applications into re-usable objects, and share those objects between systems. During a penetration test last year, we discovered an interesting path traversal vulnerability affecting applications using this framework. Read on for a technical explanation of how this vulnerability works.

This is the second post in a two-part series on DNS rebinding. In this post, I introduce new techniques for achieving reliable, split-second DNS rebinding in Chrome, Edge, and Safari when IPv6 is available, as well as a technique for bypassing the local network restrictions applied to the fetch API in Chromium-based browsers.

This post is the first in a two-part series on DNS rebinding in web browsers. In this post, I will talk about a bug we found in our own product which allowed us to retrieve low-privileged AWS credentials using DNS rebinding. In the next post, I will share new techniques to reliably achieve split-second DNS rebinding in Chrome, Edge, and Safari, as well as bypass Chrome's restrictions on requests to private networks.‍

Prototype pollution bugs have been a feature in many CTFs in recent years, and real-world examples in open-source applications have led to impactful exploits such as remote code execution and denial-of-service. The discovery of these bugs has long relied on access to source code, with no safe black-box detection techniques being widely used.

GUIDs (often called UUIDs) are widely used in modern web applications. However, seemingly very few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one.

Modern web applications typically rely on chains of multiple servers, which forward HTTP requests to one another. The attack surface created by this forwarding is increasingly receiving more attention, including the recent popularisation of cache poisoning...