case-studies

Real examples of security work, including penetration testing projects. Learn from detailed stories of security assessments and how challenges were handled.
How we found an IDOR in Jira
case-studies
This blog details our discovery of an Insecure Direct Object Reference (IDOR) vulnerability in JIRA, a product by Atlassian. You may be familiar with the Atlassian platform from our previous blog, where we discussed how we found a wormable XSS vulnerability in their web application. If you haven't already,
6 min read
How We Found a Wormable XSS in Atlassian
case-studies
We recently uncovered an interesting vulnerability during a security assessment at Snapsec: an XSS attack capable of spreading to other organizations, a wormable XSS. This blog will delve into how we crafted an XSS payload that exploited Atlassian's interconnected web application, giving you a first-hand look at how
7 min read
Finding Multiple Security Issues on Agorapulse
case-studies
Agorapulse provides everything an organization could possibly need for social media marketing, monitoring, and management. Agorapulse is a full-featured social media management platform. Some of its features include a variety of ways to publish content, schedule posts, and report about social account usage. The software is used to create and
9 min read
Spring4Shell: Everything you need to know.
News
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the
6 min read
We Hacked Larksuite For 1 month and Here is what we found
case-studies
Almost a year ago, in March 2020, we were going through our stock of private invites looking for a program worthy of our time and excitement. After a while, we stumbled upon a program by the name of Lark Technologies. Larksuite is a collaborative platform where users can work together on various tasks. This product
21 min read
Hacking Zendesk - Cache Deception, Privilege Escalation and more
case-studies
Another expedition to choose a new target to hack at Snapsec stopped at Zendesk. Zendesk aligned with most of the testing principles we consider when choosing a new target. Their public metrics indicated that the Zendesk security team was responsive and acknowledged the work of security researchers
9 min read
How We Found Log4shell on Agorapulse
case-studies
Log4j is a logging framework for Java applications. It is a popular choice for developers looking for a simple and flexible logging solution. However, Log4j has in the past been found to be vulnerable to a number of security issues. The log4j library has recently been found to contain a
5 min read