Orange Tsai
@orange_8361
This is
Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ➡ Escaping from DocumentRoot to System Root ➡ Bypassing built-in ACL/Auth with just a '?' ➡ Turning XSS into RCE with legacy code…
This will be one of the few OSEE trainings held in Asia. Welcome to Taiwan :) blog.orange.tw/posts/2025-07-…
A bit late, but I just published my blog post on bypassing Ubuntu's sandbox! Hope you enjoy it! u1f383.github.io/linux/2025/06/…
I don't have OSCP; instead, I have OSEE!
My first kernel exploit! Big thanks to @d3vc0r3 and @offsectraining !
Thrilled to share our latest deep dive into Windows Kernel Streaming! Just presented this research at @offensive_con. Check it out: devco.re/blog/2025/05/1…
Another day, another bug of mine got listed in CISA's KEV. Why does everyone love my bugs (sigh...)? BTW, great article by @SinSinology again!
Our client base has been feeding us rumours about in-the-wild exploited SonicWall SMA n-days (CVE-2023-44221, CVE-2024-38475) for a while... Given these are now CISA KEV, enjoy our now public analysis and reproduction :-) labs.watchtowr.com/sonicboom-from…
Come join us at the Ask A Security Expert session at Black Hat Asia on April 4th! I'll be there with @orange_8361, @ryan_flores, and @Marmusha answering your cybersecurity questions. Submit your topics in advance using the form on the event page. Looking forward to seeing you!
The blog post is the full version of my talk at 38c3. It's about some vulnerabilities we found in libarchive and some interesting behaviors of libarchive that you don't want to miss. My favorite part is it only took us 56 seconds to trigger a crash by AFL++.
Our latest deep dive explores libarchive vulnerabilities under recent Windows 11 updates. Check out NiNi's (@terrynini38514) technical write-up for key insights and security implications. Read more here: devco.re/blog/2025/02/1… #VulnerabilityResearch #Cybersecurity
The results are in! We're proud to announce the Top ten web hacking techniques of 2024! portswigger.net/research/top-1β¦
This is absolutely the greatest recognition for a researcher. Thank you all!
Voting for the Top 10 Web Hacking Techniques of 2024 is live! Two of my research projects are nominated. Give them a vote! 🔥 > Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! > WorstFit: Unveiling Hidden Transformers in Windows ANSI!
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10-w…
The detailed version of our #WorstFit attack is available now! 🔥 Check it out! blog.orange.tw/posts/2025-01-… cc: @_splitline_
Our talk at #BHEU is done! Hope you all enjoyed it. A detailed blog is on the way, but in the meantime, check out the pre-alpha website worst.fit for early access and the slides! Huge thanks to @BlackHatEvents and my awesome co-presenter @_splitline_!
./ @_splitline_ and I will be in London for Black Hat Europe next week. Let's see how many calcs we will pop! #BHEU @BlackHatEvents blackhat.com/eu-24/briefing…
Dropped my slide for POC2024 on Linux kernel exploitation, including a journal from Pwn2Own Vancouver earlier this year. Enjoy. u1f383.github.io/slides/talks/2…
I love CRLF Injection
Confirmed! Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from the DEVCORE Research Team combined a CRLF Injection, an Auth Bypass, and a SQL Injection to exploit the Synology BeeStation. They earn $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OIreland
Tips for Pwn2Own players: pick a target that no one cares about, then you get no collision. Shout out to my colleague: @h3xr4bb1t We managed to bypass all the hardware protection together
Our final attempt of Day 2 of #Pwn2Own Ireland ends in a success as NiNi (@terrynini38514) of the DEVCORE Research Team pops the AeoTec Smart Home Hub. They head off for the last disclosure of the day. #P2OIreland
We've released Part II of our Windows Kernel Streaming series!
We've just published Angelboy's (@scwuaptx) latest deep dive into Windows Kernel vulnerabilities, fresh off the stage from #Hexacon! Don't miss out on the cutting-edge insights and findings. Check it out here: devco.re/blog/2024/10/0… #MSRC #VulnerabilityResearch
Remember CVE-2024-4577, the PHP-CGI RCE bypass? Actually, the Best-Fit 'feature' also impacts non-CJK codepages such as locales in the Americas, Western Europe, Oceania, and more! @_splitline_ and I will share these cool findings at @BlackHatEvents! 🔥 Let's make argument…
