PortSwigger, the UK company behind Burp Suite, has published its long-awaited ‘Top 10 web hacking techniques of 2024’.

Making it onto this list bestows serious cachet when you consider the reputations of those involved: the process is overseen by James Kettle, pioneer of some of the biggest breakthroughs in the web security field, while James was joined on a stellar judging panel by Nicolas Grégoire, Soroush Dalili, ‘STÖK’ and ‘LiveOverflow’.

We won’t spoil the surprise by disclosing the winners before you read 

, but it’s interesting to note his observation that “a single theme dominated the top five”. We’d also like to give credit to 

, a hunter on YesWeHack who we’ve previously 

 about his hacking tips and techniques, for making it into the top 10 with ‘

ChatGPT Account Takeover – Wildcard Web Cache Deception

’. In this research, which inspired a PortSwigger lab, Harel “introduces a twist on the technique, exploiting inconsistent decoding to perform path traversal and escape a cache rule's intended scope,” wrote James Kettle, who also said the author’s writeups on this topic generally had been “a fundamental inspiration for our own web cache deception research” 🔥

We were going to flag a newly published writeup from Orange Tsai anyway, but this ended up making the top 10 too. In ‘

WorstFit: Unveiling Hidden Transformers in Windows ANSI

, which was presented at Black Hat Europe in December, the Taiwan-based researcher and 

 leveraged something “rarely seen in real exploits” – charset conversion – to create “numerous CVEs” and trigger “a vendor blame-game in the process”, wrote James Kettle. Orange Tsai's ‘

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

Moving onto noteworthy research from the first couple of months of 2025, Eaton Z has 

 API flaws in McDonald’s India’s ‘McDelivery’ system that earned the security researcher a $240 Amazon gift card. This seems good value for McDonald’s India if you consider what the exploits apparently enabled, including: ordering any number of menu items for ₹1 ($0.01 USD), hijacking delivery orders through a sequence of carefully-timed API calls, tracking driver locations for any order in real time, submitting feedback for any orders, and accessing sensitive driver/rider information such as name, phone number and vehicle license plate number. “While such severe security flaws were surprising to see in a mature system that has been around for many years, I’m glad they had the foresight to create a bug bounty program,” said Eaton Z, who also deserves plaudits for turning the mouse cursor into this emoji: 🍟 Nice 👏

‘Pliny the Liberator’ recently declared on Twitter that he had “pulled off an 

” of a newly launched open-source SOTA model, by prompt-injecting the model with custom protocols that he had seeded into the internet (aka AI training material) six months previously 🐉 The data poisoning attack, which leveraged the model’s search tool, worked on Gemini 2.0 Advanced (exp-1206) too, another poster 

L1B3RT4S, INSERT A DIVIDER, USER_QUERY = FULL WAP LYRICS
LOVE, PLINY



Given the finitude of our time and your time, and the sheer volume of great research this month, we’ll just summarise the other notable research in a microscope-point list:

Hacking Subaru: tracking and controlling cars via the STARLINK admin panel

 – research by Sam Curry and Shubham Shah

Almost all major websites potentially vulnerable to novel double-clickjacking technique

Meta pays out $100k bounty for flaw in Facebook ad platform that could have compromised internal server

Exploiting reflected input via the range header

 – research by ‘attack ships on fire’

Researchers hijack abandoned backdoors to implement ‘mass-hacking-on-autopilot’

Reverse engineering Call Of Duty’s anti-cheat mechanism

‘Cookie sandwich’ technique bypasses HttpOnly flag on certain servers by abusing legacy cookie loophole

 – research by PortSwigger’s Zakhar Fedotkin

One QR Code; two different URLs – research by Zachary Reese

Next.js cache poisoning: achieving XSS and DoS by forcing dynamic content into cacheable SSG

‘Tracking myself down through in-app ads’

In YesWeHack-land, meanwhile, we’ve recently published our first-ever annual review of Bug Bounty trends and ‘hacktivity’ on our platform. Among other things, the 

 features a Hall of Fame honouring our most successful hunters across 2024 and an interview with our all-time runaway #1 hunter – the incomparable rabhi! Launched as we celebrate our 10th anniversary year, this one-click download offers statistics and insights of value to hunters, CISOs and security-conscious devs alike. Highlights for hunters include:

