Renniepak created a website where we can all find known CSP bypasses. It’s great because I’m nowhere near remembering all these and, unfortunately, I also don’t have a habit of writing these things down when I encounter them. Not to mention they are difficult to...
Client-side hacking techniques
Using YouTube to steal your files
This writeup involves multiple open redirects, iframes, and then more open redirects, and ends up with clickjacking that gives the attacker access to your GDrive files. It is also another example showing that if you truly understand clickjacking and create a good POC,...
Beyond XSS: Explore the Web Front-end Security Universe
This is an excellent resource about XSS and other client-side bugs! It describes a lot of techniques like mXSS, CSS injection, cookie bombing and many more. Basically, these are techniques at a level where you rarely find one resource gathering so many of them....
Content-Type research
BlackFan has a great GitHub repo with some research about the Content-Type header. If you want to see what response content types allow XSS or which request CT values cause the preflight request to be sent, this is the place to go....
Universal Code Execution by Chaining Messages in Browser Extensions
I feel like browser extensions have a lot of capabilities and are very juicy targets, yet I don’t think many people focus on them. Once I have more time, I’ll take a look at a few of them that are in scope for some bug bounty programs. Especially since this blogpost by...
Encoding Differentials: Why Charset Matters
Have you ever paid attention to whether the Content-Type header has the charset in it or not? I certainly haven’t. Turns out that the lack of charset may very well lead to an XSS. And it’s not a crazy, impossible edge case. It’s a reasonably likely attack scenario....
Oauth secrets – my NahamCon talk
My talk “Oauth secrets” from NahamCon, as well as many other talks, is published on YouTube. The OAuth attacks from the talk are something you must be familiar with these days, so make sure to watch it. If you’re a BBRE Premium member and read the issues from the...
.js Files Are Your Friends | @zseano
JS files are a goldmine of information but working with them isn’t easy. In the NahamCon talk, zseano shows us his approach to JS files. Watch the full talk here or continue to read my notes. Endpoints in JS files These days it’s very common to use client-side JS code...
OAuth #4 – exchanging the code
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
Beating HTML Sanitisers
HTML is incredibly complex. With all the namespaces, foreign objects and integration points, it’s incredibly difficult to sanitise well. Not to mention the custom transformations on the sanitised HTML which, (un)fortunately, some companies try to apply. If...