Matan Berson

@MtnBer

Followers
2,928
Following
243
Media
6
Statuses
197

Hacking for fun | H1-65 Eliminator award | AWC23 Best New Hacker

Joined May 2020
Pinned Tweet
@MtnBer
Matan Berson
3 months
Just released my blog post "Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs"! It's about a very impactful and technically interesting client-side bug I found in a major NFT site.
15
63
351
@MtnBer
Matan Berson
8 months
My Chrome bug just got disclosed! It’s a really cool chain of 4 vulns leading to local file read and universal XSS (including extensions). Maybe I’ll make a blog post about it
22
100
698
@MtnBer
Matan Berson
5 months
Just wrote a ~2.5 page blog post on Client Side Path Traversal, covering what CSPT is, why it can be so impactful, some advanced exploitation and WAF bypass techniques, and a bug which I found in a live hacking event (redacted ofc)
8
108
372
@MtnBer
Matan Berson
5 months
Query selector calls in JS are interesting both as a sink, and because they're often used by interesting functionality (as discussed in last week's @ctbbpodcast episode), so I threw together a short config for the DomLogger++ extension to find them
7
13
113
@MtnBer
Matan Berson
2 months
Continuing the @PortSwiggerRes streak, @garethheyes just gave a completely mindblowing talk about email addresses! I was completely stunned by some of the things he mentioned there. He also gave me a copy of his amazing book JavaScript for Hackers 😄
0
5
113
@MtnBer
Matan Berson
2 months
Wow. @albinowax ’s web timing attacks talk was absolutely incredible. I’m speechless
4
3
81
@MtnBer
Matan Berson
4 months
This is super useful. I always forget which characters I can use where and have to set up a script to fuzz the HTML
@hackerscrolls
Hack3rScr0lls
4 years
Last time we showed you how to use encodings in <a>. Now we've made a scheme of what symbols at which points you can inject to bypass WAF, filters, sanitizers. #BugBounty #CyberSecurity #BugBountyTip
4
239
608
1
4
68
@MtnBer
Matan Berson
3 months
I’m always surprised about how many devs overlook this. I have found pretty much this exact issue in the chrome devtools frontend. If you don’t know the answer to this then 1. You should go and read “JavaScript for Hackers” by @garethheyes 2. Put a \r, \n or \t in the scheme
@renniepak
renniepak
3 months
Mini XSS quiz. Easy mode, but often overlooked :)
8
3
54
1
8
66
@MtnBer
Matan Berson
6 months
Had a blast in the #H165 event by @salesforce and @Hacker0x01 ! The location was amazing, the Salesforce team was super nice and helpful, and the hackers I met were incredibly talented. I also won the eliminator award for one of my bugs!
5
1
58
@MtnBer
Matan Berson
2 months
Just noticed that for the whole episode I did on the @ctbbpodcast I was talking through my camera’s mic and not through the good mic I bought specifically for that episode😭😭😭
7
0
55
@MtnBer
Matan Berson
10 months
Really proud of my performance, apparently I made ~9% of the total bounties. Shoutout to HackerOne and team Israel for an awesome event
@Hacker0x01
HackerOne
10 months
One word recaps the 2023 #AmbassadorWorldCup perfectly….EPIC! 🙌 12 countries represented, 799 valid submissions, and $1.7M in bounties paid! Check out the finale recap and learn how AWC partners are taking these findings back to their security teams.