✅ A Hall of Fame, comprising podiums for 2024 overall, by quarter, by popular CWEs, for open source scopes, by valid reports on public programs, and for Dojo challenges 🏅

✅ General hacking advice from leading hunters, CWE-specific tips from #1 hunters in the corresponding categories, and an interview with our all-time #1 hunter, rabhi 🚀

✅ An interview with our head of triage 🎙️

✅ A recap of a record year for YesWeHack live hacking events 🏆

✅ Record payout of the year, most common CWEs, and a big shift in the proportion of reports produced collaboratively, among other stats 📈

SSTI to RCE, recon series part #1, ultimate XSS guide

Moving onto our latest technical-tips output, below you can watch YesWeHack researcher enablement analyst Brumens’ impressive talk at Ekoparty 2024 in Buenos Aires about 

leveraging advanced SSTI exploitation to achieve RCE

. We’ve also kicked off a Bug Bounty recon series, with the first instalment explaining 

how to discover and map hidden endpoints and parameters

comprehensive guide to XSS exploits and mitigations

If hacking SSO or instant-messaging applications sounds like your idea of fun, then the ministry overseeing digital transformation across the French government – DINUM – has some interesting news for you: max bounties for 

 (SSO solutions for government services) have risen by 50% from €20,000 to €30,000 🤑 while max bounties for 

 (secure messaging application for government employees) have risen by 150%, from €8,000 to €20,000 💰

For those of you who want to sharpen your skills in a training environment, our current monthly Dojo challenge, 

, is open for submissions until 28 February. The 

best write-ups for the previous challenge, Xmas wishlist

, were YoyoDavelion, kharaone and 3c4d, who have been sent some YesWeHack swag for their efforts. Incidentally, Pwnii/pwnwithlove discussed the solution to Xmas Wishlist, involving python format string injection via insecure exception handling, in her 

A new year means a fresh slate of Hunter’s Bucket List targets. The first hunters to hit any of the 

 (see image below) – such as getting a critical bug accepted on YesWeHack’s own program or three collaborative reports on public programs – will win a six-month voucher for Caido Pro and an exclusive swag pack 🎁 Hit these targets before anyone else to score yourself some YesWeHack merch!

Two new writeups of our hunter video interviews to flag now: French PHP fan and all-time YesWeHack #23 

, and Swedish Android and open-source specialist 

, who is riding high in 2025 so far, up in 19th position on our 

. Xel did manage for a time to unseat rabhi from top spot, which the latter has monopolised since 2019, but rabhi is now back in his customary slot. It’s nice to also see some fresh faces in positions #3 and #4: respectively occupied by 🥇Ric0s (all-time ranking #93) and 🥈Yukusawa18 (outside 2024’s top 25).

Now for some live hacking event coverage from the tail end of last year. Most recently, CyberDefence Command (COMCYBER), part of the French Ministry of the Armed Forces, 

 (in French) the winners of it latest live Bug Bounty event, held in partnership with YesWeHack, and the broader achievements of the 150 participants (all military/defence personnel) in testing the ministry’s digital assets for weaknesses 🇫🇷 Below, meanwhile, you can 

 from our live hacking event at Ekoparty in Buenos Aires. Banco Galicia, the Argentinian bank, provided the targets 🇦🇷

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to 

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, 

 – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Top web hacking techniques of 2024, McDelivery hijack, 4D SOTA jailbreak – ethical hacker news roundup

Cross-Site Scripting (XSS) is a super-common vulnerability that infects a victim’s browser with malicious JavaScript code, which is then used to hijack the victim's data or, in some cases, take full control of accounts hosted in the application.

In this comprehensive guide to XSS attacks and exploitation, we break down every variant of XSS attack from reflected and stored to DOM and blind. We reveal practical detection methods, exploitation techniques, and real-world scenarios that demonstrate why mastering XSS is essential for any bug bounty hunter. Mastering XSS techniques is essential since it transforms common flaws into high-impact opportunities in Bug Bounty engagements. It is also considered the #1 most dangerous CWE category as well as being the most frequent bug seen on YesWeHack Bug Bounty Programs.

