siunam's Website

My personal website


My Research


Parse and Parse: MIME Validation Bypass to XSS via Parser Differential (CTBB Lab)

January 31, 2025

This research is an extension of the Content-Type research from BlackFan, more specifically the response Content-Type tricks. Unfortunately, the multiple Content-Type trick is not clearly explained by BlackFan. Therefore, I'll explain and demonstrate how a single comma character can cause a parsing difference between the browser and different MIME type parser libraries.

Tags: Parser Differential, Client-Side, MIME, XSS

October 15, 2025

If you can do CRLF injection in the response header, most likely you can also do response splitting to achieve reflected XSS. Even if a strict CSP is in place, you could bypass it by using response splitting as a CSP gadget. I coined this trick "Nested Response Splitting"!

Tags: Client-Side, CRLF Injection, XSS, CSP

Python Dirty Arbitrary File Write to RCE via Writing Shared Object Files Or Overwriting Bytecode Files

April 29, 2025

In web security, there is a vulnerability class called "arbitrary file write" (AFW), where the attacker can create or overwrite files on the server, which can potentially lead to RCE (Remote Code Execution). For instance, if a web application uses PHP and Apache, an attacker could create a new .htaccess file to gain RCE (a real-world example can be seen in one of my bug bounty findings). In Apache, the .htaccess file is used to make configuration changes on a per-directory basis. However, with the help of an AFW vulnerability, an attacker can add the following rules to tell Apache to treat files with the .txt extension as a PHP script: […]

Tags: Arbitrary File Write, Python

Attempted Research in PHP Class Pollution

February 19, 2025

After reading the Ruby class pollution research from Doyensec and re-reading the blog post about class pollution in Python, I started to think about this research question:

  • If class pollution is possible in Python and Ruby, does that mean other programming languages that support OOP (Object-Oriented Programming) are inherently vulnerable to class pollution? […]

Tags: Class pollution, PHP