In my recent XSS case study, there were 3 copy & paste XSSes. While I was familiar with the general underlying mechanism, I didn’t know exactly how it works under the hood. This article by spaceraccoonsec describes those mechanisms in a writeup of a bug in Zoom....
Client-side hacking techniques
4 scenarios where you can still find CSRFs in 2023
I’ll admit I was mistaken about the impact of SameSite cookies on CSRFs. I thought that when browsers started defaulting to SameSite=Lax, CSRFs would vanish. Certainly, the number of CSRFs is decreasing, but by no means have they vanished. In this article, I’ll show you...
The basics of CSP bypasses
To be honest - I don’t like Content Security Policy. It’s unclear which programs accept XSSes without a CSP bypass and which do accept them but with lower severity. If you’ve watched the Stripe bounty vlog, you know my story - I almost didn’t report 2x$2,000 XSSes because I didn’t have...
Tips for working with obfuscated JavaScript – .js.map files
Working with obfuscated JS is hard and I hate to admit it, but I’m sure the obfuscation has hidden some bugs we all could have found. However, there are a few things we can do to either avoid having to deal with it or make it easier to read. The .js.map file format...
$10,000 Reddit OAuth account takeover explained
Some time ago, I wrote on Twitter that I am not going to make a video about the recent OAuth account takeover on Reddit for which Frans Rosen got $10,000 - their maximum payout. The reason was that the idea behind the attack is very similar to the ATO on Facebook I...
Scraping the bottom of the CORS barrel (part 1)
jub0bs started a series of blog posts about CORS-related issues. I really like his work and I learn a lot about client-side issues from him. I’m going to closely follow the series to learn about the nuances of browsers’ and servers’ exploitable behaviours. Here’s the...
DOM clobbering
I think it’s really rare in our industry to see a well-written and detailed article about a non-beginner-level topic. So I’m that much happier to see this article by 0xGodson about DOM clobbering. It’s a complex subject and I never really invested time into...
Modern OAuth account takeovers
Frans Rosen recently did some research into the security of OAuth flows. He had a very interesting idea which resulted in a bunch of account takeovers. The article is quite long - according to Grammarly, 27 minutes of reading. However, I created a summary for you with the...
Bypassing client-side XSS filters
Bypassing filters is one of my favourite things in security. I like to find bugs where developers don’t expect them, but it gives me even more satisfaction when I find a bug which the developer tried to prevent, for example, by implementing a client-side XSS filter....
Bypassing CSP with dangling markup or WordPress
One of the XSS gurus - Gareth Heyes - described a cool method to bypass CSP with dangling iframes: https://portswigger.net/research/bypassing-csp-with-dangling-iframes This was a cool bug, but it was a bug in the browser, so you probably won’t use this trick in...