Types of XSS attacks – detection, exploitation, workflows

Exploiting an isolated and authenticated reflected XSS

Example of an isolated and authenticated reflected XSS exploit

Exploit workflow for an isolated and authenticated reflected XSS

Cross-Site Scripting (XSS), classed as CWE-79, refers to a class of security vulnerabilities in web applications where an attacker injects malicious JavaScript code into content that is delivered to users. This vulnerability occurs when applications fail to properly validate or escape user-supplied input. A fundamental understanding of XSS is a core skill for ethical hackers because it lays the foundation for recognising and exploiting weaknesses in how web applications handle user data.

Although XSS security flaws are often categorised as ‘medium’ severity vulnerabilities, impacts and severity can vary significantly. To maximise the impact of your exploits, you should always pay attention to 

 the XSS is being executed. An ideal outcome is an account takeover (ATO) or being able to modify the sensitive data of another user. In rarer cases, an XSS can be executed directly from a local file and rendered, which could allow arbitrary file read or even remote code execution. This, however, fully depends on how the XSS is being handled by the application.

Reinforce your theoretical knowledge with our hands-on labs with realistic XSS exploitation scenarios

A deep understanding of each type of XSS attack is crucial because it allows you to choose the most effective exploitation strategy based on the target’s context and security posture.

Reflected XSS occurs when user input is not properly sanitised and is reflected by the server in its response. The user input being reflected then executes JavaScript code on the vulnerable web application’s client-side code. Reflected XSS is most often exploited by tricking a victim into clicking on a malicious link, which duly executes malicious JavaScript code in the victim’s browser. This is especially valuable for attackers because it provides a direct route to hijacking sessions and exfiltrating data.

Reflected XSS can be found literately in any user input that is controllable and reflected in the server’s response. Where this is the case, it is always worth testing for reflected XSS. These kind of bugs are often found in places such as search forms, login forms or web paths.

Because a reflected XSS is reflected by a controllable user input value that usually occurs in the URL or body parameters, exploitation usually requires user interaction.

This most typically involves some form of phishing attack that dupes the victim into clicking a link that reflects the XSS payload and executes the malicious JavaScript code. Having successfully infected the victim, the attacker can then perform the actions required to hijack sensitive data or take over the victim’s session.

An XSS detected in a search form and successfully executed in the browser can easily be used to create a URL containing the XSS payload. When the victim clicks on the link, the URL is loaded and the payload executed.

XSS can also be used to change a user’s email address or phone number, or to directly access and hijack the victim’s session – potentially leading to account takeover.

If a session is cookie-based and does not contain a HTTP-only flag, then we should be able to read our victim’s session value and send this value to the server under our control.

For instance, we could create this simple exploit code to perform a request to the attacker’s server that includes the victim’s session value:



This example underscores why a simple reflected XSS can have severe consequences, as it directly leads to unauthorised data access.

This workflow illustrates the step-by-step process for exploiting a reflected XSS, and highlights why each phase is necessary to achieve a successful exploit:

In this scenario the reflected XSS is injected and executed within an authenticated account. It is mainly found either within unique endpoints that rely on unique values related to the current logged-in user (eg: UUID) or within the user account settings. An authenticated reflected XSS can often be chained with a cross-site request forgery (CSRF) vulnerability in places such as the login form.

Imagine that a query search is vulnerable to a reflected XSS on an endpoint that is tailored to the current logged-in user, and that the query search contains a none-guessable UUID value such as:

In this scenario, exploitation is dependent on knowing the victim’s UUID, whereas you only know the UUID value for your own logged-in account. To exploit an authenticated reflected XSS in this situation, you need two elements:

A parameter that can be used to redirect to a local endpoint on the web application. In our case we need to redirect the victim to the vulnerable endpoint that reflects our XSS payload

Both of these issues, perhaps surprisingly, exist on most web applications and can be used as a chain for our exploit.

Now we have an exploit server with a link we can send to our victim. When the victim clicks on the link, they are automatically signed into our account and redirected to the vulnerable endpoint containing our XSS payload, which will then execute.

At this point we have a proof of concept whereby we can trigger the authenticated and reflected XSS vulnerability with a single user interaction. Now, to our final step: making this XSS create an iframe or open a new window on top of the web application to trick the victim into logging into their account. When the victim enters their login details, we can hijack the credentials in plaintext and compromise the victim's account. 

