Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Parser Bugs of the Year - 1424

LangSec, posted 1 year ago
  • Parser bugs can be really bad, given how widespread parsers are. The article hands out a few awards: most impactful, best parser differential, hardest to fix, and weirdest machine.
  • For most impactful, it was the WebP bug. The Huffman decoding code was absolutely everywhere. The runner-up was a set of bugs in H.264 file format parsing.
  • For hardest to fix, it was the Binarly post. Since they deal with low-level firmware, fixing it is non-trivial. It was a memory safety issue in image parsing (of course).
  • Personally, I found BatBadBut cooler as a parsing command injection bug. Bash and C tokenize arguments for invoked programs the same way. However, Windows batch files do something entirely different, which most languages, including Rust and Java, didn't account for. In Windows, backslashes are NOT an escape for quotes; the caret is. So the normal escaping didn't work.
  • The winner for best parser differential was a GitLab parsing issue related to YAML processing in Ruby vs. Go. The runner-up was a request smuggling vulnerability in Node.js and several other servers caused by differences in how a carriage return within optional whitespace is interpreted.
  • The winner for weirdest machine was NSO Group's exploitation of a parser bug to build their own virtual architecture inside a PDF parser, as researched by Project Zero (P0). Probably the craziest blog post I've ever read.
  • I appreciate the author grouping these all together! I hadn't read all of these, so it was good for me to get to them.