Blogged! I wrote about a Discord's RCE I found. (日本語) (English) (DEMO)

RT @d4d89704243: Introducing the Cookie Sandwich, a tasty technique to steal HttpOnly cookies using legacy RFC features:

@slonser_ I noticed the article has been updated :) I'm trying to reproduce it but got an error because SVG doc does not have `document.body`. And even if I set an element on SVG as the target of appendChild, I couldn't confirm that <img onerror> would be executed. Any ideas?

@RenwaX23 @slonser_ var style_container = document.createElement('style'); style_container.innerText = `.classname{ background: url(</style><img src=x onerror=alert()>); }`; var host = document.createElement('div'); host.innerHTML = style_container.outerHTML;//alert called

RT @slonser_: In 2024, I interacted a lot with Extensions. I decided to create a resource that will help with a basic understanding of ext…

RT @orange_8361: The detailed version of our #WorstFit attack is available now! 🔥 Check it out! 👉 cc: @_splitline_

昨年のXSSチャレンジの解説です。 自分の解説は68ページから。実際にみつけたバグをベースにした、近年再注目されている文字コードの自動選択を使ったXSSの問題でした。 最後には10年以上前にISO-2022-JPの自動選択を無効化していたある先進的な(？)ブラウザについてもおまけで触れています。

@shhnjk XSS was on a Blob URL, but I've used the auto-detection trick in the real world. FYI, I also noticed this Chrome's bug at that time:

RT @ThreemaApp: Threema 2.0 for desktop (beta), which was audited by @cure53berlin earlier this year, recently passed a bug bounty challeng…

RT @S1r1u5_: Imagine opening a Discord message and suddenly your computer is hacked. We discovered a bug that made this possible and earne…

@zcorpan @terjanq @shhnjk Yes, it is assumed that you can write arbitrary HTML. I think the hardest puzzle piece to get here is that the existing CSP script-src directive has 'inline-speculation-rules' source expression since as of now, there are almost no apps that use this.

RT @sudhanshur705: The challenge is over, so sharing a writeup as the solutions were really interesting. There were three challenges rela…

@terjanq @shhnjk Thank you for approving this interesting feature😄 The inline speculation rules are also interesting because it can be used to leak attribute values under certain CSP restrictions without using JS/CSS.

RT @MaitaiThe: Here there are the full solves for all of the 3 XSS challenges by @flatt_security. Looking forward…

@WeizmanGal Yes, I hope to share more details at some point. But maybe it will be a while before I can release it because this was achieved by combining 3 bugs, 2 of which have yet to be fixed :(

スコアボードアプリをハッキングしていないと誓います！！😂

@MiniMjStar XSS. Check "rules" :)