pspaul's blog
Hi! I play CTFs with FluxFingers and research vulnerabilities at Sonar.
Publications
2024-10-28  Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey
2024-10-24  Hack.lu 2024: SQL Injection Isn't Dead: Smuggling Queries At The Protocol Level, on youtube.com
2024-10-20  Bench Press: Leaking Text Nodes with CSS
2024-08-10  DEF CON 32: SQL Injection Isn't Dead: Smuggling Queries At The Protocol Level, on youtube.com
2024-07-09  Gogs: RCE via Git-Related Bugs (2/2), on sonarsource.com
2024-07-02  Gogs: RCE via Argument Injection in the SSH Server (1/2), on sonarsource.com
2024-06-19  justCTF 2024 Teaser: Casino (Web 394)
2024-06-17  Re-moo-te Code Execution in Mailcow: Always Sanitize Error Messages, on sonarsource.com
2024-04-26  Insomni'hack 2024: Beating The Sanitizer: Why You Should Add mXSS To Your Toolbox, on youtube.com
2024-03-21  Micro Services, Major Headaches: Detecting Vulnerabilities in Erxes' Microservices, on sonarsource.com
2023-11-20  VSCode: Vulnerabilities in the NPM Integration (3/3), on sonarsource.com
2023-11-14  VSCode: Markdown Vulnerabilities in Third-Party Extensions (2/3), on sonarsource.com
2023-11-07  VSCode: Deep Dive into Your Favorite Editor (1/3), on sonarsource.com
2023-10-26  Paul's Security Weekly #804: VSCode Vulnerabilities, on youtube.com
2023-10-25  Pwn2Own Toronto 2023: RCE in the Wyze Cam v3, on twitter.com
2023-09-20  RCE in Tutanota Desktop, on sonarsource.com
2023-09-12  XSS in Skiff Mail, on sonarsource.com
2023-09-04  XSS in Proton Mail, on sonarsource.com
2023-08-11  DEF CON 31: Visual Studio Code is Why I Have (Workspace) Trust Issues, on youtube.com
2023-06-15  TyphoonCon 2023: Patches, Collisions and Root Shells: A Pwn2Own Adventure, on typhooncon.com
2023-05-11  Black Hat Asia 2023: Stealing With Style: Using CSS to Exploit Proton Mail & Friends, on youtube.com
2023-03-24  Insomni'hack 2023: You Click, You Lose: a Practical Look at Visual Studio Code's Security, on insomnihack.ch
2022-12-09  Pwn2Own Toronto 2022: WAN-Side RCE in the Synology RT6600ax Router, on twitter.com
2022-09-20  OneDev Remote Code Execution, on sonarsource.com
2022-07-12  RCE via Prototype Pollution in Blitz.js, on sonarsource.com
2022-07-09  FAUST CTF 2022: compiler60
2022-03-08  Securing Developer Tools: Package Managers, on sonarsource.com
2021-11-30  NodeBB 1.18.4 - Remote Code Execution With One Shot, on sonarsource.com
2021-08-31  Ghost CMS 4.3.2 - Cross-Origin Admin Takeover, on sonarsource.com
2021-07-13  Etherpad 1.8.13 - Code Execution Vulnerabilities, on sonarsource.com
2021-03-18  NoSQL Injection in Rocket.Chat: How A Small Leak Grounds A Rocket, on sonarsource.com
2019-10-24  Hack.lu CTF 2019: Save Our Planet (Web 500), on ctftime.org
2019-10-07  Intigriti XSS Challenge #4
2019-06-04  Facebook CTF 2019: Secret Note Keeper (Web 676)
2019-04-16  PlaidCTF 2019: Potent Quotables (Web 300)
2019-01-27  Codegate CTF Preliminary 2019: PyProt3ct (Reversing 27.8)
2018-10-28  P.W.N. CTF 2018: Converter (Web/Crypto 200)
2018-10-24  Hack.lu CTF 2018: Petite Prison (Pwn 500)