0
4
33
6
0
48
@MtnBer
Matan Berson
3 months
The preview for my latest blog post "Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs" is out for the Critical Tinkers tier on the @ctbbpodcast discord👀 It's about a really sick bug so I can't wait to release it and share it with all of you
3
1
40
@MtnBer
Matan Berson
4 months
@xitsec Thanks! I definitely had a good couple of months 😅 What I look for is very target-specific, and I mainly just look at any feature that seems interesting to me. There almost isn’t anything that I consistently look for in every single target I hack on
3
0
37
@MtnBer
Matan Berson
4 months
These @hackerscrolls tips are so good
@hackerscrolls
Hack3rScr0lls
4 years
There is a popular opinion: bad CORS like <Access-Control-Allow-Origin: *> is unexploitable. Browser won't send cookies in this case. It is a delusion. You can exploit it with a Chrome cache feature! For example: #BugBountyTip #CyberSecurity #BugBounty
4
333
754
2
3
37
@MtnBer
Matan Berson
4 months
This might be one of the best resource investments I've made, the exclusive perks and content are so good
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
4 months
Another top hacker joins the CTers! Thanks for the sub @MtnBer ❤️
1
0
11
2
3
30
@MtnBer
Matan Berson
7 months
Instead of a blog post I’m making a video on my chrome bug together with the amazing @PwnFunction ! This will be awesome.
@PwnFunction
PwnFunction
7 months
@MtnBer cooks and I serve.
2
0
31
0
0
29
@MtnBer
Matan Berson
3 months
I thought I knew pretty much all there is to know about CSPT and I couldn’t be happier to be proven wrong. I bet if you can pollute body params with query params in one endpoint you can probably do it everywhere, so because CSPT is usually systemic I bet you can wreck that target
@Rhynorater
Justin Gardner
3 months
CSPT is my favorite vuln type - and I yap about it on @ctbbpodcast all the time. I've been reporting CSPTs for the past 2 years+ now, so in light of the new research dropped by @Doyensec , let me drop a couple of takes on this🔥research:
1
64
256
0
2
25
@MtnBer
Matan Berson
1 year
Overrides in chrome are an even more underrated feature. Yesterday I learnt that on top of letting you modify sources, this feature also lets you modify the headers of responses! Plus, all of the overrides are stored in well structured dirs and can be easily shared and edited
@Rhynorater
Justin Gardner
1 year
One of the most underrated features in Caido/Burp is the Match&Replace feature. Here are a bunch of use cases for how to use match and replace to test effectively: 1. Turn on feature flags Most of the time, when testing large applications, there are features present in the
12
63
242
2
2
22
@MtnBer
Matan Berson
2 months
@Rhynorater @ctbbpodcast Thanks for having me on the pod! I had a blast recording that episode and it really is such a banger
1
0
19
@MtnBer
Matan Berson
4 months
Mobile hunters - how do your bugs usually get rated in terms of CVSS? More specifically: What are AC and UI usually set to in an attack that requires a malicious app to be installed? Are there any common scenarios where Scope is usually set to changed (like reflected XSS in web)?
4
0
18
@MtnBer
Matan Berson
5 months
If anyone has an open redirect/STO/XSS on *.vscode.dev hmu
2
0
16
@MtnBer
Matan Berson
4 months
Also, from now on I'll start posting previews of my latest blog posts in the critical-thinkers channel a few days before I release them. There's a good one coming up on some advanced client side template injection exploitation so stay tuned!
0
0
16
@MtnBer
Matan Berson
2 months
@ArchAngelDDay I used to test for SMTP injection which basically allows for this. It usually got accepted as medium, and one program even explicitly said “This is definitely an issue and a really cool find” so I guess most programs like it
0
0
13
@MtnBer
Matan Berson
3 months
Does anybody know a way to exploit document.head.innerHTML = location.href? Every payload I put in the query or the hash gets URL encoded
3
1
11
@MtnBer
Matan Berson
6 months
Special shoutout to @shm0ul , @ArchAngelDDay , @Michael1026H1 @ryotkak , and @kongwenbin , you all are awesome and I really look forward to hacking with you in the future!
