Hi, I'm Duarte

This is where I share cool stuff that I stumble upon on my ethical hacking journey

  • Cross-Site Scripting (XSS) in Go

    Guessing unknown MIME types

    Posted on March 31, 2024

    The other day I was investigating the findings of a certain SAST scanner for a Go project. In particular, I was analyzing the Reflected Cross-Site Scripting (XSS) results. At first glance, one of these results looked like a True Positive (TP) — it was writing a partially user-controllable value directly... [Read More]

  • Arbitrary Code Execution in Pillow

    CVE-2023-50447

    Posted on January 2, 2024

    During Checkmarx’s Research Group routine activities, we often conduct security assessments on open-source technologies to refine both our tools and our skillset. During one of these activities, I identified a Critical vulnerability in Pillow. It is present in the PIL.ImageMath.eval function, in versions up to and including 10.1.0. This vulnerability... [Read More]
    Tags: