Eugene LiminCSG @ GovTechAll Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021–38646)From fuzzing to exploitOct 22, 2021Oct 22, 2021
Eugene LiminCSG @ GovTechAll Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035)How I got started in vulnerability research from dumb fuzzing to code review.Sep 17, 20211Sep 17, 20211
Eugene LiminCSG @ GovTechLife’s a Peach (Fuzzer): How to Build and Use GitLab’s Open-Source Protocol FuzzerThe end-to-end application of Peach Fuzzer, from build, to deployment, to vulnerability discovery.May 21, 2021May 21, 2021
Eugene LiminCSG @ GovTechSupply Chain Pollution: Discovering a 16 Million Download/Week npm Package Zero DayWhile building a CTF challenge for GovTech, I found prototype pollution vulnerabilities affecting millions of users in the supply chain.Dec 23, 2020Dec 23, 2020
Eugene LiminCSG @ GovTechImposter Alert: Extracting and Reversing Metasploit Payloads (Flare-On 2020 Challenge 7)A detailed walkthrough of my challenge experience at FireEye’s seventh annual Flare-On CTF competition.Dec 3, 2020Dec 3, 2020
Eugene LiminThe StartupOpen Sesame: Escalating Open Redirect to RCE With Electron Code ReviewIt’s Node’s World — We Just Live In ItAug 14, 2020Aug 14, 2020
Eugene LiminCSG @ GovTechWeaponising Unicode for Fun and ProfitPlus a tool and tips for defenders.Jul 15, 2020Jul 15, 2020
Eugene LiminCSG @ GovTechClosing the Loop: Practical Attacks and Defences for GraphQL APIsWhile GraphQL provides greater flexibility and power over traditional REST APIs, it can increase the attack surface for vulnerabilities.May 6, 2020May 6, 2020