Deep knowledge of browser mechanics regarding opening windows, window names, iframe sandboxes and others can be key for exploiting edge cases with client-side bugs. In this blogpost, Huli goes over many of them. For example, you make window.open reuse a...
Client-side hacking techniques
OAuth #3 – response_mode
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
OAuth #2 – CSRFs and the state
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
OAuth #1 – How does it even work?
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild
This XSS by Brett Buerhaus is amazing! It includes multiple steps and ends with DOM Clobbering. It is a technique that I know better from CTF challenges and it’s always satisfying to see something like this on a real-world target....
OAuth redirect URI research paper
A few weeks ago, I had to dive a bit deep into the OAuth protocol and into how different providers actually validate the redirect_uri. I even thought that if I did it on a bigger scale, it could become bigger research and a good talk. But I see that this paper did a...
Using form hijacking to bypass CSP
Password managers are great. It’s the first thing I recommend to my non-tech friends. Apart from being more secure than reusing passwords, it’s also very convenient to have your password filled in by the browser extension. However, the auto-fill mechanism also comes...
Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)
As this blogpost shows, the Clipboard API is quite complex. Especially in applications that implement their own formats that often include URLs or iframes. Do not overlook this source of data! https://spaceraccoon.dev/clipboard-microsoft-whiteboard-excalidraw-meta/
CSP bypasses on Portswigger and Twitter
CSP is very complex and also very annoying when you have an XSS. From this blogpost by Johan Carlsson, you can learn why the following payload bypassed CSP both on Twitter and on Portswigger's website. Also, I didn't know that even though you don't see...
Such a cool self-XSS → ATO on Yelp
This report is awesome. It exploits the cookie bridge functionality that allows users to stay signed in on websites in different domains. It also shows how to juggle multiple tabs when you have a self-XSS to turn it into an ATO. https://hackerone.com/reports/2089042