Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.

Latest insight

CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

Grzegorz Bronka

19 December, 2025

When testing connectivity of the SDMC NE6037 router inputting a quote character into the "ping" utility revealed an error indicating a Remote Code Execution (RCE) vulnerability. It is quite common to find RCE vulnerabilities in routers’ connectivity tools (such as ping or traceroute). The user-supplied parameters are passed without sanitization as a parameter to a shell command. This was confirmed to be the root cause in this instance.

READ article

Other articles

Windows security – what is LSASS dump. How to protect against it? Part 1.

DAWID FARBANIEC

09 June, 2022

Windows security – what is LSASS dump. How to protect against it? The ability of Advanced Persistent Threat (APT) groups and other threat actors to take a dump of Windows credentials is a serious threat especially to enterprises and other organizations. The MITRE ATT&CK knowledge base, which is created primarily to support defense against cyber …

READ article

fail2ban – Remote Code Execution

JAKUB ŻOCZEK

04 April, 2022

In this article we will discuss a recently published vulnerability in quite popular software – fail2ban (CVE-2021-32749). Under the right conditions, this bug could be exploited to achieve code execution with root privileges. Luckily, it is difficult for a "normal" attacker to achieve. This vulnerability is rooted in a way the mail command from the …

READ article

Comparison of reverse image searching in popular search engines [OSINT hints]

KRZYSZTOF WOSIŃSKI

11 August, 2021

A little experiment – comparison of Google, Bing and Yandax in terms of reverse image search. Guest post by Krzysztof Wosinski

READ article

Mutation XSS via namespace confusion – DOMPurify

MICHAŁ BENTKOWSKI

21 September, 2020

In this blogpost I'll explain my recent bypass in DOMPurify - the popular HTML sanitizer library. In a nutshell, DOMPurify's job is to take an untrusted HTML snippet, supposedly coming from an end-user, and remove all elements and attributes that can lead to Cross-Site Scripting (XSS).

READ article

Prototype pollution – and bypassing client-side HTML sanitizers

MICHAŁ BENTKOWSKI

18 August, 2020

In this article I'll cover the prototype pollution vulnerability and show it can be used to bypass client-side HTML sanitizers. I'm also considering various ways to find exploitation of prototype pollution via semi-automatic methods. It could also be a big help in solving my XSS challenge.

READ article

HTML sanitization bypass in Ruby Sanitize

michał bentkowski

22 July, 2020

On Jun 16, 2020 a security advisory for Ruby Sanitize library was released about an issue that could lead to complete bypass of the library in its RELAXED config. I have found this bug during a penetration test conducted by Securitum, and in this post I'll explain how I came up with the idea of the bypass and show how it worked.

READ article

marginwidth/marginheight – the unexpected cross-origin communication channel

Michał bentkowski

13 July, 2020

On 6th July 2020 I've announced a XSS challenge on my Twitter. So far only four people were able to solve it and every single one of them told me that they had never heard about the quirk used in the challenge before. So here's a writeup explaining this quirk along with some backstory.

READ article

Art of bug bounty: a way from JS file analysis to XSS

Jakub Żoczek

01 July, 2020

Summary: During my research on other bug bounty program I've found Cross-Site Scripting vulnerability in cmp3p.js file, which allows attacker to execute arbitrary javascript code in context of domain that include mentioned script. Below you can find the way of finding bug bounty vulnerabilities

READ article

Helping secure DOMPurify

Michał Bentkowski

27 January, 2020

Within last year I shared a a few writeups of my bypasses of HTML sanitizers, including: > Write-up of DOMPurify 2.0.0 bypass using mutation XSS > Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass While breaking sanitizers is fun and I thoroughly enjoy doing it, I reached a point where I began to think whether I can contribute even more and propose a fix that will kill an entire class of bypasses.

READ article

Featured articles

Two new CVEs: FooGallery's WordPress plugin

Robert Kruczek

05 July 2024

During some happy hunting, I found two XSS vulnerabilities in the FooGallery WordPress plugin (version 2.4.14), which made 50k instances vulnerable on the day of discovery! These can allow attackers to execute malicious code and gain unauthorized access to administrative functionalities. Below is a detailed explanation of these vulnerabilities and how they can be exploited.

READ article

XSS in WordPress via open embed auto discovery

JAKUB ŻOCZEK

29 May 2023

Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires patient searching.

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?