A very interesting take on client-side vs server-side bugs by Shubs. He said a similar thing in my podcast interview with him, which you can listen to here. https://twitter.com/infosec_au/status/1698322940159557987
#62
Finding Vulnerabilities with MRVA CodeQL
Some time ago, CodeQL gained MRVA (multi-repository variant analysis), which lets you run a CodeQL query across many repositories at once. I’ve been procrastinating on running some queries for a long time, but the author of this article, Maiky, didn’t procrastinate and described the process of finding...
CSRFing VS Code’s Debug Adapter Protocol
I think the attack scenario of sending requests from the victim’s browser to desktop apps or their extensions is undervalued, and it can earn good bounties. Like Dan McNulty, who described what the Debug Adapter Protocol (DAP) is and how you can abuse it for...
API Security Testing using AI in Postman
I am not a big fan of separating API testing from the rest of the web - to me it’s a part of the web. However, in this blogpost, Dana Epp described a methodology for testing APIs in Postman, utilising its AI assistant. I must say it looks really good. I think...
Sources-to-sinks or sinks-to-sources – which approach works better when?
There are two major approaches to finding bugs in source code - sources to sinks and sinks to sources. The natural question is: which one is better? The answer is, as usual, it depends. In this article, I’ll tell you what it depends on. I’ll tell you my...
Client-side JavaScript Instrumentation
If you have been reading this newsletter for some time, you know I’m a heavy user of the DOM Invader browser extension. It’s great, although it doesn’t come without cons, and I’m not 100% comfortable relying on it. Especially since it only works in the embedded browser...
Novel ways of HTTP request splitting
CRLF injection is a commonly known vulnerability type - you send a request containing CRLF characters and check whether they are reflected into the response without sanitisation. While this scenario is the easiest to detect, it’s not the only one. There’s also a possibility...
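The easy-to-detect case described above, as an added example that is not code from the newsletter or from the linked article: a probe carrying a unique header name is URL-encoded into a parameter, and the response is parsed to see whether that header now exists as its own line (the header block was actually split) or whether the probe merely shows up encoded or in the body (reflected, but harmless). The three sample responses are constructed for the demo; the probe header name is an arbitrary choice.

```javascript
// Added example (not the newsletter's or the article's code).
// Distinguishes a real header-block split from a harmless reflection of a
// CRLF-injection probe. Sample responses below are constructed, not captured.

// Build a probe with a unique header name so a reflection is unambiguous.
// encodeURIComponent turns \r\n into %0D%0A, which is how the payload
// travels inside a query parameter or path segment.
function buildProbe(nonce) {
  const headerName = `X-Crlf-Probe-${nonce}`;   // arbitrary name for the demo
  const raw = `\r\n${headerName}: injected`;
  return { headerName, raw, encoded: encodeURIComponent(raw) };
}

// Parse the status line and header block of a raw HTTP/1.x response.
// Only the header block decides whether a split happened; a body that
// echoes the probe text is not an injected header.
function parseResponse(rawResponse) {
  const end = rawResponse.indexOf('\r\n\r\n');
  const head = end === -1 ? rawResponse : rawResponse.slice(0, end);
  const lines = head.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;           // not a header line, skip
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return {
    statusLine: lines[0],
    headers,
    body: end === -1 ? '' : rawResponse.slice(end + 4),
  };
}

// 'split'     - the probe became its own header line (CRLF injection)
// 'reflected' - the probe text appears, but only encoded or in the body
// 'none'      - the probe does not appear at all
function classifyReflection(rawResponse, probe) {
  const { headers } = parseResponse(rawResponse);
  if (probe.headerName.toLowerCase() in headers) return 'split';
  if (rawResponse.includes(probe.headerName)) return 'reflected';
  return 'none';
}

// Constructed sample responses for the demo.
const PROBE = buildProbe('abc');
const VULNERABLE_RESPONSE =
  'HTTP/1.1 302 Found\r\n' +
  'Location: /login?next=\r\n' +            // CRLF was decoded and echoed raw...
  'X-Crlf-Probe-abc: injected\r\n' +         // ...so the probe is now a header
  'Content-Length: 0\r\n\r\n';
const ENCODED_RESPONSE =
  'HTTP/1.1 302 Found\r\n' +
  'Location: /login?next=%0D%0AX-Crlf-Probe-abc:%20injected\r\n' +
  'Content-Length: 0\r\n\r\n';               // CRLF stayed percent-encoded
const BODY_ONLY_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html\r\n\r\n' +
  '<p>X-Crlf-Probe-abc: injected</p>';       // reflected in the body, no split
const CLEAN_RESPONSE =
  'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n';

for (const [label, resp] of [
  ['vulnerable', VULNERABLE_RESPONSE],
  ['encoded', ENCODED_RESPONSE],
  ['body-only', BODY_ONLY_RESPONSE],
  ['clean', CLEAN_RESPONSE],
]) {
  console.log(label.padEnd(10), classifyReflection(resp, PROBE));
}
```

In a real test the raw response comes from the target, and `PROBE.encoded` is what you put in the parameter; the parser deliberately works on the unparsed bytes, because a client library that has already folded the headers into a map hides exactly the distinction the check needs.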