+9-1
@@ -6,7 +6,7 @@
# Schemes
-
>Attacking Redis db via CR symbols via`git://` link: https://hackerone.com/reports/441090
+
[Attacking Redis db via CR symbols in`git://` link](https://hackerone.com/reports/441090)
# Vulns
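Review bot: the new `+` line drops the space between "in" and the code span, so it renders as "CR symbols in`git://` link"; the old `>` line had the same defect ("via`git://`"). Suggest `[Attacking Redis db via CR symbols in `git://` link](https://hackerone.com/reports/441090)` so the link text matches the spacing used by the other entries in this file.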
@@ -31,6 +31,14 @@ Redirection is found on reverse proxy and [can move you to internal servises (SS
## File upload
+
Always look for the command injection if you have noticed that your files are edited or converted in some way.
+
+
### Image
+
+
Basically SVG files can be used to insert arbitary JavaScript code via `script` tag and even entire HTML-markup via the `foreignObject` tag: https://github.com/allanlw/svg-cheatsheet.
+
+
If an old version of librsvg is used to convert SVG to PNG, it can cause a [memory leakage](https://hackerone.com/reports/2107680).
+
### Video
[SSRF-LFR in FFmpeg](https://hackerone.com/reports/1062888)
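Review bot: the added "### Image" lines have spelling and style issues that should be fixed before merge: "arbitary" should be "arbitrary" and "HTML-markup" should be "HTML markup" in the SVG sentence, and "Always look for the command injection" reads better as "Always look for command injection". The SVG entry also gives the cheatsheet as a bare URL after a colon, while the rest of this file (including the new librsvg line and the existing FFmpeg line below it) uses `[title](url)` links; suggest `[SVG cheatsheet](https://github.com/allanlw/svg-cheatsheet)` for consistency. Separately, the hunk header's unchanged context still carries the typo "servises" (should be "services"), which is outside this change but worth a follow-up.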