Zeyu's Infosec Blog

👋 This is where I write about information security!

~# whoami

I love to build and break things. Cybersecurity is one of the many fields I'm passionate about.

You can learn more about me from my personal website.

~# ls -la 2023

My first hacker summer camp experience 🏖️

Turning cross-site leaks (XS-Leaks) into "same-site leaks" using the object element to get around SameSite cookies. Nested objects, lazy loading and responsive images help us to conditionally perform callbacks based on HTTP response status codes.

From insufficient security fixes to ReDoS, regular expressions are hard to get right. Yet, they are integral to modern software security and development. Hopefully this article helps you avoid common pitfalls before it's too late!

While participating in a bug bounty programme, I stumbled upon a (surprisingly, somewhat known) XSS vulnerability in the Readium cloud reader that affects many university websites and online libraries.

~# ls -la 2022

HTTP request smuggling is a vulnerability which arises when web servers and proxies interpret the length of a single HTTP request differently. While basic techniques have been known since 2005, renewed research interest in HTTP request smuggling in recent years have uncovered many new bugs in popular web proxies and servers.

Nowadays, novel HTTP request smuggling techniques rely on subtle deviations from the HTTP standard. Here, I discuss some of my recent findings and novel techniques.

My experience in hosting SEETF 2022, and lessons learnt.

SEETF is a cybersecurity Capture the Flag competition hosted by the Social Engineering Experts CTF team. We were pleased to host our inaugural competition in 2022, which saw over 2,000 participants and 1,200 teams. Of these teams, 740 solved at least one challenge.

Last updated