Breaking into HashiCorp Vault, Apple and Google
01:54:47 Share

Its a web-exploit heavy episode impacing Apple, Hasicorp, Azure, Google, and even a DOMPurify Bypass. Then we end-off with a look into benchmarking fuzzers, and a look at the House of Muney heap exploitation technique.

• [00:00:49] Fuzzing internships for Open Source Software)

• [00:03:15] CET Updates – CET on Xanax)

• [00:09:07] Binary Ninja - Open Source Architectures)

• [00:14:03] Memory Safe 'curl' for a More Secure Internet)

• https://daniel.haxx.se/blog/2020/10/09/rust-in-curl-with-hyper/)

• [00:17:25] We Hacked Apple for 3 Months: Here’s What We Found)

• [00:25:46] Race condition while removing the love react in community files)

• [00:30:11] Enter the Vault: Authentication Issues in HashiCorp Vault)

• [00:46:39] Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure)

• [00:51:11] Password Reset Link Leaked In Refer Header)

• [00:57:37] The mass CSRFing of .google.com/ products.)

• [01:06:02] A brief encounter with Leostream Connect Broker)

• [01:15:47] Bypassing DOMPurify again with mutation XSS)

• https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/)

• https://github.com/marcinguy/jquery-xss-in-html)

• [01:22:10] Apache Struts OGNL Remote Code Execution [CVE-2019-0230])

• [01:28:11] UNIFUZZ: A Holistic, Pragmatic Metrics-Driven Platform for Evaluating Fuzzers)

• https://github.com/unifuzz/unibench)

• https://github.com/unifuzz)

• [01:47:15] House of Muney - Leakless Heap Exploitation Technique)

• https://github.com/mdulin2/house-of-muney)

Watch the DAY[0] podcast live on Twitch (@dayzerosec)) every Monday afternoon at 12:00pm PST (3:00pm EST)

Or the video archive on Youtube (@DAY[0]))