1
0
11
@MtnBer
Matan Berson
7 months
@deryilz Thanks!! I really liked your blog on the chrome XSS issue you found (). I especially liked the trick with the “filesystem” scheme, it’s very clever. This morning someone asked me for article recommendations and I gave it to him
1
1
9
@MtnBer
Matan Berson
4 months
Always hungry for more gourmet research from @albinowax
@albinowax
James Kettle
5 months
I'm thrilled to announce "Listen to the whispers: web timing attacks that actually work" will premiere at Black Hat USA! After nine months of running bulk timing attacks on thousands of live sites, I've got a lot to share :D #BHUSA @BlackHatEvents
35
105
660
0
0
9
@MtnBer
Matan Berson
6 months
Definitely gonna switch to early adopter for that update
@c3l3si4n
celesian
6 months
13
16
293
0
0
7
@MtnBer
Matan Berson
9 months
Best episode yet imo, really worth a listen
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
9 months
Episode 52 is live and, to celebrate our one year anniversary, we put together a MEGA episode compiling the top technical content of 2023 into ONE episode. If you're gonna see any CT episode, check this one out!
3
19
91
0
2
7
@MtnBer
Matan Berson
2 months
@_godiego__ Like this article where ChatGPT wrote it from the perspective of the program “matanber reported this vulnerability through our HackerOne bug bounty program”
0
0
6
@MtnBer
Matan Berson
6 months
@joaxcar Congrats! I’m really glad to see the success you’re having hacking full-time. And btw, the stats that you share are very motivating so thanks for that!
1
0
6
@MtnBer
Matan Berson
1 year
You know that CSS encoding magic trick that @ctbbpodcast mentioned once (\20 = “ “ etc.)? Well today I found it works in jQuery and document.querySelectorAll too. My spaces were getting URL encoded so it really saved me
0
1
6
@MtnBer
Matan Berson
4 months
@lalit80842 @xitsec It’s not a generic bug type, just a very target-specific JS bug. If they will let me then I’ll write a blog post about it at some point
1
0
6
@MtnBer
Matan Berson
1 month
@gregxsunday Love the thumbnail 😂 thanks for having me
1
0
6
@MtnBer
Matan Berson
6 months
0
0
5
@MtnBer
Matan Berson
7 months
@PwnFunction It’s gonna be 🔥
0
0
5
@MtnBer
Matan Berson
1 month
@schniggie I didn’t discover that technique but yeah it’s pretty useful
1
0
4
@MtnBer
Matan Berson
8 months
@Rhynorater Thanks man!
1
0
4
@MtnBer
Matan Berson
2 months
1
0
3
@MtnBer
Matan Berson
5 months
@kevin_mizu @ctbbpodcast Nice! I really like this extension, I’ve found some bugs with it that I wouldn’t have found otherwise
1
0
4
@MtnBer
Matan Berson
2 months
@ryancbarnett Thanks for the kind words man! I’m glad you enjoyed the episode
0
0
4
@MtnBer
Matan Berson
3 months
@sw33tLie @0xteknogeek this could probably be useful next time you need to fuzz a non-titlecase x-forwarded-for
0
0
4
@MtnBer
Matan Berson
3 months
1
0
3
@MtnBer
Matan Berson
4 months
‼️This technique is probably fixed nowadays. Thanks for noticing that @Rhynorater
0
0
3
@MtnBer
Matan Berson
1 month
@joaxcar I know that in chrome \n and \r work inside of fetch too, idk about \t
1
0
4
@MtnBer
Matan Berson
6 months
@joaxcar You should to a certain extent because even in programs that solely use CVSS, I think you have a better chance of getting a good score if the team feels that the attack is more realistic
1
0
3
@MtnBer
Matan Berson
1 month
@gregxsunday @joaxcar - A situation where the client does something like GET /asdf/[malicious input], and the server tries to prevent the malicious input from being “..”, which would cause a request to /asdf. This situation would require parsing but it’s super rare and I’ve never actually seen it
1
0
3
@MtnBer
Matan Berson
1 month
@gregxsunday @joaxcar Usually when you try to prevent CSPT you just URL-encode any slashes in the input so there’s no parsing involved there. The only situations where I can see this being used to bypass a server-side parser is: - WAF bypass, which is already pretty easy
1
0
3
@MtnBer
Matan Berson
2 months
@liran_tal @PikuHaku @LiveOverflow The subdomain in app A has a token that allows it to interact with some API. The XSS leaks it and is able to interact with the API. The subdomain in app B interacts with the API using cookies. The XSS is also able to interact with the API here and leak/modify the same data.
