I learnt recently that the Connection header can have values other than close or keep-alive. When you put a header name there, it should mark that header as hop-by-hop, which means it shouldn’t be forwarded further by the reverse proxy. You can use it in some more...
Exploiting Open Graph and oEmbed protocols
Whenever we share a link over social media, a preview like this shows up. To be honest, I thought it’s coded separately for services like YouTube and for smaller ones, it’s just extracted from the page’s title, its URL and maybe some smart crawling functionalities...
XSS – case study of 174 reports
XSSes are everywhere. They’ve been the most common vulnerability class for years. But while popping an alert may seem simple, there’s much, much more to cross-site scripting. What payloads are people using? Where are people finding XSSes? What about CSP? Can you...
JustCatTheFish CTF writeups
I’m getting messages asking about some CTF writeups as I’m playing them quite regularly. I will make some video writeups but only once in a while. Other ones I and other JCTF players will do (sometimes we have to due to a good finishing position) will be published on...
A surprising characteristic of a Connection header and scaling 0days
This blogpost is soo good! It’s about cache poisoning on Akamai servers for which hunters eventually got over $50,000. There are two major takeaways for me. The connection header Take a look at this request. When I first saw it, I thought “WTF does the Connection:...
How to make notes about a target? +my Notion template
When I was a pentester, I didn’t feel the need to make exhaustive notes about my targets. Usually, projects started on Monday and ended on Friday so everything I needed was either in my head or easily findable in Burp history. However, I could definitely benefit from...
How much money I made in my first year of bug bounty?
In bug bounty, we lack transparency yet I think it can hugely benefit many people. It surely would benefit me if I saw transparent people at the beginning of my career. I decided to be transparent myself and I made a video about how my first year after quitting...
Tips for working with obfuscated JavaScript – .js.map files
Working with obfuscated JS is hard and I hate to admit it, but I’m sure the obfuscated code has hidden some bugs we all could have found. However, there are a few things we can do to either avoid having to deal with them or make them easier to read. The .js.map file format...
Connection Contamination
I still feel like HTTP/2 is a relatively new thing but already, James Kettle looks forward to what threats will occur in HTTP/3. In this article, he describes connection contamination - a technique that you can use to escalate your XSS on one target’s subdomain into...
DEF CON 30 Presentations
The presentations from DEF CON 30 are now available on YouTube! I haven’t watched any of them yet, but one that sounds very interesting to me is “DEF CON 30 - Dongsung Kim - CSRF Resurrections Starring the Unholy Trinity”. The whole playlist:...