Exploiting an ORM Injection to Steal Cryptocurrency from an Online Shooter
A great example of ORM-injection/leak exploitation: https://blog.p1.gs/writeup/2025/07/06/Hacking-a-crypto-game/
Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
Another great write-up from WatchTowr, this time on a SQL injection to RCE in FortiWeb's Fabric Connector: https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/
Abusing Windows, .NET Quirks, and Unicode Normalization to Exploit DNN (DotNetNuke)
The Assetnote team is back at it with another great find, especially worth reading if you're into C# code review: https://slcyber.io/assetnote-security-research-center/abusing-windows-net-quirks-and-unicode-normalization-to-exploit-dnn-dotnetnuke/
Would You Like an IDOR with That? Leaking 64 million McDonald's Job Applications
You've probably already come across this one, but just in case: https://ian.sh/mcdonalds
Why XSS Persists in This Frameworks Era?
A well-written and detailed analysis of why we still have XSS: https://flatt.tech/research/posts/why-xss-persists-in-this-frameworks-era/