Eugene LiminCSG @ GovTechAll Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021–38646)From fuzzing to exploit16 min read·Oct 22, 2021----
Eugene LiminCSG @ GovTechAll Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035)How I got started in vulnerability research from dumb fuzzing to code review.14 min read·Sep 17, 2021--1--1
Eugene LiminCSG @ GovTechLife’s a Peach (Fuzzer): How to Build and Use GitLab’s Open-Source Protocol FuzzerThe end-to-end application of Peach Fuzzer, from build, to deployment, to vulnerability discovery.11 min read·May 21, 2021----
Eugene LiminCSG @ GovTechSupply Chain Pollution: Discovering a 16 Million Download/Week npm Package Zero DayWhile building a CTF challenge for GovTech, I found prototype pollution vulnerabilities affecting millions of users in the supply chain.7 min read·Dec 23, 2020----
Eugene LiminCSG @ GovTechImposter Alert: Extracting and Reversing Metasploit Payloads (Flare-On 2020 Challenge 7)A detailed walkthrough of my challenge experience at FireEye’s seventh annual Flare-On CTF competition.11 min read·Dec 3, 2020----
Eugene LiminThe StartupOpen Sesame: Escalating Open Redirect to RCE With Electron Code ReviewIt’s Node’s World — We Just Live In It7 min read·Aug 14, 2020----
Eugene LiminCSG @ GovTechWeaponising Unicode for Fun and ProfitPlus a tool and tips for defenders.5 min read·Jul 15, 2020----
Eugene LiminCSG @ GovTechClosing the Loop: Practical Attacks and Defences for GraphQL APIsWhile GraphQL provides greater flexibility and power over traditional REST APIs, it can increase the attack surface for vulnerabilities.9 min read·May 6, 2020----