As this blogpost shows, the Clipboard API is quite complex, especially in applications that implement their own formats, which often include URLs or iframes. Do not overlook this source of data! https://spaceraccoon.dev/clipboard-microsoft-whiteboard-excalidraw-meta/
#71
JSON crack – visual JSON editor
JSON crack is a great tool for visualising JSON. You can visually browse the contents and collapse or expand certain parts to make the JSON easy to browse. https://jsoncrack.com/editor
CSP bypasses on Portswigger and Twitter
CSP is very complex and also very annoying when you have an XSS. From this blogpost by Johan Carlsson, you can learn why the following payload bypassed CSP both on Twitter and Portswigger's website. Also, I didn't know that even though you don't see...
3 unauth RCEs in Lucee and $20k bounty from Apple
This writeup by Harsh Jaiswal & Rahul Maini is incredible! Maybe you remember my video from 2021 about a $50,000 RCE in Apple via a 0day in Lucee. It was by the same pair of hunters. And they decided to find another RCE there. And they found it. But it wasn't...
Exploiting Hardened .NET Deserialization by Piotr Bazydło
I didn’t know about this research until Portswigger’s TOP 10 list came out. It’s about finding deserialisation gadgets in .NET, but also about a new way of exploiting these bugs as deserialisation-serialisation chains in cases where you don’t have gadgets good...
Top 10 web hacking techniques of 2023
Portswigger's yearly TOP10 hacking techniques is a collection of the top writeups of the year. I make sure to read all the articles from the top 10, but I also don't forget about the nominations list - I try to read the most interesting ones from there, too....
Breaking HTTP parsers using HTTP garden
Smaller and bigger inconsistencies in HTTP parsing occur all the time. However, there are infinite combinations of servers and reverse proxies, but some of those inconsistencies are only dangerous in very specific contexts. And the trick is to be able to find them when...