I feel like browser extensions have a lot of capabilities and are very juicy targets, yet I don’t think many people focus on them. Once I have more time, I’ll take a look at a few of them in-scope of some bug bounty programs. Especially since this blogpost by...
Client-side hacking techniques
Encoding Differentials: Why Charset Matters
Have you ever paid attention to whether the Content-Type header has the charset in it or not? I certainly haven’t. Turns out that the lack of charset may very well lead to an XSS. And it’s not a crazy, impossible edge case. It’s a reasonably likely attack scenario....
Oauth secrets – my NahamCon talk
My talk “Oauth secrets” from NahamCon, as well as many other talks, is published on YouTube. The OAuth attacks from the talk are something you must be familiar with these days, so make sure to watch it. If you’re a BBRE Premium member and read the issues from the...
.js Files Are Your Friends | @zseano
JS files are a goldmine of information but working with them isn’t easy. In the NahamCon talk, zseano shows us his approach to JS files. Watch the full talk here or continue to read my notes. Endpoints in JS files These days it’s very common to use client-side JS code...
OAuth #4 – exchanging the code
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
Beating HTML Sanitisers
HTML is incredibly complex. With all the namespaces, foreign objects and integration points, it’s incredibly difficult to sanitise well. Not to mention doing custom transformations on the sanitised HTML, which, (un)fortunately, some companies try to apply. If...
Magic tricks with iframes and windows
Deep knowledge of browser mechanics with regard to opening windows, window names, iframe sandboxes and others can be key to exploiting edge cases in client-side bugs. In this blogpost, Huli goes over many of them. For example, you make window[.]open reuse a...
OAuth #3 – response_mode
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
OAuth #2 – CSRFs and the state
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
OAuth #1 – How does it even work?
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...