My Research
CRLF Injection Nested Response Splitting CSP Gadget
October 15, 2025
If you can do CRLF injection in a response header, most likely you can also do response splitting to achieve reflected XSS. Even if a strict CSP is in place, you could bypass it by using response splitting as a CSP gadget. I coined this trick as "Nested Response Splitting"!
Tags: Client-Side, CRLF Injection, XSS, CSP
Python Dirty Arbitrary File Write to RCE via Writing Shared Object Files Or Overwriting Bytecode Files
April 29, 2025
Web security has a vulnerability class called "arbitrary file write" (AFW), where the attacker can create or overwrite files on the server, which can potentially lead to RCE (Remote Code Execution). For instance, if a web application uses PHP and Apache, an attacker could create a new .htaccess file to gain RCE (a real-world example can be seen in one of my bug bounty findings). In Apache, the .htaccess file is used to make configuration changes on a per-directory basis. However, with the help of an AFW vulnerability, an attacker can add the following rules to tell Apache to treat files with a .txt extension as PHP scripts: […]
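The author's exact directives are elided from this excerpt; as an added example (not the author's code), the following script builds the kind of per-directory .htaccess an attacker would drop through an AFW primitive and then scans a web root for .htaccess files that route any non-PHP extension to the PHP handler, which is the check a defender would run after such a finding. It assumes a mod_php-style deployment, where the `AddType`/`AddHandler`/`SetHandler` forms with `application/x-httpd-php` (or the older `php5-script`-style handler names) are what hand execution to PHP; the directory layout and file contents are constructed for the demonstration.

```python
"""Added example (not the author's code): flag .htaccess files that map a
non-script extension to the PHP handler, the AFW-to-RCE primitive described
above. Assumes a mod_php-style setup; the directives below are the standard
forms for that, not the author's elided rules."""
import os
import re
import tempfile

# Directives that hand a request to the PHP handler under mod_php:
#   AddType/AddHandler application/x-httpd-php <ext...>
#   AddHandler php5-script <ext...>      (older handler name)
#   SetHandler application/x-httpd-php   (whole directory, no extension list)
PHP_HANDLER_RE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler)\s+"
    r"(?:application/x-httpd-php\S*|php\d*-script)\s*(.*?)\s*$",
    re.IGNORECASE,
)

# Extensions Apache is expected to execute; anything else mapped to PHP is suspect.
EXPECTED_PHP_EXTS = {".php", ".phtml"}


def suspicious_mappings(htaccess_text):
    """Return (directive, extension) pairs that route non-PHP extensions to PHP."""
    hits = []
    for line in htaccess_text.splitlines():
        m = PHP_HANDLER_RE.match(line)
        if not m:
            continue
        directive = m.group(1)
        if directive.lower() == "sethandler":
            hits.append((directive, "*"))  # applies to every file in the directory
            continue
        for ext in m.group(2).split():
            if ext.lower() not in EXPECTED_PHP_EXTS:
                hits.append((directive, ext))
    return hits


def scan_webroot(root):
    """Walk root; return {path: [(directive, ext), ...]} for risky .htaccess files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        if ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = suspicious_mappings(fh.read())
        if hits:
            findings[path] = hits
    return findings


def demo():
    """Constructed web root: an attacker-written .htaccess in uploads/ next to a
    benign one at the top level. Returns findings keyed by relative path."""
    attacker_htaccess = "AddType application/x-httpd-php .txt\n"  # what AFW writes
    benign_htaccess = "Options -Indexes\nAddType application/x-httpd-php .php\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(attacker_htaccess)
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(benign_htaccess)
        return {os.path.relpath(p, root): h for p, h in scan_webroot(root).items()}


if __name__ == "__main__":
    print(demo())  # {'uploads/.htaccess': [('AddType', '.txt')]}
```

Only the uploads directory is reported: the top-level file maps `.php` to PHP, which is the expected configuration. Note that the scan is only meaningful where `AllowOverride` actually lets .htaccess set handlers; if it is `None` for a directory, the dropped file is inert there, so pair the scan with a check of the server configuration.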
Tags: Arbitrary File Write, Python
Attempted Research in PHP Class Pollution
February 19, 2025
After reading the Ruby class pollution research from Doyensec and re-reading the blog post about class pollution in Python, I started thinking about this research question:
- If class pollution is possible in Python and Ruby, does that mean other programming languages that support OOP (Object-Oriented Programming) are inherently vulnerable to class pollution? […]
Tags: Class pollution, PHP