{"id":159840,"date":"2025-07-08T08:59:17","date_gmt":"2025-07-08T06:59:17","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=5790"},"modified":"2025-09-23T16:31:29","modified_gmt":"2025-09-23T16:31:29","slug":"export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/","title":{"rendered":"Export to PDF allows local file inclusion\/path traversal in Microsoft 365"},"content":{"rendered":"<p>Some months ago, while analyzing a client&#8217;s web application, I came across a <strong>file conversion feature<\/strong> that transformed documents in any format into PDF and published them on the company&#8217;s SharePoint through a convenient graphical interface.<\/p>\n<p>This functionality, managed by the client&#8217;s internal application, had an issue that allowed <strong>reading local system files<\/strong> when converting HTML documents to PDF. Obviously, I reported this problem as a high-impact finding, complete with PoC and evidence. During the final presentation call with the client, the project lead thanked me for identifying the issue and candidly informed me that the <em>web.config<\/em> file shown in the screenshots I had provided was not from one of their systems, as they were only using a wrapper of the official Microsoft&#8217;s APIs, and he suggested to <strong>report the bug directly to Microsoft<\/strong> <img decoding=\"async\" draggable=\"false\" src=\"https:\/\/statics.teams.cdn.office.net\/evergreen-assets\/personal-expressions\/v2\/assets\/emoticons\/1f92f_explodinghead\/default\/20_f.png?v=v7\" alt=\"Exploding head\" width=\"20px\" height=\"20px\" aria-label=\"Exploding head\" \/><\/p>\n<p>After finishing the call, I rushed into our Microsoft 365 SharePoint instance to figure out how to trigger and replicate the issue. I then spent my Friday night submitting the bug to <a href=\"https:\/\/msrc.microsoft.com\/report\/vulnerability\">MSRC<\/a>, and 4 months later <strong>I have been rewarded with a $3000 bounty<\/strong> for this issue (Severity: Important\u2009) <img decoding=\"async\" draggable=\"false\" src=\"https:\/\/statics.teams.cdn.office.net\/evergreen-assets\/personal-expressions\/v2\/assets\/emoticons\/party\/default\/20_f.png?v=v21\" alt=\"Party\" width=\"20px\" height=\"20px\" aria-label=\"Party\" \/>!\u00a0 Hereafter, the details of the finding that now has been (obviously) remediated by Microsoft.<\/p>\n<p><img decoding=\"async\" id=\"done-img\" class=\"aligncenter\" src=\"https:\/\/i.imgflip.com\/9yhndq.jpg\" width=\"511\" height=\"335\" \/><\/p>\n<p>The Microsoft Graph APIs allowed users to download uploaded files in a variety of formats. Specifically, as stated in the <a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/api\/driveitem-get-content-format?view=graph-rest-1.0&amp;tabs=http\">official documentation<\/a> under the <em>Format options<\/em> section, it was possible to convert Microsoft Office files to PDF, or other formats to HTML. The desired output format was specified via the <code>format<\/code> HTTP parameter.<\/p>\n<p>The officially supported formats for PDF conversion included: csv, doc, docx, odp, ods, odt, pot, potm, potx, pps, ppsx, ppsxm, ppt, pptm, pptx, rtf, xls, and xlsx. However, it turned out there was an <strong>undocumented<\/strong> behavior that allowed converting from <strong>HTML to PDF files<\/strong>.<\/p>\n<p>In addition, by embedding specific tags (<em>&lt;embed&gt;<\/em>, <em>&lt;object&gt;,<\/em> and <em>&lt;iframe&gt;<\/em>) into the HTML content, <strong>an attacker could force the inclusion of local files from the server\u2019s file system into the resulting PDF<\/strong>\u2014<strong>even files located outside the server\u2019s root directory<\/strong>.<\/p>\n<p>This effectively opened the door to a <strong>Local File Inclusion (LFI)<\/strong> attack during the conversion process. An attacker exploiting this behavior could have accessed sensitive server-side data\u2014such as Microsoft secrets, database credentials, or potentially application&#8217;s source code. However, I have only been able to read some common files, such as <em>web.config<\/em>, <em>win.ini<\/em>, and a few others. I could speculate that in certain edge cases, if an attacker managed to guess or discover the path to temporary files handled by the application, there was even the potential for <strong>cross-tenant data exposure<\/strong> in multi-tenant environments.<\/p>\n<p>Once the vulnerability was discovered, exploitation was quite easy as you can see in the following steps:<\/p>\n<ol>\n<li>Upload of the malicious HTML file via the graph API:<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"wp-image-5793 size-full aligncenter\" src=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/06\/articolo_o365_1_upload.png\" alt=\"\" width=\"1055\" height=\"575\" \/><\/p>\n<p>2. Request the file in PDF format:<\/p>\n<p><img decoding=\"async\" class=\"wp-image-5797 size-full aligncenter\" src=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/06\/articolo_o365_4_upload_censored-1.png\" alt=\"\" width=\"1670\" height=\"461\" \/><\/p>\n<p>3. The file can be dowloaded with the requested local resource included using the URL provided in the server response:<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-5798 aligncenter\" src=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/06\/articolo_o365_3_upload_censored-1.png\" alt=\"\" width=\"1029\" height=\"594\" \/><\/p>\n<p>I hope you enjoyed this short article! Cheers \ud83e\udd42 \ud83e\udd11<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some months ago, while analyzing a client&#8217;s web application, I came across a file conversion feature that transformed documents in [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":159937,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[81],"tags":[82,225,515,516,553],"class_list":["post-159840","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerabilities","tag-vulnerability-research","tag-bug-bounty","tag-graph-api","tag-microsoft-365","tag-cloud"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HN Security Export to PDF allows local file inclusion\/path traversal in Microsoft 365<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HN Security Export to PDF allows local file inclusion\/path traversal in Microsoft 365\" \/>\n<meta property=\"og:description\" content=\"Some months ago, while analyzing a client&#8217;s web application, I came across a file conversion feature that transformed documents in [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/\" \/>\n<meta property=\"og:site_name\" content=\"HN Security\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-08T06:59:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-23T16:31:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"836\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Gianluca