Malicious authorization server attack in UMA 2.0

Published: Mar 18 2025

In a previous post, I described a pass-the-permission-ticket vulnerability in UMA 2.0 in which a malicious UMA resource server could kindly ask a UMA client to give it access tokens actually intended for another UMA resource server. In this post, I am describing a similar attack when the authorization server is malicious.

Pass-the-permission-ticket vulnerability in UMA 2.0

Published: Mar 18 2025

In the User-Managed Access (UMA) 2.0 protocol, a malicious resource server (or a malicious server acting as a resource server) can obtain a requesting party (access) token (RPT) intended for another UMA resource server from a UMA client by passing a permission ticket obtained from the target resource server to the UMA client. This can compromise the privacy (confidentiality) and integrity of UMA protected resources.

Exposing services in/out Podman containers

Published: Jan 27 2025

Some more tips for interacting with the namespaces of Podman containers.

GitHub Copilot instructions

Give me your prompt, would you kindly?

Published: Dec 26 2024

Extracting the system prompt from GitHub CoPilot.

Bypassing XSS filters

Published: Nov 20 2024

In this post, I am describing some payloads which I used to bypass two distinct XSS filter implementations (such as Web Application Firewalls (WAF)) as well as the approach to design them.

The FBI recommends using ad blockers

Published: Sep 8 2024

An interesting note from the FBI.

UMA 2.0 diagrams

Published: Jun 17 2024

Some diagrams (mostly sequence diagrams) about UMA 2.0.

Arbitrary code execution through kitty-open.desktop file association

ニャーニャー

Published: Sep 23 2023

In Debian kitty package, the kitty-open.desktop file would associate kitty +open with several MIME types. This could be used to arbitrary trigger code execution by serving a file with such a MIME type.

This has been introduced in kitty in 73a197fcd (2022-02-06) released as part of v0.24.3. This has been fixed in v0.26.5-5 of the Debian kitty package. Fixed upstream in 537cabca7 released in v0.29.0. Other distributions such as Ubuntu Lunar are still impacted.

Shell command and Emacs Lisp injection in emacsclient-mail.desktop

Published: Jun 8 2023

Shell command injection and Emacs Lisp injection vulnerabilities in one of the Emacs Desktop Entry (emacsclient-mail.desktop) leading to arbitrary code execution through a crafted mailto: URI.

Arbitrary file write in Stellarium file association

Published: Jun 8 2023

I found an arbitrary file write vulnerability (through path traversal) which would be exploited for arbitrary code execution in Stellarium (desktop version).

Page 1 of 4 | Previous page | Next page | JSON Feed | Atom Feed