Excited to launch my first browser extension, DOMLogger++! Now available for both Firefox and Chromium! 🎉
DOMLogger++ allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations 🔥
Check it out 👇
1/5
I'm glad to finally present my research about "Abusing Client-Side Desync on Werkzeug" at @sstic 2023 📜
Research paper is available here:
Slides are available here:
My vulnerability reports on are now available! ⚠️
If you use the desktop version, think about updating it! More information below 👇
- RCE:
- XSS to RCE:
- XSS:
Last month, I did some research on NodeJS templating libraries. During this research, I found an interesting Server Side Prototype Pollution gadget inside the EJS library that can be leveraged to RCE!
Technical details here:
For the @GrehackConf 2023 #CTF, I made 2 hard #web challenges 🚩
They were about:
[1] Python class pollution to RCE on Flask application
[2] HTTPOnly cookie leak due to Werkzeug improper Cookie parsing
Detailed writeups 👇
[1]
[2]
A few weeks ago, I found a vulnerability on that notably allowed me to Rick Roll all users accessing the site 👀
You can find the writeup on my website:
DOMLogger++ v1.0.4 is now out and available in stores! It comes with new features that allow you, for example, to easily dig into DOM gadget occurrences after an innerHTML sink 🔥
More details can be found here 👇
1/3
Recently, I've started to search for full XSS-to-RCE chains on desktop applications. With this objective in mind, I came up with an interesting concept of CSP script-src self bypass for local electron apps on Linux! ⏭️
Link below 👇
Recently, I discovered a DOMPurify bypass when the CUSTOM_ELEMENT_HANDLING and FORBID_CONTENT options are used ⏭️
This issue isn't a big deal as it doesn't involve a default configuration bypass. However, I thought it was interesting to document it 👇
I think it's time for a solution ⏰
To solve this challenge, you had to abuse the DOMPurify namespace misconfiguration to trigger an XSS this way 👇
Solution link:
1/6
Small XSS Challenge Time 🚩
Rules 📜
- You should only use the provided endpoint.
- The solution must not involve user interaction.
If you find the solution, please do not send it in the comments; send me a DM instead 📩
Challenge link 👇
Small Challenge Time 🚩
Rules 📜
- You should display an alert containing the flag cookie :)
If you find the solution, please do not send it in the comments; send me a DM instead 📩
Challenge link and sources 👇
I didn't know what to do yesterday night, so I decided to create an XSS challenge 🚩
There is nothing to win, I made it just for fun! If you want to try it out, click on the link below 👇
The final goal is to pop an alert without any interaction 🔥
In September, I looked into mlflow, and found several critical vulnerabilities 😁
Most of these reports are now patched and publicly available here:
My favorite one involves a fully controlled file write via a custom rogue FTP 👇
Yesterday, I did a talk on @rootme_org about #electron security. In this talk I also presented a step-by-step writeup of the research leading to finding the XSS to RCE vulnerability on @drawio last summer (CVE-2022-3133) ☀️
You can find the slides here:
Really proud of those bypass/mXSS variations. They involve some cool second-order DOM Clobbering and a new mutation gadget that I would like to call the elevator x)
1/2
DOMPurify 2.5.3 and 3.1.3 were released, covering a range of attack variations relating to nesting-based mXSS.
Thanks again to @kevin_mizu & @ryotkak for the invaluable help with finding new variations & verifying latest fixes 🙇
I think it's time for a solution ⏰
TL;DR
- Eventlet normalizes - to _ in header keys.
- The Fetch spec blocks Transfer-Encoding but not Transfer_Encoding.
- Bypass tracking policy on Firefox using open().
Detailed writeup 👇
1/2
As expected, two variations of the so far known mXSS attacks have been spotted and new DOMPurify releases are ready to fix those.
Many thanks to @kevin_mizu and @hash_kitten for spotting and reporting those 🙇
Challenge time is now over ⏰
TL;DR
- HTML injection
- Axios DOM Based CSPP
- Axios CSPP response overwrite gadget
- jQuery DOM Clobbering + CSPP selector overwrite gadgets
- Setting src attr to "javascript:" for each HTML node ➝ XSS
Detailed writeup 👇
GG to all the solvers! However, no one solved it in the intended way :p
Before giving my solution, I'm extending the challenge for another week with a fixed version!
If you find the solution, please send me a DM 📮
The challenge is accessible here 👇
I'm glad to announce that I will present a talk at @sstic #2023 about an interesting Client-Side Desync case I found last year in Werkzeug that can be leveraged to XSS on default configurations 🔥
More information here:
Challenge time is now over, I hope you've liked it! 😁
TL;DR
- mXSS via client-side / server-side confusion
- auto download to store the payload on file://
- puppeteer bot without SOP ➝ devtools (CDP)
- open file:// ➝ leak the flag
Detailed writeup 👇
#FCSC2023 is over!
I ended 1st in the web category and 10th senior 🎉
Like every year, the CTF was incredible and I learned a lot of new stuff! Special thanks to @BitK_ for the hardest web challenges 🔥
My writeups can be found here:
After a week of hard work, @anssi_fr's #FCSC2022 #CTF is finally over!
I've finished 9th out of 646 senior challengers, and 13th out of 1524 overall! 🎉
You can find my #writeups here:
Congratulations to all the other challengers! 👏
⏰ It's CHALLENGE O'CLOCK!
👉 Find the FLAG before Tuesday November the 7th!
👉 Win €300 in SWAG prizes!
👉 We'll release a tip for every 100 likes on this tweet!
Thanks @kevin_mizu for the challenge! 👇
I really enjoyed doing the @MidnightFlag's qualification with my friends: @PerceSecu, @voydstack and @Nishacid (Maybe even more because we ended first :p)
Thanks to all the challenge makers 🙏
My writeups are available here:
This week, I solved an interesting challenge made by @0xItarow at @_barbhack_ 🌞
It was about RPO abuse on a file upload feature!
You can find the writeup here: 🎉
This issue looks incredible, but I don't understand how this could be triggered from the client-side. Does anyone have a more detailed write-up about it? Or simply more information?
From the advisory, it seems to be a queue poisoning vulnerability, but I'm not sure 🤔
⏰ Intigriti's January Challenge is over!
✅ 37 hackers found the right solution!!
📑 7 hackers wrote a cool writeup!
🏆 Check out the winners below and drop your write-up in the comments!
⏰ It's CHALLENGE O'CLOCK!
👉 Pop an alert before Tuesday January the 15th!
👉 We'll release a tip for every 100 likes on this tweet!
👉 Thanks @kevin_mizu for the challenge! 👇
We've made the web challenges with @BitK_; if you have some time, come take a look 🚩
Can't wait to see how long it will take someone to clear the category 👀
#FCSC2024 🐔 the competition is open!
📢 Until 14 April, solve as many challenges as you can: crypto, reverse, pwn… to win your place in the @ECSC_TeamFrance that will represent France at the ECSC.
🚩 RkNTQ3tnbCZoZiF9
➡️ Your turn to play:
Last week, I organized the @ctf_esaip with friends; for this occasion, I made 5 web challenges 🚩
They were about mXSS, subdomain takeover, prototype pollution, OAuth... 🔥
I've started writing my writeups; they can be found here: 🕸️
Last week, I created 3 web challenges for the #10kCTF organised by @rootme_org. 🚩
They were about: URL parsing confusion, SQLi in prepared query and HTML sanitizer bypass!
You can find the writeups here:
This month, I took part in my first solo CTF #DGhack and managed to reach 7th place in the student ranking and 19th overall! 🎉
The different writeups will soon be available here:
Thanks to the @DGA for the challenges
PS: An XXE tool should be released by the end of the year 👀
Our contributors have struck again!! 5 new Web-Client challenges are now available on the #RootMe and Root-Me Pro environments.
Thanks to @kevin_mizu for his remarkable work 👏!
Good flag to all! 🚩
I made 2 #web challenges (one with my friend @_Worty) for the @HeroCTF which took place over the last 2 days 🚩
They were about header disclosure via client side path traversal, DOM Clobbering gadget in NextJs... 🔥
You can find writeups and sources here:
Sad not to have been able to be in the photo, but still happy with our result 🎉
Thanks to the challenge creators and to the @_barbhack_ for the CTF 😁
All done – our live #BugBounty at @nullcon Berlin has just come to an end! Many thanks to our partner @otto_de for your trust, a big round of applause to all the hunters and special shout out to our top 3: @hanno, Noxious and @cWaveSoftware 👏
Here is
I'm really proud to announce that 2 of my challenges have been released on @rootme_org 🔥
They introduce DOM Clobbering and XS-Leaks vulnerabilities 🌐
You can find them here:
Hello 👋
During the @EuCyberCup web CTF, with @Ooggule and @FeelProud_sec, we obtained the flag of the 2nd challenge "Panid" in an unintended way; you can find the writeup here:
PS: Thanks to the admin for the flag :)
@intigriti
As the payload is directly reflected from PHP into a JavaScript string, it is possible to use encoding notation to bypass PHP's htmlspecialchars function 😁
For example, the following payload should make an alert:
\x3cimg src=x onerror=alert(1)\x3e
@intigriti
There is definitely an SSRF vulnerability, but if I'm not mistaken, recent Chromium versions no longer allow the about:blank page to frame the file:// wrapper. So, it shouldn't be possible to leak local files 🤔
I found an interesting behaviour in the MDN documentation.
In the case of a sparse Array, MDN says that methods such as entries, values... shouldn't do an "in" check and should treat empty slots as "undefined", but Chrome and Firefox do these checks.
Source:
@Rhynorater
@MtnBer
Thanks for sharing the extension! If anyone is interested, it can be found here: .
Btw, I'm working on new features that will allow, for example, hooking selectors occurring after an innerHTML. This would be useful for leveraging sanitized HTML inputs :D
@pilvar222
This is a nice trick! If you are interested, @terjanq has made a challenge / article about it:
I also found something equivalent on drawio using a restrictive JSONP endpoint to bypass a CSP:
@sudhanshur705
In case cookies are set to SameSite=Lax, you could abuse the fact that iframes load only SameSite=None cookies while loads both SameSite=None and SameSite=Lax 😁
1/2
@yeswehack
The vulnerability described in the snippet is RCE via custom Python library overwrite. In fact, the upload feature does not check whether the file exists and doesn't sanitize the filename, making path traversal possible.
@sudhanshur705
@gregxsunday
One of the biggest problems with HTML injection during PDF generation is that if it is sanitized, you can't see what happens during the PDF generation process.
By using <plaintext>, you can get the raw HTML printed as text in the output :D
@Sonar_Research
This challenge is about path traversal to template overwrite to RCE.
In fact, it is possible to create a user called "../templates/error.html". This will cause the app to use the error.html template file as the current user's note.
@yeswehack
This challenge is about insecure password reset token generation to account takeover.
In fact, the token is generated using md5(random_int(1000, 9999)), which makes it vulnerable to brute force.
Hi friendz! 🧙♂️
Next stream: Tuesday 17 October at 9 pm! 🔥
Topics:
- Open-Sourcing push-my-diffs by @TheLaluka 🔭
- Kubestroyer, HowTo & WhatNot by @Rolix_cy 🧊
- Hooking client side sinks using DOMLogger++ by @kevin_mizu 🕸️
See you soon! 😎🛠️
@intigriti
This snippet of code is about open redirect to XSS via the redirectURL GET parameter 💥
1) regexUrl allows any protocol with numbers, chars and tab.
2) antiXSS blocks URLs which start with JavaScript.
Thus, using jAvAScRIPt: or \tjavascript: wrapper should bypass the check.
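A hardened redirect check, as an added example that is not the poster's or the challenge's code: instead of a case-sensitive prefix blocklist, it parses the target with the WHATWG URL parser and allowlists the canonical scheme and origin. The function name isSafeRedirect and the ALLOWED_ORIGIN value are assumptions.

```javascript
// Constructed origin for the demo; in a real app this is the site's own origin.
const ALLOWED_ORIGIN = "https://app.example.test";

function isSafeRedirect(raw) {
  if (typeof raw !== "string") return false;
  let url;
  try {
    // Resolving against our own origin accepts relative paths like "/home".
    // The parser canonicalises the scheme to lower case and strips leading
    // tab/newline, so "jAvAScRIPt:" and "\tjavascript:" both parse as
    // protocol "javascript:" rather than slipping past a prefix check.
    url = new URL(raw, ALLOWED_ORIGIN);
  } catch (e) {
    return false; // unparsable input is never a valid redirect target
  }
  // Allowlist schemes instead of blocklisting strings.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Stay on our origin: this also rejects scheme-relative "//other.test"
  // and userinfo tricks such as "https://app.example.test@other.test/".
  return url.origin === ALLOWED_ORIGIN;
}

// Stand-alone demo over constructed inputs (the two bypass strings above,
// an off-origin target, and two legitimate same-origin targets).
const samples = [
  "/home?x=1",
  "HTTPS://APP.EXAMPLE.TEST/dash",
  "jAvAScRIPt:alert(1)",
  "\tjavascript:alert(1)",
  "//other.test/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isSafeRedirect(s));
}
```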
It's time for a first hint 💡
Have you started reading the jQuery source code from the beginning of a $('selector') call to search for a gadget? If not, you should definitely start with it 😁
@huntr_ai
Thanks for the highlight! It's been a pleasure to look for issues in AI open source projects 😁
I hope to be able to find more cool bugs in the future!
ESAIP CTF: registration is open! 👀
Registration for the 6th edition of the CTF has started. Students, professionals, get ready for the night of 26 May! 💥
👉🏻 See you at:
#CTF #Hack
[1/4] TL;DR
Apache httpd doesn't automatically return a Content-Type for files without a name (but with an extension) or files whose name is only dots. For example, test.jpg will return Content-Type: image/jpeg, but ...jpg will not
Writeups for the other web challenges (made by @BitK_) can be found in the #writeup channel of the CTF Discord server:
Btw, all the #FCSC2024 challenges are available on ! 👀
Thanks @ECSC_TeamFrance again for the opportunity 💙
2/2
To conclude, I would like to thank everyone who participated in this challenge 🙏
Furthermore, congrats to all the solvers and especially to the top 3:
🏆 @SecurityMB
🥈 @ixSly
🥉 @maple3142
Stay tuned, as another challenge might be released by the end of the year 👀
6/6
The true strength of DOMLogger++ is its flexible configuration ⚙️
With its JSON structure, you can easily hook any class, function, event, attribute, or custom elements 😎
For instance, the configuration below targets specific XSS sinks 🚰
2/5
@joaxcar
@renniepak
If using Burp's browser is a problem, I've created an extension () which allows you to fully configure what you want to hook/replace and get notifications from.
It is not yet ready for auto prototype pollution detection, but it might be a solution :D
With a view to competing in the Open Tour and taking part in the various LANs that will take place this year, we are partnering with the organisation @HegemoniaFrance, which will support us throughout this 2019 season #CKDO
@kevin_mizu
Good news! The challenge is back online and we've extended the deadline to Friday night 🥳🎉
We'd like to apologize for the downtime, so please take this free hint 💜
⛳️ Challenge time
It's been a while since I did one of these. Don't post solutions in the thread; send a DM!
The flag is in the fragment of the URL. Pop an alert with the flag.
Will patch unintended solutions as they drop in 😅
@intigriti
This is a self XSS abuse to leak sensitive content in the DOM. Thanks to the opener link (check ), it is possible to set up 2 windows, 1 with the victim card and another with the XSS (CSRF) which will be able to access opener info (same origin) :p
I think it's time for a second hint ⏰
Everything happens inside the .select(). Perhaps you should find a way to bypass the document checks to reach it?
Once your JSON configuration is set and domains selected, you can fetch logs via devtools or webhook! 🔥
The devtools panel leverages datatable's strength and custom filters for detailed log analysis 🔎
For instance, this is how it could look 👀
4/5
Mark your calendars, because HeroCTF v5 is coming with a lot of very cool challenges! 😎
📆 12th-14th of May 2023 (registration opens in April)
📌 Online (team up to 5)
🔁 Help us by sharing this post
@intigriti
On the above snippet, the vulnerability occurs in JWT token verification. In fact, the key used for the token verification is read from a file defined by the JWT kid value (inside its header). This value can be changed by an attacker to whatever they want.
Next week I will present a #talk at #BlackHat Europe 2022 on how to automate the search for RPC functions allowing to coerce authentications on #Windows.
Alongside this talk, I'm publishing a brand new version of #Coercer!
➡️ Check it out here:
To conclude this short write-up, I would like to congratulate the 3 flaggers of the challenge:
🏆 @Blaklis_
🥈 @pilvar222
🥉 @ankursundara
Solution link: 🎉
6/6