Baldi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@hnsec\" \/>\n<meta name=\"twitter:site\" content=\"@hnsec\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Gianluca Baldi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minuti\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/\"},\"author\":{\"name\":\"Gianluca Baldi\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/251b6740cfa820dd94ab485c48adb8f5\"},\"headline\":\"Export to PDF allows local file inclusion\\\/path traversal in Microsoft 365\",\"datePublished\":\"2025-07-08T06:59:17+00:00\",\"dateModified\":\"2025-09-23T16:31:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/\"},\"wordCount\":512,\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/MIC-365.jpg\",\"keywords\":[\"vulnerability research\",\"bug bounty\",\"graph api\",\"microsoft 365\",\"cloud\"],\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/\",\"name\":\"HN Security Export to PDF allows local file inclusion\\\/path traversal in Microsoft 365\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/MIC-365.jpg\",\"datePublished\":\"2025-07-08T06:59:17+00:00\",\"dateModified\":\"2025-09-23T16:31:29+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#primaryimage\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/MIC-365.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/MIC-365.jpg\",\"width\":1600,\"height\":836,\"caption\":\"Microsoft 365 logo\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Export to PDF allows local file inclusion\\\/path traversal in Microsoft 365\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"name\":\"HN Security\",\"description\":\"Offensive Security Specialists\",\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\",\"name\":\"HN Security\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"width\":696,\"height\":696,\"caption\":\"HN Security\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/hnsec\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/hnsecurity\\\/\",\"https:\\\/\\\/github.com\\\/hnsecurity\",\"https:\\\/\\\/infosec.exchange\\\/@hnsec\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/251b6740cfa820dd94ab485c48adb8f5\",\"name\":\"Gianluca Baldi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g\",\"caption\":\"Gianluca Baldi\"},\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/author\\\/gianluca-baldi\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HN Security Export to PDF allows local file inclusion\/path traversal in Microsoft 365","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/","og_locale":"it_IT","og_type":"article","og_title":"HN Security Export to PDF allows local file inclusion\/path traversal in Microsoft 365","og_description":"Some months ago, while analyzing a client&#8217;s web application, I came across a file conversion feature that transformed documents in [&hellip;]","og_url":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/","og_site_name":"HN Security","article_published_time":"2025-07-08T06:59:17+00:00","article_modified_time":"2025-09-23T16:31:29+00:00","og_image":[{"width":1600,"height":836,"url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg","type":"image\/jpeg"}],"author":"Gianluca Baldi","twitter_card":"summary_large_image","twitter_creator":"@hnsec","twitter_site":"@hnsec","twitter_misc":{"Scritto da":"Gianluca Baldi","Tempo di lettura stimato":"4 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#article","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/"},"author":{"name":"Gianluca Baldi","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/251b6740cfa820dd94ab485c48adb8f5"},"headline":"Export to PDF allows local file inclusion\/path traversal in Microsoft 365","datePublished":"2025-07-08T06:59:17+00:00","dateModified":"2025-09-23T16:31:29+00:00","mainEntityOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/"},"wordCount":512,"publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg","keywords":["vulnerability research","bug bounty","graph api","microsoft 365","cloud"],"articleSection":["Vulnerabilities"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/","url":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/","name":"HN Security Export to PDF allows local file inclusion\/path traversal in Microsoft 365","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#primaryimage"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg","datePublished":"2025-07-08T06:59:17+00:00","dateModified":"2025-09-23T16:31:29+00:00","breadcrumb":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#primaryimage","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg","width":1600,"height":836,"caption":"Microsoft 365 logo"},{"@type":"BreadcrumbList","@id":"https:\/\/hnsecurity.it\/it\/blog\/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hnsecurity.it\/it\/"},{"@type":"ListItem","position":2,"name":"Export to PDF allows local file inclusion\/path traversal in Microsoft 365"}]},{"@type":"WebSite","@id":"https:\/\/hnsecurity.it\/it\/#website","url":"https:\/\/hnsecurity.it\/it\/","name":"HN Security","description":"Offensive Security Specialists","publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hnsecurity.it\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/hnsecurity.it\/it\/#organization","name":"HN Security","url":"https:\/\/hnsecurity.it\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","width":696,"height":696,"caption":"HN Security"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/hnsec","https:\/\/www.linkedin.com\/company\/hnsecurity\/","https:\/\/github.com\/hnsecurity","https:\/\/infosec.exchange\/@hnsec"]},{"@type":"Person","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/251b6740cfa820dd94ab485c48adb8f5","name":"Gianluca Baldi","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g","caption":"Gianluca Baldi"},"url":"https:\/\/hnsecurity.it\/it\/blog\/author\/gianluca-baldi\/"}]}},"jetpack_featured_media_url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/MIC-365.jpg","_links":{"self":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/159840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/comments?post=159840"}],"version-history":[{"count":4,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/159840\/revisions"}],"predecessor-version":[{"id":160871,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/159840\/revisions\/160871"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media\/159937"}],"wp:attachment":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media?parent=159840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/categories?post=159840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/tags?post=159840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}