0
0
3
@MtnBer
Matan Berson
4 months
@itz_mg_ Congrats!!
1
0
3
@MtnBer
Matan Berson
5 months
@Rhynorater Took me like 5 minutes of work😅 glad you like it though
0
0
3
@MtnBer
Matan Berson
3 months
@zseano @galnagli @scarybeasts Maybe making that leaderboard opt-out could solve that?
0
0
3
@MtnBer
Matan Berson
4 months
@AbhinabTweets @ynsmroztas @ctbbpodcast Postmessage logger, DomLogger++, and Wappalyzer
1
0
3
@MtnBer
Matan Berson
11 months
@djurado9 Thanks man😂 You guys were incredible
1
0
3
@MtnBer
Matan Berson
1 year
@joaxcar If you can’t do anything more interesting like what @gregxsunday mentioned, then you can inject CSS with the “Link” header
0
0
3
@MtnBer
Matan Berson
2 months
@aszx87410 Thanks for making it! It’s a great resource
0
0
3
@MtnBer
Matan Berson
3 months
@NinjaRooker Thanks! The most important language to learn for web client side bugs is definitely javascript. Some good resources for learning js or learning about js are MDN and "JavaScript for Hackers" by Gareth Heyes
1
0
3
@MtnBer
Matan Berson
2 months
@joaxcar Oh yeah now I remember I saw that sometime. Too bad there isn’t a “combined” section
1
0
2
@MtnBer
Matan Berson
5 months
@kevin_mizu Thanks for all the hard work!
0
0
2
@MtnBer
Matan Berson
1 year
@Rhynorater These info nuggets on browser behavior are always useful and the episode specifically about them is one of my favorites. Thanks!
1
0
2
@MtnBer
Matan Berson
3 months
@NahamSec Congrats Ben!!
0
0
2
@MtnBer
Matan Berson
3 months
@WeizmanGal @AbhinabTweets @ynsmroztas @ctbbpodcast So I’ve checked and the snaps feature is in scope for the bbp, but I don’t see LavaDome mentioned anywhere. Do you think submissions for it would get accepted? If not then I can still test it a bit but I won’t sink too much time into it
1
0
2
@MtnBer
Matan Berson
7 months
@JonathanBouman @VvAA Damn. Great work!
0
0
2
@MtnBer
Matan Berson
2 months
@liran_tal @PikuHaku @LiveOverflow Can you clarify what you're trying to say with point 3? Isn't this whole discussion about what the impact of a successful XSS attack (that isn't blocked by a WAF) would be for a site that stores tokens in localStorage vs one that doesn't
2
0
2
@MtnBer
Matan Berson
5 months
@alexbindrei @salesforce Thank you so much for the kind words!❤️
0
0
2
@MtnBer
Matan Berson
1 year
Here's a prototype of a cool idea I had: the "Rainbow Phishbar". It hashes the origin of a URL (protocol+domain+port) and sets the color of the lock icon according to that hash, to make phishing URLs look visually different. You can find this demo at matanber[.]com/phishbar
0
0
2
@MtnBer
Matan Berson
3 months
@archyxsec No I haven’t, bugs that only affect IE aren’t very interesting
1
0
2
@MtnBer
Matan Berson
4 months
@ryancbarnett @garethheyes @hackerscrolls Just registered for the site and it looks great! Creating a dynamic visual like the one you described would definitely make the fuzzing results easier to understand
1
0
2
@MtnBer
Matan Berson
1 year
@hakluke This is a great tip! I’ve been using xc as an alias for xclip for years now and it’s super useful. I also use “xco” to output the clipboard to stdout (xclip -selection clipboard -out)
0
0
2
@MtnBer
Matan Berson
1 month
@itz_mg_ Nice, see you there!
1
0
2
@MtnBer
Matan Berson
2 months
0
0
2
@MtnBer
Matan Berson
6 months
@PikuHaku @joaxcar Yeah, and it does make sense imo because if the attack requires way too much interaction then the attacker wouldn’t be able to perform it consistently
0
0
2
@MtnBer
Matan Berson
4 months
@nmatt0 Congrats and thanks for the awesome content!