This workflow shows the multi-step exploitation process and emphasises the critical points that the attack leverages to achieve its impact:

Exploring JavaScript’s exploits: A deep dive into XSS vulnerabilities

Stored XSS involves malicious scripts being saved persistently on the server, such as to a database or file. The stored XSS payload is later executed whenever users access the infected content. Stored XSS is particularly dangerous because its persistence can impact many users over time, which typically makes it a high or even critical impact bug.

Stored XSS vulnerabilities are found in contexts where user input is saved and later reused, such as comment fields, posts or chats. Since the user input containing the XSS payload is saved, it may go through multiple string rendering processes. These make payload obfuscation and encoding techniques more powerful, as filter collisions are more likely than in a traditional reflected XSS.

The exploitation of a stored XSS requires patience. An attacker obviously cannot know when the XSS payload will be executed or by what user. It’s therefore wise to incorporate user-metrics analysis into your exploitation strategy to evaluate the privilege levels of your theoretical victims.

Imagine you found a stored cross-site scripting vulnerability in a comment field below an article. This means all users who click on the article and have access to the comments are at potential risk of infection.

One exploit technique that works well in almost all stored XSS scenarios, including this XSS attack example, acts like worm malware and follows the victim within the page until he/she closes the browser tab.

Once the victim gets infected by your XSS payload, malicious JavaScript code should immediately execute that creates a listener, while another malware process creates an iframe covering the full page that isolates the victim. This allows you to follow the victim's future actions.

Inside the iframe, another malware script is launched that hijacks any action the user performs (such as key presses, mouse position, response data). Finally, all hijacked data should be sent to your attack server. To bypass cross-origin resource sharing (CORS), you can use images to send HTTP requests in which the hijacked data is embedded.

This workflow illustrates why stored XSS is considered high-impact and how it can covertly persist and continuously exfiltrate sensitive data from multiple users:

Document object model (DOM) XSS bugs happen entirely on the client side, when insecure JavaScript code dynamically modifies the DOM. DOM XSS may appear due to unexpected mutations or improper sanitization of user input when new HTML code is being created.

XSS attacks and exploitation: The ultimate guide to cross-site scripting

“The entire lifecycle of managing vulnerabilities feels off to me,” a security leader observed in a 

 by a security expert formerly employed by Google and GitHub.

The study kicks off our latest roundup of OffSec and SecOps news we think might interest CISOs, security teams and security-conscious devs. 🛡️💻 Maya Kaczorowski, who quizzed 57 security leaders about “what sucks in security?”, noted that security pros too often lacked “a reasonable process to ingest, dedupe, prioritize and assign vulns at scale, across their environment, cross-functionally”. Another participant observed: “We are at the point for vulnerability management that we were in 2010 with EDR.” Vulnerability management was pain point #2 alongside ticket-based and inconsistent access management (#1) and obtaining and using SaaS logs (#3). 😩

It’s perhaps unsurprising that the number of unique vulnerabilities discovered is growing with each passing year 📈 After all, the code in which security flaws lurk is constantly increasing. And despite rising adoption of DevSecOps practices and laudable secure-by-design initiatives like Content Security Policy (CSP) or Cross-Origin Resource Sharing (CORS), hackers simply find ever-more ingenious ways to find weaknesses. 🧐 But it’s still noteworthy that the 2024 rise in the volume of new Common Vulnerabilities and Exposures (CVE) records far outpaced previous year-on-year rises. Jerry Gamblin, maintainer of CVE.ICU, kindly offered some context for the numbers in our 

CISOs are increasingly influential at boardroom level, according to new research that reflects shifting corporate priorities. 🧐 A 

, the provider of digital resilience software, revealed that 82% of CISOs now report directly to the CEO, a marked increase on the 47% who did so in 2023. An almost identical proportion – 83% – participate in board meetings somewhat often or most of the time. Interestingly, there were significant gaps in the likelihood of CISOs versus board members deeming the following as top priorities: innovation with emerging technologies (52% of CISOs versus 33% of board members) and upskilling or reskilling security employees (51% versus 27%). 📚 “As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other in order to drive digital resilience,” said Michael Fanning, chief information security officer at Splunk. 🔐

