New blog post is out! A few vulnerabilities in Mailcow.
A critical unauthenticated XSS, and another interesting Self-XSS escalation involving a Login CSRF with a leftover tab. Check it out:
www.aikido.dev/blog/xss-vul...
Happy to have made some web challenges for Plfanzen CTF. The event runs next weekend, check it out!
plfanzen.lol
Thanks @cryptocat.me for inviting me to my first ever podcast!
Check out the section at 29:36 😄
Now that everybody's had a chance to solve it, here's a timelapse of my playtesting run of the JavaScript Crossword!
SPOILER WARNING: Please try it yourself first in the post below, it's very satisfying to solve, I don't want you to miss out on that 😄
(1 second = 2 minutes)
I won't keep you in mystery any longer, here's how I found an XSS vulnerability *in* Shazzer!
The chain involved some interesting browser techniques no sane developer could foresee. Check out the details below:
jorianwoltjer.com/blog/p/stori...
(and thanks @garethheyes.co.uk for making Shazzer!)
Cool exploit with @0x999.net:
He found that \x7F breaks Chrome's "Copy as cURL (cmd)" command parsing in Windows Console Host. In combination with a ", it allowed you to add any arguments to curl.
With -o writing files is easy, but we need the username for the startup path... (1/2)
(2/2) After some wild ideas of leaking it, I found a different solution using the obscure "Variables" (curl.se/docs/manpage...) feature of curl. We can define and expand {{USERPROFILE}}, then finish with an 8.3 Shortname "StartM~1" to avoid issues with a space!
The final payload:
Fun parser differential to fallback SVG sanitizer bypass:
github.com/freescout-he...
We tested another mail client, Roundcube this time. The agents found a Stored Self-XSS vulnerability that could really only be exploited with Cookie Tossing.
Scary for password reset tokens...
Blog post below:
www.aikido.dev/blog/roundcu...
i made a new game called js crossword where you have to solve it by literally writing javascript code that eval()'s into the correct values!
check it out if you're into ctfs or wanna challenge your javascript skills
lyra.horse/fun/jscrossw... <3
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
### Summary
Bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of `.png` with content type of `imag...
We found a stored XSS in Roundcube's draft attachment endpoint that, chained with a cookie tossing technique, gives an attacker full access to a victim's inbox. Here's how the exploit chain works and ...
How I found an XSS in Shazzer, a tool for discovering and sharing browser quirks through fuzzing. Not *using*, but *in* Shazzer. We'll explore some useful techniques with Blob URLs to unsandbox malici...
Did you catch @jorianwoltjer.com's cool XSS chain on RoundCube mail? 👀
If not, you can hear (and see) all about it in the latest episode of the @rapid7.com podcast!
youtu.be/A05dD51mLyo