Prompt injection is a very new subject in security. If you, like me, don’t have all the time to dedicate to it, it’s quite hard to grasp all the possible insecure scenarios. But luckily, rez0, probably the most active AI hacker, published Prompt Injection Primer for...
#60
Almost $19k for bugs in browser extensions
I think browser extension hacking is quite a good niche at the moment. A lot of bug bounty programs have their extensions in scope but, I don’t know about you, I know very little about vulnerabilities in them. This article contains multiple writeups about bugs in...
XSS with script CSP bypass
This writeup shows a very interesting way of bypassing CSP: it exploits the fact that the nginx error page has no CSP, in combination with a JSONP endpoint on apis[.]google[.]com. In short, Kevin first created an iframe with a non-existing path and then in the JSONP...
Unminify JS with AI
A few new code analysis tools have dropped recently. One of them is Humanify, used for un-minifying JavaScript code using AI. I think I don’t need to convince anyone about the usefulness of this. I’m interested to see how it deals with bigger files....
Effectively transform your data to hundreds of formats with CyberChef
CyberChef is a tool I use all the time. It’s capable of many things starting with decoding Base64 or Hex, through hashing and encryption, up to making HTTP requests. It’s often much quicker to do things here than to code them. The basic usage is very simple but I’m...
Smashing the state machine: the true potential of web race conditions
James Kettle’s research is a yearly must-read for every web hacker. This time, he took a look at race condition bugs, discovered interesting ways of finding them and created tooling that will make hunting race conditions easier for us. After reading the article, I...
DevTools #4 – But where to actually set breakpoints?
This is the fourth and last issue of the series about using DevTools. After reading this, you will have all the tools needed to successfully work with JavaScript. Well, all apart from one. The most important one - the experience. Because I can’t give you that. But...