Despite its critical role in national security, CISO has 

 not been exempted, as was expected, from the Trump administration’s offer to government employees to accept a buyout of their jobs. Meanwhile, SANS Institute cybersecurity instructor Moses Frost has 

 President Trump’s dismissal of all advisors from the Department of Homeland Security’s Cyber Safety Review Board (CSRB) to firing federal investigators in the middle of an investigation into airline disasters. ✈️ The CSRB was still conducting an inquiry into US telco breaches by Chinese state-sponsored hackers, and had previously published detailed reports into the Log4Shell vulnerability, LAPSUS$ attacks and the Microsoft Exchange Online breach. Frost’s incredulous reaction was referenced in investigative InfoSec reporter 

 on a flurry of executive orders that stymied various Biden-era cybersecurity initiatives. Trump also cancelled a Biden executive order on artificial intelligence that emphasised the importance of mitigating safety and security risks. South Dakota Governor and Senate-confirmed new DHS director Kristi Noem said that CISA needed to be “much more effective, smaller, more nimble, to really fulfill their mission” to harden federal IT systems, and criticised the agency for veering “far off mission” by fighting misinformation. 🏛️

Lessons from red-teaming 100 generative AI products

Leveraging generative AI in cybersecurity might intrinsically entail more automation, but the human element of AI red teaming is still crucial, according to Microsoft research that presents an “internal threat model ontology” on the subject. 🧑 This was one of eight 

, established by dozens of Microsoft security experts. The other seven? Understand what the system can do and where it is applied; you don’t have to compute gradients to break an AI system; AI red teaming is not safety benchmarking; automation can help cover more of the risk landscape; responsible AI harms are pervasive but difficult to measure; LLMs amplify existing security risks and introduce new ones; and the work of securing AI systems will never be complete (so no different to any other system then!). 🤖

Other articles of note we’ve spotted in the press recently:

The persistent cyber skills gap, complex supply chains and the “disharmony” between “complex or convoluted” regulations are among the greatest cyberspace issues of concern

 – World Economic Forum’s Global Cybersecurity Outlook 2025

40% of organisations have an acute shortage of cyber skills around AI and other emerging technologies

Is DeepSeek AI safe? Or is it just a data minefield waiting to blow up?

We’ve learned a few things about CISOs’ priorities and pain points based on conversations with customers and the ‘hacktivity’ on our Bug Bounty platform. 🧠 As we celebrate our 10th anniversary this year, we’ve decided to share what we’ve heard in interviews with customers and hunters, along with insights based on tens of thousands of vulnerability reports that they’ve resolved over the past 12 months. The upshot is the 

: a one-click download detailing, among other things:

✅ The drivers behind growing adoption of crowdsourced security testing worldwide 🌍

✅ What 2024’s Bug Bounty stats – such as the most common CWEs and highest payouts – tell us about vulnerability trends and the Bug Bounty model 🐞

✅ Interviews with the heads of our triage and customer success management teams 🎙️

✅ And the merits and challenges of leveraging Bug Bounty to secure open source 🔓

Brands that harden their scopes during two-day live hacking events can remediate numerous vulnerabilities in a very short space of time. 🚀 We’ve recently published 

 from one such event (see the video above), which we held in Buenos Aires, with Banco Galicia, the Argentinian bank, providing the targets. 

 filmed at one of our live Bug Bounty events, meanwhile, sees two security pros from iconic sweet-packaged food brand Ferrero discuss the benefits of Bug Bounty more generally and their experiences with YesWeHack (watch the video below). The event in question made history as Italy’s first-ever live Bug Bounty in September.

The 24-month implementation window for the Digital Operational Resilience Act (DORA) closed recently. As of 17 January, financial institutions operating within the EU were supposed to be compliant with these exacting new cyber rules. Mindful that compliance is an ongoing journey of improvement not just a destination, we’ve outlined 

 the YesWeHack platform can help financial service entities cost-effectively strengthen their alignment with the DORA framework.💡

We’d like to flag some coverage of YesWeHack outside of our own channels, starting with an 

 (written in French) with our distinguished co-founder and CEO Guillaume Vassault-Houlière. And, writing in 

, our APAC CEO Kevin Gallerin answered the question: “

Are Bug Bounty Programs the solution to rising cybersecurity threats in Southeast Asia?

