Breaking into HashiCorp Vault, Apple and Google

Its a web-exploit heavy episode impacing Apple, Hasicorp, Azure, Google, and even a DOMPurify Bypass. Then we end-off with a look into benchmarking fuzzers, and a look at the House of Muney heap exploitation technique.

• [00:00:49] Fuzzing internships for Open Source Software
  
• [00:03:15] CET Updates – CET on Xanax
  
• [00:09:07] Binary Ninja - Open Source Architectures
  
• [00:14:03] Memory Safe 'curl' for a More Secure Internet
  
  • https://daniel.haxx.se/blog/2020/10/09/rust-in-curl-with-hyper/
  
  
• [00:17:25] We Hacked Apple for 3 Months: Here’s What We Found
  
• [00:25:46] Race condition while removing the love react in community files
  
• [00:30:11] Enter the Vault: Authentication Issues in HashiCorp Vault
  
• [00:46:39] Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure
  
• [00:51:11] Password Reset Link Leaked In Refer Header
  
• [00:57:37] The mass CSRFing of *.google.com/* products.
  
• [01:06:02] A brief encounter with Leostream Connect Broker
  
• [01:15:47] Bypassing DOMPurify again with mutation XSS
  
  • https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
  
  
  • https://github.com/marcinguy/jquery-xss-in-html
  
  
• [01:22:10] Apache Struts OGNL Remote Code Execution [CVE-2019-0230]
  
• [01:28:11] UNIFUZZ: A Holistic, Pragmatic Metrics-Driven Platform for Evaluating Fuzzers
  
  • https://github.com/unifuzz/unibench
  
  
  • https://github.com/unifuzz
  
  
• [01:47:15] House of Muney - Leakless Heap Exploitation Technique
  
  • https://github.com/mdulin2/house-of-muney
  
  

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)

Or the video archive on Youtube (@DAY[0])