Listen to the whispers: web timing attacks that actually work
Sign-in with World ID: XSS and ATO via OIDC Form Post Response Mode
Cross-Site Scripting via Web Cache Poisoning and WAF bypass
These Services Shall Not Pass: Abusing Service Tags to Bypass Azure Firewall Rules (Customer Action Required)
Bypassing DOMPurify with good old XML
Bypassing Imperva SecureSphere WAF (CVE-2023-50969)
DOM Purify - untrusted Node bypass
The Art of Intrusion: File Upload Bypass & WAF XSS Evasion in AWS S3 Demystified
Null Byte on Steroids
ModSecurity: Path Confusion and really easy bypass on v2 and v3
Remote Code Execution by Bypassing Cloudflare: CVE-2022-29464 Analysis
Fuzzing and Bypassing the AWS WAF
The ART of Chaining Vulnerabilities
Using Cloudflare To Bypass Cloudflare
Bypass WAF by a simple trick gained $1000 bounty
My First Bug: How I Was Able to Bypass the WAF and Uncover a Reflected XSS
AWS WAF Bypass: invalid JSON object and unicode escape sequences
Blind SQL injection with a little WAF
AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice
Exploiting HTTP Parsers Inconsistencies
Prototype Pollution Akamai
Bypassing An Industry-Leading WAF and Exploiting SQLi
How I discovered XSS via triple URL encode
A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…
Bug Bounty Writeup: Stored XSS Vulnerability WAF Bypass