Paedy
@compr00t.bsky.social
Hacking stuff at https://www.redguard.ch/
So here is my #PoC for #CVE-2024-42327, that actually exploits the vulnerability in order to test if you are vulnerable or not: github.com/compr00t/CVE...
GitHub - compr00t/CVE-2024-42327: PoC for CVE-2024-42327 / ZBX-25623
December 3, 2024 at 1:02 PM
Well, Easytax is a local application and the vulnerability is a client-side XXE, only exploitable locally as correctly declared by the researcher with a CVSS score of 4.6 and AV:L (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:N/SA:L) in CVE-2024-9044.
But hey, easy news, right? (2/2)
November 29, 2024 at 7:53 PM
The #sneakpeek as a video (as you posted it on LinkedIn) looks way more promising than as a picture here 😅
November 27, 2024 at 3:57 PM
Fully agree. And if I had never heard of your idea, this would drive me crazy for sure. But the more it gets known, the less hard I have to think ;-)
November 26, 2024 at 5:06 PM
And you are right, in that case I would fight the WAF first, but how is that different from a classical WAF that responds with RST? I need to bypass that as well before I can exploit anything.
November 26, 2024 at 4:41 PM
For example a legit search request that returns some data. As long as I get the data as a response, the app runs properly. So if I expect stability issues, I would resend the legit request and if data is returned, something is off but def. no stability issue
November 26, 2024 at 4:39 PM
If I wanna find vulnerabilities, I could still do that. I cannot rely on response codes but can still try to exploit something, and if I receive a response similar to the baseline, I bypassed the WAF successfully.
November 26, 2024 at 4:29 PM
Well, for example if I get a 5xx error, I would initially assume stability issues. I would then send the correct request and would expect to get a response similar to the baseline, right?
November 26, 2024 at 4:28 PM
Not sure about the idea, could be quite fun, but once this gets known, it should be rather easy to detect with a bit of baselining, as the legit request still has to work reliably…
November 26, 2024 at 4:02 PM