A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF...

from blog Posts on jub0bs.com, | ↗ original
TL;DR ¶ A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, a permissive CORS configuration, all to achieve CSRF against an in-scope asset. Read on for a deep dive about...
This is a short summary. ↗ Open original to view full content

Related

Exploiting Directory Traversal to View Customer Credit Card Information on Yahoo's Small Business Platform
Blog | Sam Curry | original ↗
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts
Blog | Sam Curry | original ↗
How I stole the identity of every Yahoo user
Blog | Sam Curry | original ↗
Obtaining database passwords from a billion-dollar company
Mac's Tech Blog | original ↗
Hacking Starbucks and Accessing Nearly 100 Million Customer Records
Blog | Sam Curry | original ↗
How to add a million bugs to a program (and why you might want to)
Push the Red Button | original ↗
Fixing a Bug in Google Chrome as a First-Time Contributor
cprimozic.net Blog | original ↗
The Mechanics of Bug Injection with LAVA
Push the Red Button | original ↗
0Din: A GenAI Bug Bounty Program – Securing Tomorrow’s AI Together
Mozilla Hacks – the Web developer blog | original ↗
Bugs I’ve filed on browsers
Read the Tea Leaves | original ↗

More from Posts on jub0bs.com

Reconfigurable CORS middleware with jub0bs/cors
14 May 2024 | original ↗

TL;DR ¶ In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors. Rethinking configuration immutability ¶ Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require...

Existence oracle for Secure cookies on insecure Web origins
12 Sept 2022 | original ↗

TL;DR ¶ In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been set by the origin’s secure counterpart. Cookies’ crumbly beginnings ¶ Netscape (Lou Montulli, more precisely) invented cookies in 1994 in order to...

Scraping the bottom of the CORS barrel (part 1)
4 Aug 2022 | original ↗

James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so. This post is the first in a series in which I will discuss more...

Subdomain takeover: ignore this vulnerability at your peril
12 Feb 2021 | original ↗

My third guest post on Honeybadger’s blog, entitled Subdomain Takeover: Ignore This Vulnerability at Your Peril has just been published!

The great SameSite confusion
29 Jan 2021 | original ↗

In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security. TL;DR ¶ The SameSite cookie attribute is not well understood. Conflating site and origin is a common but harmful mistake. The concept of site is more difficult to apprehend than meets the eye. Some requests are...