shubs
@infosec_au
Co-founder, security researcher. Building an attack surface management platform, @assetnote
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4
Blog for ToolShell Disclaimer: The content of this blog is provided for educational and informational purposes only. blog.viettelcybersecurity.com/sharepoint-too… #SharePoint #ToolShell
For our third installment of Christmas in July, the @SLCyberSec Research Team is disclosing a critical authentication bypass vulnerability in ETQ Reliance that leads to RCE (CVE-2025-34143). Surprisingly, all you needed was a space to bypass auth. slcyber.io/assetnote-secu…
I hope everyone got some rest after @DownUnderCTF this weekend. My colleague @hash_kitten wrote up a blog post on a novel technique for SQL Injection in PDO's prepared statements, required to exploit the “legendary” challenge, which only got one solve: slcyber.io/assetnote-secu…
This month's Christmas in July release from @SLCyberSec's Security Research team is a pre-authentication RCE vulnerability in Sawtooth Lighthouse Studio (CVE-2025-34300). This software is prevalent and hidden in plain sight. Read more on our blog: slcyber.io/assetnote-secu…

When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (@iangcarroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456". ian.sh/mcdonalds
Pre-auth bugs in enterprise software? Yes please. @hash_kitten takes us inside their research on Adobe Experience Manager—uncovering critical, pre-auth vulnerabilities in a platform powering 45,000+ sites. Live at BSides Canberra 2025: cfp.bsidescbr.com.au/bsides-canberr…
Whenever I audit C# code, I look for benign file operations such as File.Exists(), especially if there's a preceding Path.Combine(). Read about how we leaked NTLM hashes pre-authentication in DotNetNuke (CVE-2025-52488) due to a perfect storm of issues. slcyber.io/assetnote-secu…

I recently found a blind FreeMarker SSTI on a bbp. It was not possible to RCE but I found some nice gadgets to enumerate accessible variables, read data blindly or perform some DoS. I documented that here if someone is interested gist.github.com/n1nj4sec/5e3ff…
Reverse Engineering Vercel's BotID by @blastbots nullpt.rs/reversing-botid
To kick off our Christmas in July research posts, we explain how we achieved persistent XSS on every Adobe Experience Manager Cloud instance, not twice, but thrice! This is now patched across all of AEM cloud, but what an interesting attack surface! slcyber.io/assetnote-secu…

We’re celebrating Christmas in July this year, starting July 1st. We’ll release a security research post on Searchlight Cyber’s blog each week over the month. To be the first to know, subscribe to our RSS feed here: slcyber.io/assetnote-secu…

When I asked @infosec_au to write a foreword for "From Day Zero to Zero Day," I didn't anticipate how perfectly he would capture my mission to break down the barriers to zero-day research. His legendary journey as one of the world's top hackers and the co-founder of Assetnote is…
Honestly a bit surreal, but I’ll be joining @assetnote as a Security Researcher soon🦆. Excited to be part of such a brilliant team.
How do we turn bad SSRF (blind) into good SSRF (full response)? The @assetnote Security Research team at @SLCyberSec used a novel technique involving HTTP redirect loops and incremental status codes that leaked the full HTTP resp. It may work elsewhere! slcyber.io/assetnote-secu…

The post is at tantosec.com/blog/2025/06/i… and we hope you enjoy reading it as much as we enjoyed putting it together! ❤️
Sadly, other than the security team, nobody cares about the security tools you build. Here’s how to avoid getting sucked into onboarding hell with frictionware, and actually get traction. spaceraccoon.dev/cybersecurity-…