Posts

AI Isn't Broken. Our Expectations Are.

We've been asking the wrong questions about artificial intelligence — and the answers reveal more about us than the machines.

Everyone's talking about Explainable AI. The idea is simple: if AI makes a decision, we should be able to ask why — and get a real answer. Governments want it. Researchers publish papers on it. Companies promise it. But here's what nobody wants to admit: we're trying to solve a problem that we haven't even properly defined. And the reason we haven't defined it? Because the same problem exists inside every human brain — including the ones building the AI.

The question we can't answer about ourselves

Try this. Ask yourself: why do you like the music you like? You'll come up with something. "It has good energy." "Reminds me of a specific time." "The beat just hits different." But here's the uncomfortable truth — you didn't trace your neurons to find that answer. You constructed a plausible story ...

The Reality of Bug Bounty

Bug bounty programs are frequently presented as a straightforward path for security researchers to contribute to digital safety and earn rewards. However, my extensive experience with platforms such as HackerOne and Bugcrowd has unveiled a more complex and often frustrating reality. This environment, while promising merit-based recognition, often prioritizes political navigation and inconsistent triage over genuine technical contributions, challenging the very foundation of ethical hacking.

Challenges in Meritocracy and Analyst Competence

The core premise of bug bounty—identify a vulnerability, receive compensation—is deceptively simple. My journey, and that of many peers, indicates that technical skill alone is insufficient for success; a significant portion involves navigating the inherent politics of these platforms. A recurring issue is the competence of triage analysts. I have submitted critical security vulnerabilities, including stored Cross-Site Scripting (XSS) on Atlassian and...

My vision for AI

Artificial intelligence is an incredible technology. Its potential to help us is vast—it can help us understand complex topics, learn new skills, and completely transform the way we work. But as with any powerful tool, my concern has never been about the technology itself, but about how it's being used. And right now, I believe it's being used wrongly.

A recent experience brought this into sharp focus. Do you know the YouTuber Enderman? He runs a popular tech channel, and I literally grew up watching his videos; he is the reason I know tech this deeply. For a long time, his content was a huge part of my life—his skills, his humor, his sheer creativity. He was the one who sparked my deep interest in technology, and I genuinely believe his influence is a big reason I'm a security researcher today. But a while ago, something incredibly frustrating happened. His channel was banned by an AI for "violations." Despite numerous appeals, the ban remained. (The channel i...

[XSS, CVE] CVE-2025-68116: Bypassing Security Headers for Critical Stored XSS in FileRise

This post details the technical investigation and disclosure of CVE-2025-68116, a Stored Cross-Site Scripting (XSS) vulnerability in the FileRise application. This vulnerability allowed an attacker to execute arbitrary JavaScript in a victim's browser, including logged-in administrators, by exploiting a flaw in how the application served browser-renderable file uploads, specifically SVG files, via public share links. The issue was particularly notable as it represented a bypass of a prior security mitigation, highlighting the complexity of securely handling user-uploaded content. The vulnerability was ultimately resolved in FileRise v2.7.1.

Vulnerability Summary

The core of the vulnerability lay in the application's failure to consistently apply security headers, which are designed to prevent a browser from rendering a file inline.

CVE ID: CVE-2025-68116
Vulnerability: Stored Cross-Site Scripting (XSS) via Browser-Renderable Uploads (SVG / HTML)
Affected Software: FileRise (ver...

[Stored XSS, CVE] Seafile SVG

While exploring secure image handling in web applications, I came across a stored cross-site scripting (XSS) vulnerability in Seafile, a popular open-source file storage and collaboration platform. This vulnerability allows an attacker to upload a malicious SVG file that executes JavaScript when viewed directly or embedded, potentially compromising user sessions and data.

Summary

Seafile does not adequately sanitize SVG files uploaded by users, allowing arbitrary JavaScript execution when the SVG is accessed via its raw URL. This issue is made more dangerous because the raw vulnerable URL is exposed in the page source and can be shared with other users, leading to widespread XSS.

Proof of Concept (PoC)

1. Log in to a Seafile instance.
2. Upload an SVG file containing embedded JavaScript (e.g., <svg><script>alert(document.domain)</script></svg>).
3. Right-click the uploaded image and select "Open in new tab."
4. The raw SVG URL opens and the JavaScript payload ex...

[Stored XSS] Sync-In

Sync-In is a popular open-source file manager used by many individuals and teams. While exploring its features, I decided to test its security by attempting an XSS (Cross-Site Scripting) attack on the publicly available demo instance.

Steps to Reproduce:

1. Access the Demo Instance. I started by accessing the official demo at https://demo.sync-in.com and logging in using the provided test credentials.
2. Upload an SVG File. Next, I attempted to upload an SVG file containing embedded JavaScript. The upload was successful.
3. Render the SVG. When I opened the file within the application, the SVG was rendered as an image, but the embedded script did not execute.
4. Open in New Tab. Curious, I opened the rendered SVG image in a new browser tab.
5. XSS Triggered. Once opened directly in a new tab, the embedded JavaScript executed, confirming the XSS vulnerability.

Outcome

I immediately reporte...

[BYPASS] IKEv2 Fortinet Misconfiguration

Overview

The target was a Fortinet Next-Generation Firewall (NGFW), a formidable system relying on aggressive Deep Packet Inspection (DPI). Its directive was simple: block all unauthorized tunneling. My objective was proving that its "threat intelligence" had exploitable policy blind spots. Initial attempts with solutions like OpenVPN and WireGuard failed instantly. This was not simple port blocking. The FortiGate performed protocol fingerprinting, immediately recognizing the distinct traffic signatures of these protocols and dropping the connections. Any consumer VPN signature was a red flag. The challenge was confirming and exploiting a predictable policy exclusion. The goal crystallized: Protocol-Based Bypass.

The IKEv2 Differential

Testing revealed the key vulnerability: IKEv2 (Internet Key Exchange version 2) traffic showed inconsistent signs of life while other protocols were instantly terminated. IKEv2 is part of the IPsec suite and is specifically favored for enterpri...