And here’s part 2, presenting new techniques for reliable, split-second DNS rebinding in Chrome and Safari

Part 2 will be release on Wednesday, when I'm presenting the research at BHEU

Here's part 1, detailing how I hacked my company's own product using DNS rebinding: https://t.co/cPAxwGU10O

@BlackHatEvents @intruder_io I've been asked to hold off on the release of the first part until tomorrow, so sorry for the false alarm!

Excited to be talking about new DNS rebinding techniques at @BlackHatEvents #BHEU next week. The research for this talk will be released in 2 parts on the @intruder_io research blog - keep an eye out for part 1 on Thursday

A while ago I decided to try take on a big challenge and work out how to detect prototype pollution black-box. One thing I’m very happy with from this research is the simplicity of the solution I found

Why do I know so many Dan's in infosec? Is there something about the name Dan? I strongly advise being cautious of your data around anyone named Dan, until we work this out.

The technique isn’t new, but the vast majority of pentesters I’ve spoken to don’t know about it, so I thought it worth sharing with an example from a pentest. I’ve also created a tool to help you exploit this issue

As a newbie pentester I read the RFC for GUIDs out of a fear that I wasn’t testing them correctly. A few years later, it paid off.

This may in fact have been a good idea... but I think @mopman deserves some kind of recognition for a beautifully crafted social hack that it would appear has actually resulted in an amendment to an Act of Parliament. Nice work.

I was lucky enough to catch this talk at BH, and it was one of the highlights of the conference for me. Great research, and really well presented

Heading off to Vegas for the first time. If you see me about, say hi. I’m the lanky blond British guy with round black glasses.

If you only need to read info rather than modify it, then the trick of loading the application in two separate iFrames works well. @iamnoooob writes about it here: https://t.co/JNUHKSTxWb @avlidienbrunn has a great talk on this and other tricks:

This example works by using the self-XSS to set a session cookie with a limited path so that the self-XSS will still load when the victim logs back into their account. The self-XSS can then access the rest of the application as the victim, so is effectively regular XSS.

If you have stored self-XSS and login CSRF you can probably do something interesting, but you have to do slightly more than this tip says. Here's an example I put together against Moodle a few years ago:

My lesson from the past few days… Ignore the logical part of your brain that says “Nah ignore that, it’s not gonna be vulnerable”!

Nominations:

My advice for this list is to always take to time to read everything on the top 10, and then go through the nominations as well. There's so much good research in these lists that you'll almost certainly find something awesome that you missed, or forgot about.

Thank you to everyone who voted for me and has shared the research. I'm really happy to have made the list.

Look Mum! I'm on PortSwigger!