Research
In my free time, I search for vulnerabilities in open-source software, web applications, IoT, embedded devices, and for platforms with bug bounty programs. Most of my research to date includes vulnerabilities in web applications such as cross-site scripting, SQL injections, and authentication bypasses. I follow Google’s Project Zero’s disclosure policy when approaching vendors with vulnerabilities. In addition to my research here, I also publish proof of concept exploits on exploit-db and build out more comprehensive exploits on GitHub, such as exploitation frameworks like SendBirdy.
- CVE-2021-38701 Avigilon - Multiple Devices Authenticated Stored XSS
  Category: xss (Sep, 2021)
- CVE-2021-3441 HP Officejet - 'AirPrint' Unauthenticated Stored XSS
  Category: xss (Aug, 2021)
- CVE-2021-35956 AKCP sensorProbe - 'Multiple' Authenticated XSS
  Category: xss (Jun, 2021)
- PHP Timeclock 1.04 - Time & Boolean Based Blind SQL Injection
  Category: SQLi (May, 2021)
- MonkeyType.com - `Self` Cross Site Scripting (XSS) via Word History
  Category: XSS
- BlockFi - Undisclosed Vulnerability
  Category:
- Hinge - Modification of Assumed-Immutable Data
  Category: MAID
- TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection
  Category: SQLi
- Authentication Bypass by Spoofing in Miodec/monkeytype
  Category: Auth Bypass
- MonkeyType.com - Stored Cross-Site Scripting (XSS) via Tribe Chat
  Category: xss