
Behind the Firewall ft. Stu Skove
Sometimes the biggest threats are the ones you can’t see.
During a recent penetration test, Stu Skove uncovered a vulnerability that shows how a single unsanitized parameter can collapse the line between app security and full infrastructure compromise.
At first glance, the app looked solid—no obvious issues. But deep in a file download workflow, two parameters were passing user input straight to the OS.
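The pattern described above, reconstructed as an added example (this is illustrative code, not the application Stu tested): a download handler that interpolates two request parameters into a shell command, beside a hardened version that allow-lists both parameters, never involves a shell, and confirms the resolved path stays inside the export directory. The parameter names, the export path and the tar invocation are assumptions made for this example.

```python
import re
import subprocess
from pathlib import Path

# Constructed illustration (not the application from the post): a file
# download endpoint takes two request parameters, "name" and "format",
# and uses them to build an archive on the fly. Paths and the tar
# invocation are assumptions made for this example.
EXPORT_ROOT = Path("/srv/app/exports")


def download_vulnerable(name: str, fmt: str) -> bytes:
    """The anti-pattern: both parameters are interpolated into a single shell
    string. With shell=True, characters such as ';', '|', '&', '$(...)' and
    backticks are interpreted by /bin/sh, so either parameter can carry an
    extra command. Its output is not returned to the client, which is what
    makes the injection 'blind': nothing in the HTTP response changes."""
    cmd = f"tar -c{fmt}f - -C {EXPORT_ROOT} {name}"
    return subprocess.run(cmd, shell=True, capture_output=True).stdout


# Hardened version: allow-list both parameters, never involve a shell, and
# confirm the resolved path stays inside the export root.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
FORMAT_FLAGS = {"gzip": "z", "bzip2": "j", "xz": "J"}


def build_download_argv(name: str, fmt: str, root: Path = EXPORT_ROOT) -> list[str]:
    """Validate the two parameters and return an argv list for subprocess.
    Raises ValueError on anything outside the allow-lists."""
    if not SAFE_NAME.fullmatch(name):
        # Rejects path separators, leading dots, whitespace and every shell
        # metacharacter, so "../" traversal and "; cmd" injection both fail here.
        raise ValueError(f"invalid file name: {name!r}")
    if fmt not in FORMAT_FLAGS:
        raise ValueError(f"unsupported format: {fmt!r}")
    target = (root / name).resolve()
    if target.parent != root.resolve():
        # Defence in depth: even if the regex were loosened later, the path
        # must still resolve to a direct child of the export directory.
        raise ValueError("path escapes export root")
    # Each element is a separate argv entry; no shell ever sees the input.
    return ["tar", f"-c{FORMAT_FLAGS[fmt]}f", "-", "-C", str(root), name]


def download_hardened(name: str, fmt: str, root: Path = EXPORT_ROOT) -> bytes:
    """Same functionality as download_vulnerable, without a shell in the path."""
    argv = build_download_argv(name, fmt, root)
    return subprocess.run(argv, shell=False, capture_output=True, check=True).stdout
```

The regex does most of the work; the `resolve()` check exists so that a later relaxation of the allow-list (say, to permit subdirectories) cannot silently reintroduce traversal. Passing `argv` as a list means the operating system receives each parameter as a distinct argument, so there is no string for metacharacters to act on.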
The danger? It was blind. No errors, no output, no UI indicators. Exploitation left zero traces. To confirm execution, Stu used Burp Collaborator for out-of-band payloads that triggered DNS lookups and outbound traffic. When the Collaborator server received the DNS lookups and HTTP requests generated by injected nslookup, dig, and curl commands, OS-level execution was confirmed.
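"Blind" describes the application's response, not the host. The injected commands still show up as child processes of the web worker and as resolver queries from the application host, and both are detectable. The following is an added example (not from the post or the engagement) of two detection rules run over constructed telemetry: process-execution events in an EDR/auditd-like shape and DNS query logs. Hostnames, process names and domains are made up; `.example.net` stands in for an attacker-controlled callback domain.

```python
import json
from collections import defaultdict

# Constructed telemetry for this example (not from the post): process
# execution events shaped like an EDR or auditd feed, and query logs from
# the resolver used by the application hosts. Hostnames and domains are
# made up; ".example.net" stands in for an attacker-controlled callback domain.
PROCESS_EVENTS = [
    '{"ts":"2024-05-01T10:00:01Z","host":"web-01","comm":"python3","ancestry":["systemd","gunicorn"],"uid":0}',
    '{"ts":"2024-05-01T10:00:07Z","host":"web-01","comm":"tar","ancestry":["systemd","gunicorn","python3","sh"],"uid":0}',
    '{"ts":"2024-05-01T10:00:07Z","host":"web-01","comm":"nslookup","ancestry":["systemd","gunicorn","python3","sh"],"uid":0}',
    '{"ts":"2024-05-01T10:00:09Z","host":"web-01","comm":"curl","ancestry":["systemd","gunicorn","python3","sh"],"uid":0}',
    '{"ts":"2024-05-01T10:05:00Z","host":"ops-01","comm":"curl","ancestry":["systemd","sshd","bash"],"uid":1001}',
]
DNS_LOGS = [
    "2024-05-01T10:00:07Z web-01 A x9k2f7q1.oob.example.net",
    "2024-05-01T10:00:09Z web-01 A p3m8d2s4.oob.example.net",
    "2024-05-01T10:00:20Z web-01 A api.ecr.us-east-1.amazonaws.com",
    "2024-05-01T10:01:00Z web-01 A archive.ubuntu.com",
]

WEB_WORKERS = {"gunicorn", "uwsgi", "php-fpm", "node", "java", "httpd", "nginx"}
NETWORK_TOOLS = {"curl", "wget", "nslookup", "dig", "host", "nc", "ncat"}
EGRESS_ALLOW = (".amazonaws.com", ".ubuntu.com", ".internal.example")


def flag_process_events(lines):
    """Rule 1: a network client tool whose ancestry includes a web worker.
    A download handler has no business spawning nslookup or curl; the tar
    child in the same chain shows what a legitimate child looks like, and
    the operator's curl from an ssh session has no web worker above it."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev["comm"] in NETWORK_TOOLS and WEB_WORKERS & set(ev["ancestry"]):
            findings.append({
                "host": ev["host"], "comm": ev["comm"], "ts": ev["ts"],
                # The post's injection ran as root; that is worth escalating on.
                "severity": "high" if ev["uid"] == 0 else "medium",
            })
    return findings


def flag_dns_queries(lines, allow=EGRESS_ALLOW):
    """Rule 2: lookups from application hosts for names outside the egress
    allow-list, grouped by parent domain so that many unique labels under
    one domain (typical of out-of-band callbacks) are visible at a glance."""
    by_domain = defaultdict(set)
    for line in lines:
        _ts, host, _qtype, qname = line.split()
        if qname.endswith(allow):
            continue
        parent = ".".join(qname.split(".")[-3:])
        by_domain[(host, parent)].add(qname)
    return [
        {"host": h, "domain": d, "unique_labels": len(names)}
        for (h, d), names in sorted(by_domain.items())
    ]
```

Rule 1 needs process ancestry, which most EDR agents and auditd with `execve` logging provide; Rule 2 needs resolver logs from the subnet the application servers sit in. Either one alone would have produced an alert during the confirmation step described above, and an egress policy that only permits the allow-listed destinations turns the second rule from a detection into a block.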
From there, Stu pivoted. Using crafted curl requests, he exfiltrated data to his controlled endpoint—system hostname, root context, even /etc/shadow. Then came the kicker: AWS instance metadata. The attached IAM role had full access to Elastic Container Registry (ECR). That’s not just local compromise—it’s supply chain compromise. An attacker could poison container images and spread malicious code across the environment.
All of this happened silently. No alerts. No logs. Just outbound HTTP whispers. In the wrong hands, this flaw could enable persistent, cloud-level control without detection.
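What turned a host compromise into a supply chain exposure was the instance role's scope, not the injection itself. Two posture checks a defender would want to run are shown below as an added example (not from the engagement): one over EC2 metadata options in the shape `describe_instances` returns, flagging hosts that still answer IMDSv1 or let the IMDSv2 token travel more than one hop, and one over IAM policy documents, flagging any Allow statement that covers an ECR write action. Instance ids, the account id and the repository ARN are placeholders; the "full access" policy is a constructed approximation. One caveat the checks do not change: IMDSv2 raises the bar against SSRF-class metadata access but does not stop code already executing on the host, so the role's permissions are the control that bounds the blast radius.

```python
import fnmatch
import json

# Constructed inputs for this example (not from the engagement): EC2
# metadata options in the shape boto3's describe_instances returns, and two
# IAM policy documents for the role an instance might assume. The ARNs,
# instance ids and account id are placeholders.
INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 3}},
]

# Roughly what "full access to ECR" looks like as an inline policy.
OVERLY_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]})

# Pull-only access to one repository: enough for a host that only runs images.
LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/app/web"}]})

# Actions that let a principal change what a repository serves. A role with
# any of these can replace images that other workloads will pull and run.
ECR_WRITE_ACTIONS = {
    "ecr:putimage", "ecr:initiatelayerupload", "ecr:uploadlayerpart",
    "ecr:completelayerupload", "ecr:batchdeleteimage", "ecr:deleterepository",
    "ecr:setrepositorypolicy", "ecr:putimagetagmutability",
}


def flag_imds(instances):
    """Instances that still answer IMDSv1 (HttpTokens != required) or allow
    the IMDSv2 token to travel more than one hop (HttpPutResponseHopLimit > 1),
    which lets containers on the host reach the host's credentials."""
    findings = []
    for inst in instances:
        opts = inst["MetadataOptions"]
        if opts.get("HttpEndpoint") != "enabled":
            continue  # metadata service disabled entirely; nothing to reach
        reasons = []
        if opts.get("HttpTokens") != "required":
            reasons.append("IMDSv1 allowed")
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            reasons.append("hop limit > 1")
        if reasons:
            findings.append((inst["InstanceId"], reasons))
    return findings


def _as_list(v):
    return v if isinstance(v, list) else [v]


def ecr_push_findings(policy_json):
    """Allow statements whose Action patterns cover any ECR write action.
    IAM action names are case-insensitive and may contain wildcards, so both
    sides are lower-cased and matched with fnmatch."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        granted = sorted(
            act for act in ECR_WRITE_ACTIONS
            if any(fnmatch.fnmatchcase(act, p) for p in patterns)
        )
        if granted:
            findings.append({"actions": granted, "resources": _as_list(stmt["Resource"])})
    return findings
```

A host that only pulls images needs `GetAuthorizationToken` plus the three read actions on the repositories it actually runs; anything in `ECR_WRITE_ACTIONS` belongs on a build pipeline role, not on an application server. The metadata check is worth running fleet-wide because hop limit and token settings are per instance and drift easily.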