Exploiting POST-based XSSI

We know, more and more client-side attacks are dying. But sometimes, with introduction of new features, an unexploitable becomes exploitable. Yes, combined with the power of Service Worker, XSSI is no longer limited to GET requests. This essentially means we can also include resources with POST requests and CORS-safelisted headers.…

XSS with length restriction

The more promising Proof of Concept in case of XSS, in my opinion, is to load external JavaScript from a domain under your control. This post lists ways one can load external JavaScript with as few characters as possible.…

MS Edge – HTTP Access Control (CORS) Bypass

This is a short post about a vulnerability I had found in Microsoft Edge. TL;DR Edge failed to recognize HTTP Authentication information (i.e. Authorization Header) as credential information when sending fetch requests. So, if an application uses Basic or NTLM auth, Edge would send Authorization header in all…

HackerOne XSSI – Stealing Multi Line Strings

I assume you already know what XSSI is. If not, here's a brief introduction cited from Identifier based XSSI attacks: Cross Site Script Inclusion (XSSI) is an attack technique (or a vulnerability) that enables attackers to steal data of certain types across origin boundaries, by including target data using SCRIPT…