0
0
2
@MtnBer
Matan Berson
3 months
@WeizmanGal @AbhinabTweets @ynsmroztas @ctbbpodcast What are some good use cases for it? Only thing I could come up with so far is querying a certain "cluster" of functions/classes like this and seeing the relationships between the results
1
0
2
@MtnBer
Matan Berson
5 months
@bishal0x01 @_godiego__ Yeah it is, thanks
1
0
2
@MtnBer
Matan Berson
2 months
@critbugchungus @ctbbpodcast Thanks! I appreciate the kind feedback
0
0
2
@MtnBer
Matan Berson
2 months
@liran_tal @PikuHaku @LiveOverflow In that scenario, if the architecture is implemented correctly I'd argue the XSS has the same impact in both apps.
1
0
2
@MtnBer
Matan Berson
3 months
@NinjaRooker @ctbbpodcast It’s exclusive to the Critical Thinkers tier of subscribers, so it’s in the “critical-thinkers” channel. I’m not affiliated with the podcast or anything but I really like it so I’m trying to help them get some more subscribers.
0
0
2
@MtnBer
Matan Berson
6 months
@caitlinnallison Nag I’m just kidding a lizard was walking on the sign so it looked like one of the ingredients
1
0
2
@MtnBer
Matan Berson
2 months
@joaxcar I’m pretty sure it does, you should probably still check that though just to make sure
0
0
2
@MtnBer
Matan Berson
2 months
@joaxcar Nice! Glad to hear that
1
0
1
@MtnBer
Matan Berson
3 months
@WeizmanGal @AbhinabTweets @ynsmroztas @ctbbpodcast Very interesting, I might start messing around with that snaps feature and try to use prototree to see if you missed anything
1
0
1
@MtnBer
Matan Berson
2 months
@PikuHaku @albinowax No it was all about backend stuff
0
0
1
@MtnBer
Matan Berson
6 months
@proabiral @galnagli @Bugcrowd Why would a VDP be private? Doesn’t that defeat the whole purpose of it😂
0
0
1
@MtnBer
Matan Berson
1 year
@samwcyo @infosec_au @iangcarroll These writeups are always so great. I still often quote from the threat model section of your web3 writeup in my reports. It’s super fun to see you hack nearly all forms of traversal known to man and I’m looking forward to a writeup on nuclear submarines
0
0
1
@MtnBer
Matan Berson
2 months
0
0
1
@MtnBer
Matan Berson
1 year
@ctbbpodcast I learnt this technique some time ago from tinyxss by @terjanq , it’s a really useful resource. Here’s the short version I saw there: import(/\example[.]com/) Thanks terjanq!
0
0
1
@MtnBer
Matan Berson
5 months
@dPhoeniixx Very interesting, thanks for sharing!
0
0
1
@MtnBer
Matan Berson
5 months
1
0
1
@MtnBer
Matan Berson
5 months
@_godiego__ Where is that? Bugcrowd?
1
0
1
@MtnBer
Matan Berson
2 months
@AliaSaleh89 I’d say it’s a medium and I don’t think you can chain it with any other bug
1
0
1
@MtnBer
Matan Berson
1 month
@G0LDEN_infosec Aww thanks man! I’m glad you enjoyed it
0
0
1
@MtnBer
Matan Berson
1 year
@securibee I don’t like how brave makes a lot of noise in devtools. I will probably use some degoogled version of chromium if it helps mitigate this
0
0
1
@MtnBer
Matan Berson
1 year
@_CryptoCat Intercept response -> insert XSS payload -> report self-XSS
0
0
1
@MtnBer
Matan Berson
1 year
@Silou_Atien @LiveOverflow @Burp_Suite Good idea! I think you can do: ./chrome-renamed --custom-arg=value "$@" in the script to keep the parameters added by burp. You can also just make a python script and “forward” argv[1:], which is how I do it in my scripts
0
0
1