TL;DR: In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors. Rethinking configuration immutability: Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require...
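The pattern that makes on-the-fly reconfiguration safe is to treat each configuration as an immutable snapshot and swap the pointer to it atomically, so that a request in flight sees exactly one snapshot, never a half-updated mix of two. The following is an added illustration of that pattern and is not code from jub0bs/cors; the type and method names (Config, Middleware, Reconfigure, AllowOrigin) are my own and the policy is reduced to an exact-match origin allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync/atomic"
)

// Config is an immutable snapshot of the CORS policy. Every change builds a
// new snapshot; an existing one is never mutated after construction.
type Config struct {
	allowedOrigins map[string]struct{}
}

// NewConfig builds a snapshot that allows exactly the given origins
// (compared as whole strings, never as prefixes or regexes).
func NewConfig(origins ...string) *Config {
	m := make(map[string]struct{}, len(origins))
	for _, o := range origins {
		m[o] = struct{}{}
	}
	return &Config{allowedOrigins: m}
}

// Middleware keeps the current snapshot behind an atomic pointer, so the
// request path never takes a lock and Reconfigure never blocks it.
type Middleware struct {
	cfg atomic.Pointer[Config]
}

func NewMiddleware(cfg *Config) (*Middleware, error) {
	if cfg == nil {
		return nil, errors.New("cors: nil config")
	}
	m := &Middleware{}
	m.cfg.Store(cfg)
	return m, nil
}

// Reconfigure publishes a new snapshot. Requests already holding the old
// snapshot finish with it; later requests load the new one.
func (m *Middleware) Reconfigure(cfg *Config) error {
	if cfg == nil {
		return errors.New("cors: nil config")
	}
	m.cfg.Store(cfg)
	return nil
}

// AllowOrigin decides whether a request's Origin is allowed under the
// snapshot current at the moment of the call.
func (m *Middleware) AllowOrigin(origin string) bool {
	cfg := m.cfg.Load() // one Load per request: a single consistent view
	_, ok := cfg.allowedOrigins[origin]
	return ok
}

// Wrap applies the policy to an http.Handler. The allowed origin is echoed
// only after an exact match, and Vary: Origin keeps caches from serving one
// origin's response to another.
func (m *Middleware) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" && m.AllowOrigin(origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	m, _ := NewMiddleware(NewConfig("https://app.example"))
	fmt.Println(m.AllowOrigin("https://app.example"), m.AllowOrigin("https://evil.example"))
	_ = m.Reconfigure(NewConfig("https://other.example"))
	fmt.Println(m.AllowOrigin("https://app.example"), m.AllowOrigin("https://other.example"))
}
```

Because a snapshot is never modified in place, readers need no lock at all; the cost of a reconfiguration is building the new map, which happens off the request path.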
TL;DR: A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, a permissive CORS configuration, all to achieve CSRF against an in-scope asset. Read on for a deep dive about...
TL;DR: In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been set by the origin’s secure counterpart. Cookies’ crumbly beginnings: Netscape (Lou Montulli, more precisely) invented cookies in 1994 in order to...
James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so. This post is the first in a series in which I will discuss more...
My third guest post on Honeybadger’s blog, entitled Subdomain Takeover: Ignore This Vulnerability at Your Peril has just been published!
In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security. TL;DR: The SameSite cookie attribute is not well understood. Conflating site and origin is a common but harmful mistake. The concept of site is more difficult to apprehend than meets the eye. Some requests are...
My second guest post on Honeybadger’s blog, entitled Protecting Your Apps From Link-based Vulnerabilities: Reverse Tabnabbing, Broken-Link Hijacking, and Open Redirects has just been published!
TL;DR: To familiarise myself with the updated design draft on Type Parameters in Go, I wrote a generic implementation of a bidirectional map. You can try it out in this playground. Edit (2022-04-03): Now that Go 1.18 is out, I’ve spruced up this post a bit. Generics are coming to Go: Support for parametric polymorphism (also colloquially known...
A server-side request forgery (SSRF) is a type of vulnerability that consists in tricking a server into sending network requests to unintended hosts. In some cases (e.g. Scott Helme’s Security Headers tool), allowing users to trigger HTTP requests from some backend to arbitrary hosts is a feature. In many other cases, though, it is a serious...
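The practical defence, when letting users pick the target of a server-side request is a feature, is to validate the destination before connecting and to make sure the connection actually goes to the address that was validated. The following is an added example, not code from any of the posts or tools mentioned above: a URL vetting function that rejects non-HTTP schemes, userinfo, and any host that resolves to a loopback, private, link-local or metadata range, plus a transport that dials only the vetted address (so a DNS answer that changes between check and use cannot redirect the request) and refuses to follow redirects. The resolver is injected so the check can run offline; the blocked ranges and the function names are my choices.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Resolver abstracts DNS so validateTarget can be exercised without network access.
type Resolver func(host string) ([]netip.Addr, error)

// systemResolver is the production resolver, backed by the OS resolver.
func systemResolver(host string) ([]netip.Addr, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// blockedPrefixes are ranges a user-triggered fetch must never reach.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"),     // loopback
	netip.MustParsePrefix("10.0.0.0/8"),      // RFC 1918
	netip.MustParsePrefix("172.16.0.0/12"),   // RFC 1918
	netip.MustParsePrefix("192.168.0.0/16"),  // RFC 1918
	netip.MustParsePrefix("100.64.0.0/10"),   // CGNAT
	netip.MustParsePrefix("169.254.0.0/16"),  // link-local, incl. cloud metadata 169.254.169.254
	netip.MustParsePrefix("::1/128"),         // IPv6 loopback
	netip.MustParsePrefix("fc00::/7"),        // IPv6 ULA
	netip.MustParsePrefix("fe80::/10"),       // IPv6 link-local
}

// isBlocked reports whether addr falls in a blocked range. Unmap folds
// IPv4-mapped IPv6 (::ffff:127.0.0.1) back to IPv4 so it cannot slip past.
func isBlocked(addr netip.Addr) bool {
	addr = addr.Unmap()
	for _, p := range blockedPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// validateTarget parses a user-supplied URL and returns the addresses the
// caller may dial, or an error explaining why the target is refused.
func validateTarget(raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil { // http://user@host tricks some parsers into the wrong host
		return nil, errors.New("userinfo not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: no DNS involved
	} else if addrs, err = resolve(host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, errors.New("host resolved to no addresses")
	}
	for _, a := range addrs { // every answer must be clean, not just the first
		if isBlocked(a) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, a)
		}
	}
	return addrs, nil
}

// pinnedClient dials only the vetted address, regardless of what DNS says at
// connect time, and hands redirects back to the caller instead of following
// them (a redirect to an internal host would otherwise bypass the check).
func pinnedClient(addr netip.Addr) *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(address)
				if err != nil {
					return nil, err
				}
				return d.DialContext(ctx, network, net.JoinHostPort(addr.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

func main() {
	for _, raw := range []string{"http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/", "https://93.184.216.34/"} {
		addrs, err := validateTarget(raw, systemResolver)
		fmt.Printf("%-45s -> addrs=%v err=%v\n", raw, addrs, err)
	}
	_ = pinnedClient
}
```

Two things are easy to get wrong here: checking only the first DNS answer (an attacker-controlled name can return a public and a private address), and validating the hostname but then letting http.Client resolve it again when dialing, which is what the pinned dialer prevents. The redirect policy matters for the same reason.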
I recently stumbled upon a critical instance of broken access control, and I thought its story would make for an interesting blog post. I’ve deliberately omitted some details (e.g. irrelevant HTTP headers) in the interest of simplicity and concision. Moreover, all clues to the identity of the organisation I was hacking have been expunged from this...
My first guest post on Honeybadger’s blog, entitled Plugging Git Leaks: Preventing and Fixing Information Exposure in Repositories has just been published!
(This post is also available in French on Human Coders' blog.) About two weeks ago, I had the privilege to attend dotGo 2019, the fifth edition of the European Go Conference. Whereas tech conferences I’ve attended in the past tended to be held in soulless hotels or convention centres, the dotGo team went all out and managed to secure the...
Go supports multiple programming paradigms, including object orientation. However, if you’re coming to Go from Java, you may be slightly… ehm… disoriented. One striking absence is that of any access modifiers. You may be wondering: Where are my public, protected, and private keywords? What mechanisms for access control does Go provide? Fret not!...
defer, in a nutshell: When learning Go, one quickly comes across the defer keyword. For instance, the Tour of Go introduces defer thus: A defer statement defers the execution of a function until the surrounding function returns. The deferred call’s arguments are evaluated immediately, but the function call is not executed until the surrounding...
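The two halves of that sentence (arguments evaluated now, call executed later) are where most defer surprises come from, together with the facts that deferred calls run last-in-first-out and that they still run when the function panics. The following is an added example of my own, not taken from the post or from the Tour of Go; the function names are arbitrary.

```go
package main

import "fmt"

// deferOrder returns a trace of what ran, in what order, and which value of
// x each deferred call observed. The result is a named return value on
// purpose: deferred calls run after the return statement, and a named result
// is the only way for them to still contribute to what the caller receives.
func deferOrder() (trace []string) {
	x := 1
	// The argument is evaluated at the defer statement, so v is fixed to 1,
	// even though the call itself only runs when deferOrder returns.
	defer func(v int) {
		trace = append(trace, fmt.Sprintf("deferred-by-value x=%d", v))
	}(x)
	// A closure captures the variable x itself, not its value, so by the
	// time it runs it observes x == 2.
	defer func() {
		trace = append(trace, fmt.Sprintf("deferred-closure x=%d", x))
	}()
	x = 2
	trace = append(trace, "body done")
	return trace // then the two deferred calls run, most recently deferred first
}

// safeDivide shows why defer matters for robustness: deferred calls run even
// when the function panics, so a deferred recover can convert a runtime
// panic into an ordinary error, and for the same reason a deferred Unlock or
// Close still happens on every exit path.
func safeDivide(a, b int) (result int, err error) {
	defer func() {
		if r := recover(); r != nil {
			result = 0
			err = fmt.Errorf("safeDivide: recovered panic: %v", r)
		}
	}()
	return a / b, nil // panics at run time when b == 0
}

func main() {
	for _, step := range deferOrder() {
		fmt.Println(step)
	}
	fmt.Println(safeDivide(6, 3))
	fmt.Println(safeDivide(1, 0))
}
```

The trace comes out as "body done", then the closure (registered second, so it runs first) reporting x=2, then the by-value call reporting the x=1 it captured at the defer statement.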