A few weeks ago, I discovered what a cross-window forgery is. If you're unfamiliar with it, it'll be covered in next week's podcast. It's one of the methods used to exploit one-click confirmation screens, such as OAuth consent screens. Yet today, I...
Client-side hacking techniques
Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal
Maxence Schmitt is back with another article about client-side path traversals. This time about constructing JSON payloads that can be interpreted as PDFs by the backend. The trick I liked the most is the one with bypassing the Unix file command. By default, it uses a...
OAuth #6 – OAuth server-side account takeovers
We're continuing the OAuth series with yet more potential attacks. I'll show you two server-side OAuth attacks that are a bit less known, yet because they don't need user interaction, they are usually rated as critical. I'll also show you two other...
Cross-Site POST Requests Without a Content-Type Header
Did you know that this code would send a POST request without a Content-Type header? I didn't. So if you have backend code like this, you can use it to bypass the CSRF protection. A quick, simple, and unexpected edge case, just as we all love!...
Bypassing WAFs with the phantom $Version cookie
And as if the cookie parsing logic from the previous article weren't complex enough, you can add a $Version phantom cookie to the mix that downgrades the cookie parsing logic to some old standard....
Handling Cookies is a Minefield
I feel like even though cookies have been around forever, 2024 is the year when we all realize how complex cookie parsing is and how many things can go wrong. I think a lot of it can be attributed to MatanBer and his interviews in CTTB. But also to articles like...
OAuth #5 – OAuth recon
I've been having quite a good time recently with authentication bugs. Not all of them are in SSO flows, but most of them are, and the techniques I've used are the same ones I covered in previous articles from this series: OAuth #1 - How does it even work? OAuth...
Exploring the DOMPurify library: Bypasses and Fixes
Kévin Mizu comes back to the newsletter for the second issue in a row. This time, with a blog post about DOMPurify bypasses and some mXSSes. If you think you know HTML, read it and I guarantee you will change your mind. I certainly know nothing about HTML, but...
Cookies, Caching & Attacking Chrome Extensions with MatanBer CT 95&96
All of you should listen to all the Critical Thinking podcasts. That’s the only reason I’m not putting every single episode in the newsletter and I only do it once in a while. Like now when I’m sharing with you the episode with MatanBer about hacking browser...
Find local RCEs and other bugs with no memory corruption skills
Over the years, despite having absolutely zero memory corruption skills, I have had quite a lot of success in hacking desktop apps. Many people overlook this attack surface. In this article, I will tell you how to successfully find RCEs and other bugs only with your...