For me, client-side bugs were harder to understand than server-side bugs. For example, if you are exploiting an SQL injection, the case is simple. There's: your Burp/terminal, the server that you are attacking. With client-side bugs, there's: your Burp/terminal, your...
Client-side hacking techniques
Exploiting XSS without Content-Type header
Last week, on a private bug bounty program, I stumbled upon a server that responded with something like this: However, no alert popped up. The reason is that there’s no text/html Content-Type header. In fact, there’s no Content-Type header at all. It was an API...
Finding Swagger UI XSS at scale
Dawid Moczadło wrote a blogpost about finding an XSS in Swagger UI. Swagger is a very popular way of presenting API docs. Finding a bug like this allowed him to then find this bug at scale and get many bounties for it....
How XSS experts bypass CSP?
Gareth Heyes is one of the best in the world when it comes to XSS. Lately, he found a great XSS in PayPal. Initially, the report was rejected because PayPal requires you to bypass the CSP. Although he thinks that XSS should be accepted without Content Security Policy...
Should you stop using alert() in XSS?
You say XSS, I think alert(). However, it might no longer be the ideal proof of concept for cross-site scripting. Some malicious adverts were using alert() for social engineering from iframes on legit websites. Chrome made the decision that alerts will no longer work...
Exploiting CORS in local applications
From my experience, it's not rare to see an application that has misconfigured CORS. However, there's a great chance this is not exploitable anyway. Either the application doesn't use cookies but an Authorization header instead, or the cookie has a...
Cross-site WebSocket hijacking
WebSockets are an asynchronous way of communicating between the browser and the server. They are the perfect fit for any live functionality like chats or live statistics. From my experience, developers are often unaware of the risks associated with using WebSockets....
New XSS vectors
Recently, one of the XSS gurus, Gareth Heyes, found a few new XSS vectors. Many times I was annoyed when using the XSS cheat sheet. I was marking that I can only use a specific HTML tag, let's say an "a" tag. The payload that I am supposed to use also uses the style...
Client-side path traversal
Client-side path traversal is a new name for me. Sam Curry mentioned it on his Twitter. I want to share it because I do see some use cases for this trick. It also means that we won't get rid of CSRFs that quickly. What is client-side path traversal about? Let's say...
Fuzzing WebSockets messages
A few issues ago I presented what is known as cross-site WebSocket hijacking. However, this is not the only issue that can occur there. In the end, the backend still processes your input somehow. When it does, standard vulnerabilities with access control or injection...