I think the attack scenario of sending requests from the victim’s browser to desktop apps or their extensions is undervalued, and you can get good bounties with it. Like Dan McNulty, who described what the DAP protocol is and how you can abuse it for...
API Security Testing using AI in Postman
I am not a big fan of separating API testing from the rest of the web - to me it’s a part of the web. However, in this blogpost, Dana Epp described a methodology of testing the API in Postman, utilising its AI assistant. I must say it looks really good. I think...
Sources-to-sinks or sinks-to-sources – which approach works better when?
There are two major approaches to finding bugs in source code - sources to sinks and sinks to sources. The natural question is: which one is better? The answer is, as usual, it depends. In this article, I’ll tell you what it depends on. I’ll tell you my...
Client-side JavaScript Instrumentation
If you have been reading this newsletter for some time, you know I’m a heavy user of the DOM Invader browser extension. It’s great, although it doesn’t come without cons, and I’m not 100% comfortable relying on it. Especially since it only works in the embedded browser....
Novel ways of HTTP request splitting
CRLF is a commonly known vulnerability type - you send a request with CRLF characters and you check whether they are reflected without sanitisation in the response. While this scenario is the easiest to detect, it’s not the only one. There’s also a possibility...
How to make money for DoS bugs? DoS case study
DoS bugs were very intriguing to me. On one hand, I thought they were usually out of scope of web programs anyway. On the other, I saw big, even 5-digit bounties being awarded for them. So I decided to do what I like to do - extract all DoS reports from the Internet...
Who should worry about prompt injections?
Prompt injection is a very new subject in security. If you, like me, don’t have all the time to dedicate to it, it’s quite hard to grasp all the possible insecure scenarios. But luckily, rez0, probably the most active AI hacker, published Prompt Injection Primer for...
Almost $19k for bugs in browser extensions
I think browser extension hacking is quite a good niche at the moment. A lot of bug bounty programs have their extensions in scope but, I don’t know about you, I know very little about vulnerabilities in them. This article contains multiple writeups about bugs in...
XSS with script CSP bypass
This writeup shows a very interesting way of bypassing CSP by exploiting the fact that the nginx error page has no CSP in combination with using apis[.]google[.]com JSONP endpoint. In short, first, Kevin created an iframe with a non-existing path and then in the JSONP...
Unminify JS with AI
A few new code analysis tools have dropped recently. One of them is Humanify, used for un-minifying JavaScript code using AI. I think I don’t need to convince anyone about the usefulness of this. I’m interested to see how it deals with bigger files....