Chaining an IDOR with a business-logic error to achieve critical impact

TL;DR ¶ In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors. Rethinking configuration immutability ¶ Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require...

TL;DR ¶ A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, a permissive CORS configuration, all to achieve CSRF against an in-scope asset. Read on for a deep dive about...

TL;DR ¶ In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been set by the origin’s secure counterpart. Cookies’ crumbly beginnings ¶ Netscape (Lou Montulli, more precisely) invented cookies in 1994 in order to...

James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so. This post is the first in a series in which I will discuss more...

My third guest post on Honeybadger’s blog, entitled Subdomain Takeover: Ignore This Vulnerability at Your Peril has just been published!