Simon Koeck
Security researcher and developer. I find vulnerabilities and write about them.
Recent writeups
high / h3
One Uppercase Letter Breaks Every Nuxt App
h3 powers every Nuxt app but only recognized 'chunked' in lowercase. Send 'ChunKed' instead and you get request smuggling.
critical / Tolgee
Reading /etc/passwd via Translation Upload in Tolgee
Tolgee's XML translation importers ship with zero security config. Upload a crafted file, read anything from the server. Confirmed on their cloud platform.