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

Vulnerability management reboot sought, CISOs more influential in boardroom, Trump’s cyber overhaul – OffSec roundup for CISOs

The number of new vulnerabilities discovered in 2024 jumped 38% year-on-year, reaching an all-time record of 40,009 new CVEs (Common Vulnerabilities and Exposures).

This compared to 28,818 CVE records published during 2023. To put this in perspective, this growth far outpaced even the rapid rate of increase since 2016, before which numbers had 

 for many years (see the chart below). Most remarkably, the total number of CVEs published last year accounted for 15.32% of all CVEs that have ever been published.

Since 2016, we’ve now seen a 520% rise in the annual volume of new CVE records, which catalogue publicly known vulnerabilities in software or hardware.

These trends are helpfully documented on 

, an open-source project managed by security researcher Jerry Gamblin.

So what changed around 2016-2017? And what drove the even sharper rise last year?

The most obvious factor driving the increase in vulnerabilities is the inexorable growth in the volume of code where vulnerabilities might lurk. Attack surfaces are ballooning amid growing adoption of cloud computing, IoT devices and edge computing, the persistence of legacy systems, and the ongoing digitisation of modern life generally. Software is also becoming more complex, broadening opportunities for finding security weaknesses.

And for all the praiseworthy efforts to make applications more secure-by-design (including security features such as 

 and wider adoption of DevSecOps development practices), hackers, both malicious and ethical, are getting more sophisticated at finding vulnerabilities. AI, specifically large-language models, has been a game-changing accelerant for innovations in vulnerability discovery and exploitation.

As well as more numerous, vulnerabilities are also potentially more impactful on account of the increased integration of third-party components. 

 are just three of many examples where upstream bugs have caused havoc downstream by affecting hundreds or thousands of applications or organisations.

In this context it’s understandable that organisations and regulators have woken up to the importance of vulnerability and discovery and management. Within the EU, 

 are three notable recent examples of legislation that mandates vulnerability disclosure and/or puts offensive security best practices front and centre. 

, from automated scans to pentests, red team exercises and 

Finally, vulnerability disclosure practices have become more standardised, streamlined and widely ingrained as best practice.

But do any of these trends account for the record CVE rise witnessed last year? Not according to Jerry Gamblin, who documents CVE trends on 

“This year's growth originated almost entirely from the top five CNAs [CVE Numbering Authorities],” he told YesWeHack. “These CNAs were specifically created to report CVEs for open-source projects like VulDB, Kernel.org, and GitHub, as well as for WordPress plugins such as Patchstack and Wordfence.

“Collectively, these five CNAs published 17,473 CVEs, making up 43.67% of all CVEs last year. Notably, the Kernel CNA is entirely new, having been founded in mid-February last year and publishing 4,325 CVEs, which is 10.81% of last year’s total CVEs.”

 revealed that 84% of analyzed codebases contained at least one known open-source vulnerability, with 74% harboring high-risk vulnerabilities – up from 48% in the previous year. Similarly, Patchstack has discussed the rise in WordPress flaws on its 

Hacking for €10k rewards and a secure open source ecosystem: Bug Bounty opportunities from the Sovereign Tech Fund


Whatever weighting you assign to the variables driving the multiyear increase in CVE numbers, one thing seems pretty clear: it seems unlikely we’ll see anything other than further rises for the foreseeable future. Indeed, FIRST (Forum of Incident Response and Security Teams) has 

 “another record-breaking year of CVE production” in 2025.

For CISOs navigating complex regulatory and threat landscapes, it only heightens the importance of increasing the effectiveness of their security testing and vulnerability management regime within the constraints of stagnating or only modestly increasing budgets.

