Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover

April 22, 2024

Public disclosure of a vulnerability in AWS Amplify which exposed IAM roles associated with Amplify projects to be assumed by anyone in the world.

Two Minor Cross-Tenant Vulnerabilities in AWS App Runner

April 3, 2023

Writeup for two minor cross-tenant vulnerabilities I found in AWS App Runner.

Using an Undocumented Amplify API to Leak AWS Account IDs

March 27, 2023

Writeup for a technique I found to leak an AWS account ID from an Amplify app.

A Look at AWS API Protocols

January 23, 2023

An introduction to AWS API protocols and how they work.

A Confused Deputy Vulnerability in AWS AppSync

November 21, 2022

Datadog: Technical analysis of a confused deputy vulnerability I found in AWS AppSync.

OpenSSL Punycode Vulnerability (CVE-2022-3602)

November 1, 2022

Datadog: A technical analysis of the OpenSSL punycode vulnerability.

Revisiting Lambda Persistence

September 16, 2021

Revisiting and building on the original Lambda persistence technique.

XSS in the AWS Console

June 3, 2021

Writeup for a cross-site scripting bug I found in the AWS Console.

Intercept SSM Agent Communications

January 27, 2021

Research on post-exploitation techniques against SSM Agent abusing send-command and start-session.

Enumerate AWS API Permissions Without Logging to CloudTrail

October 17, 2020

Writeup for a bug I discovered in the AWS API that would allow you to enumerate certain permissions for a role without logging to CloudTrail.

Abusing AWS Connection Tracking

August 11, 2020

Tunnel out of restricted security groups by abusing connection tracking.

Abusing GitLab Runners

July 11, 2020

Some research I did on abusing GitLab Runners to steal information by emulating a runner's behavior.

CVE-2020-11108: How I Stumbled into a Pi-hole RCE+LPE

May 10, 2020

Writeup for CVE-2020-11108 covering how I found the vulnerability and how it can be exploited for fun/profit.

Escalating Deserialization Attacks (Python)

February 23, 2020

Demonstrating how to exploit deserialization attacks in Python 2/3.

Intercept Linux CLI Tool Traffic

January 11, 2020

A guide on how to intercept Linux CLI tool traffic with Burp Suite.

Bypass GuardDuty PenTest Alerts

September 4, 2019

A guide to bypassing the GuardDuty PenTest finding type.

Hijacking IAM Roles and Avoiding Detection

July 1, 2019

A guide on how to steal IAM role keys and use them without being detected.

IDOR Attacks

June 4, 2019

An introduction to IDOR attacks.

Security Headers: Content Security Policy

December 3, 2018

An in-depth overview of the Content Security Policy header.

Angular Universal: Some Insights

October 4, 2018

Some advice based on my experience with Angular Universal.

OSCP Review

July 23, 2018

My thoughts and experiences with the OSCP.