On-site Request Forgery

OSRF is a type of vulnerability where an attacker is able to influence Clients to send crafted requests to their destined location on behalf of vulnerable application. That is, it sends request to your chosen URL with Referer and/or Origin of it's own.…

MS Edge – HTTP Access Control (CORS) Bypass

This is a short post about a vulnerability I had found in Microsoft Edge. TL;DR Edge failed to recognize HTTP Authentication information (i.e. Authorization Header) as credential information when sending fetch requests. So, if an application uses Basic or NTLM auth, Edge would send Authorization header in all…

Forging Content-Type Header With Flash

You might already know how you can forge HTTP request headers using flash. So, to keep it short, I’m talking about Content-Type only. Lately, I’ve been seeing tweets & reports about CSRF attack involving JSON data. In fact, I saw a tweet asking if it was safe to…

Referrer Policy

There are, atm, 5 different ways referrer policy can be delivered as defined by W3C. Setting referrer policy via meta is supported by all modern browsers (as shown above). The other ones, however, are new and aren't widely supported or used. The HTML Standard defines the concept of referrerpolicy attributes…

HackerOne XSSI – Stealing Multi Line Strings

I assume you already know what XSSI is. If not, here's a brief introduction cited from Identifier based XSSI attacks: Cross Site Script Inclusion (XSSI) is an attack technique (or a vulnerability) that enables attackers to steal data of certain types across origin boundaries, by including target data using SCRIPT…

Stealing CSVs Cross-domain

Back in 2008, Chris Evans found it was possible to steal data cross-domain in Firefox using script includes. We can still read his report at http://scary.beasts.org/security/CESA-2008-011.html In his own words: The modern web model permits remote domain <script> inclusion with no restrictions.…