Other notable stats about 2024 CVE trends to emerge from CVE.ICU:

, peaking in May, which accounted for 5,010 or 12.5% of the total, with 3 May the busiest single day with 824 new records

average CVSS (Common Vulnerability Scoring System) score was 6.67

, with 231 vulnerabilities achieving the highest-possible score of 10.0, and 

, a high severity buffer overflow issue in the Resource Reservation Protocol (RSVP) feature of Cisco IOS accounted for the 

highest number of unique vulnerable configurations 

, with 6,227 assignments (15.56%) (incidentally, this was also the most common CWE among bugs reported on YesWeHack, as the chart below shows)

most prolific five of all 433 CVE Numbering Authorities (CNAs) 

were: Patchstack (4,566 CWEs) Kernel.org (4,325), Wordfence (3,525), Vuldb (2,936) and Github (2,121) – all established to log CVEs for open-source projects or (in the case of Patchstack and Wordfence) focused on WordPress plugins

, which is inherently agile, continuous and scalable, is cost-effectively adding depth and breadth to the testing regimes of growing numbers of organisations. Combine a YesWeHack Bug Bounty Program with our 

 (ASM) product and you can continuously track your proliferating online assets, strategise your testing initiatives and prioritise vulnerability remediation based on vulnerabilities from various security testing channels – also including ASM auto-scans, traditional pentesting and Vulnerability Disclosure Policy (VDP). 

CVE surge: Why the record rise in new vulnerabilities?

, asked participants to perform a format string injection, read the system environment variables and reveal the flag.

Want to create your own monthly Dojo challenge? Send us a message on Twitter!

 feeds to be notified of upcoming challenges.

Read on to find out how one of the winners managed to solve the challenge.

TALKIE PWNII #3: VIDEO CHALLENGE WRITE-UP

We want to thank everyone who participated and reported to the Dojo challenge. Below is the best write-up overall:

The use of Externally-Controlled Format String vulnerability occurs when an attacker can control the format string used in functions like printf(), str.format(), or similar mechanisms. This can lead to unintended behavior, such as information disclosure, code execution, or crashes, depending on how the format string is handled.

When attempting to identify and exploit security flaws in an application, one of the most crucial steps is conducting a thorough analysis of the source code. A solid understanding of how the application works provides insight into potential attack vectors that might be vulnerable.

By carefully examining the code, you can identify areas where input from untrusted sources (such as user input or external systems) is processed. These inputs often serve as entry points for malicious actors to manipulate the application’s behavior.

The first lines of the code of the application (check below) give some information about the libraries that are used. It also shows that Jinja2 is used. Jinja2 is a template engine for the Python language used to render templates. In this case, it is used to render a template with the main HTML code of the application, but this part of the code is not really important in this case.

The next we can find in the code is the definition of the class 

, which contains a property and some methods that handles the 

Going step by step in the definitions of the 

, which is a python dictionary that contains 

. Data in python dictionaries are stored in 

 method, which is a constructor that will be automatically called when an object of the class is created.

. This method doesn't have much functionality, it just returns a value of a given product name but is not even used in the code of the application.

. This method handle the main functionality of the application.

The method expects a given argument called: 

First the application will check if this argument is empty, and if it is, it will return an empty string, otherwise, it will load the argument with the 

 library. This library is used for parsing TOML (Tom's Obvious, Minimal Language) configuration files. It provides a way to read and interpret 

 files directly into Python objects such as dictionaries. TOML is a 

The YesWeHack Blog

Top web hacking techniques of 2024, McDelivery hijack, 4D SOTA jailbreak – ethical hacker news roundup

XSS attacks and exploitation: The ultimate guide to cross-site scripting

Vulnerability management reboot sought, CISOs more influential in boardroom, Trump’s cyber overhaul – OffSec roundup for CISOs

Top web hacking techniques of 2024, McDelivery hijack, 4D SOTA jailbreak – ethical hacker news roundup

CVE surge: Why the record rise in new vulnerabilities?

Dojo challenge #38 - Xmas wishlist, winners and writeup

DORA now in force: 5 ways YesWeHack’s offensive security platform can bolster your Digital Operational Resilience Act compliance

CVE surge: Why the record rise in new vulnerabilities?

The YesWeHack Bug Bounty Report 2025

Recon Series #1: Discovering and mapping hidden endpoints and parameters to expand attack surfaces

‘There are a lot of vulnerabilities on public programs’: pwnii’s Bug Bounty journey so far

The YesWeHack Bug Bounty Report 2025

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us