HolyGhost

Clear, detailed breakdowns of known vulnerabilities, attack techniques, and other researchers' work. I did not discover these; I explain them so you can understand how they actually work. Original sources are credited in each post.

Analysis

SolarWinds: When the Trusted Update Was the Attack

Attackers did not break into thousands of networks one by one. They compromised a single software vendor's build process and let the trusted updates carry the backdoor in. A breakdown of the SolarWinds supply chain attack.

8 min read · #solarwinds #supply-chain #backdoor
Analysis

From a URL Field to Cloud Keys: SSRF and the Metadata Endpoint

Server-side request forgery turns a harmless-looking URL input into a way to read a cloud instance's own credentials. Here is how the metadata endpoint becomes the prize, and why IMDSv2 changed the game.

12 min read · #ssrf #cloud #aws
Analysis · CVE-2021-44228

Log4Shell: How a Logging Library Became the Internet's Worst Day

A single attacker-controlled string, once it was logged, could run attacker code on millions of servers. Here is how Log4Shell (CVE-2021-44228) worked, why it spread so far, and what it taught the industry about dependencies.

9 min read · #log4shell #java #rce
Analysis · CVE-2017-5753, CVE-2017-5715, CVE-2017-5754

Spectre and Meltdown: When the CPU's Cleverness Became a Leak

Modern processors guess ahead to go faster. Spectre and Meltdown showed that guessing leaves traces an attacker can read. A plain explainer of speculative execution side channels.

9 min read · #spectre #meltdown #cpu
Analysis

Pass the Hash: Why Stealing the Password Is Optional

In Windows networks, an attacker often does not need your password, just its NTLM hash. Here is how pass the hash works, why it powers lateral movement, and how to break the chain.

9 min read · #pass-the-hash #active-directory #windows
Analysis · CVE-2017-0144

EternalBlue: The Leaked Exploit That Powered WannaCry

How a flaw in an ageing file-sharing protocol (SMBv1), weaponised by a leaked intelligence exploit, spread ransomware across the world in hours. A breakdown of EternalBlue and MS17-010.

8 min read · #eternalblue #smb #windows
Analysis · CVE-2014-0160

Heartbleed: When Asking Nicely Leaked the Server's Secrets

A missing length check in OpenSSL let anyone read chunks of a server's memory, including private keys and passwords. Here is how Heartbleed (CVE-2014-0160) worked and why it was so serious.

7 min read · #heartbleed #openssl #tls
Analysis · CVE-2014-6271

Shellshock: The Bash Bug Hiding in an Environment Variable

For years, Bash would run code smuggled in after a function definition stored in an environment variable. Shellshock (CVE-2014-6271) turned that into remote code execution across a huge slice of the internet.

7 min read · #shellshock #bash #linux
Analysis

Directory Traversal: Escaping the Folder You Were Meant to Stay In

By adding ../ to a file path, an attacker can climb out of the intended directory and read files the application never meant to expose. Here is how path traversal works and how to block it.

9 min read · #directory-traversal #web-security #path-traversal
Analysis

SQL Injection: When Your Input Becomes the Database's Command

SQL injection turns a login box or search field into a way to read, change, or destroy a database. Here is how it works, the flavours it takes, and the one fix that actually stops it.

10 min read · #sql-injection #web-security #databases
Analysis

Buffer Overflows: Writing Past the Edge and Hijacking a Program

One of the oldest and most influential classes of vulnerability. How writing more data than a buffer can hold lets an attacker corrupt memory and seize control, and the defences that now stand in the way.

10 min read · #buffer-overflow #memory-corruption #exploitation
Analysis

Insecure Deserialization: Trusting a Blob of Bytes Too Much

Turning saved data back into live objects sounds harmless. When the data comes from an attacker, it can lead to remote code execution. Here is how insecure deserialization works and how to avoid it.

8 min read · #deserialization #web-security #rce
Analysis

XXE: When an XML Parser Reads Files It Should Not

XML has a feature that lets a document pull in outside content. Point it at a local file or an internal server and a helpful parser becomes a data leak. Here is how XML External Entity attacks work.

9 min read · #xxe #web-security #xml