In this really extensive blogpost, adnanthekhan describes how he found multiple instances of cache poisoning in GitHub Actions. The takeaway is that if any workflow uses GitHub Actions caching and we can run untrusted code in the context of the main branch, we likely...
#76
Digging for SSRF in NextJS apps
To be honest, I've run out of things to write about Assetnote blogposts. They are always quality, always clear, and always useful, so you should read them no matter what I say. The recent one is interesting in that not only does it describe a zero day in NextJS but also...
Looking back at the past 4 months
Eldar describes his experiences with different bug bounty platforms and specifically their triage process. He definitely makes me want to spend some time on YesWeHack and Intigriti because he wrote that the triage process is smoother than on HackerOne or Bugcrowd...
Beating HTML Sanitisers
HTML is incredibly complex. With all the namespaces, foreign objects and integration points, it’s incredibly difficult to sanitise well. Not to even mention doing some custom transformations on the sanitised HTML which, (un)fortunately, some companies try to apply. If...
Magic tricks with iframes and windows
Deep knowledge of browser mechanics with regard to opening windows, window names, iframe sandboxes and others can be key for exploiting edge cases in client-side bugs. In this blogpost, Huli goes over many of them. For example, you can make window[.]open reuse a...
OAuth #3 – response_mode
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...