Detectify Labs

My stance on login/logout CSRF has changed. I, like many others, used to quickly dismiss them as a non-security issue. However, there are several situations where they could become a security issue.

TLDR; I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.

Frans Rosén postmessage Slack

SQL Injection in INSERT can be used not only to extract data, but also add/modify data in the table used in the query. This post describes how.

Mathias Karlsson SQL Injection

Our guest blogger and Detectify Crowdsource hacker Karim Rahal explains how he discovered and reported a stored XSS vulnerability that affected over a million of websites.

TL;DR: CSP can’t block <meta http-equiv="Set-Cookie" content="a=b">. XSS vulnerability on a page with CSP can still be source for attacks that are based on writing cookies. Let’s take a look at some examples of cookie fixation issues.

Cookie fixation CSP Mathias Karlsson

AddThis is a share button used by over a million sites. They were all vulnerable to XSS earlier this year. In my previous post I described the pitfalls of the postMessage API. This post will describe how I identified and exploited them on the AddThis widget.

AddThis Mathias Karlsson postmessage

The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities.

Mathias Karlsson postmessage

TL;DR, There used to be a bug in Internet Explorer allowing attackers to force victims to send requests with malformed Host headers. File Descriptor used it to steal GitHub OAuth tokens, and we used it to confuse Heroku and Fastly’s host routing to make them serve our content on their customers’ domains. Fastly and Heroku have since then patched the issue on their side.

bug bounty Fastly Frans Rosén Heroku Mathias Karlsson

When it comes to Amazon Web Services (AWS), both S3 and CloudFront lack domain validation. If a domain has a DNS entry pointing to either S3 or CloudFront but the domain is not actually claimed in S3 or CloudFront, it’s possible for anyone to claim the domain and serve their own content on the domain using these two AWS services. We will explain another problem with the lack of domain verification, combining trailing dot domains, conflict checks and how SSL common name matching works today.

Frans Rosén Hostile Subdomain takeover SSL

This is a walkthrough of a hard-to-reproduce bug I found in Slack a few months back. Even though the payload was only working because of a legacy migration, by utilizing Python’s AppKit to insert data into Chrome’s rich text format clipboard, I was able to add and modify the XSS payload already inside Slack.

Frans Rosén Slack XSS

Older

Login/logout CSRF: Time to reconsider?

Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token

SQLi in INSERT worse than SELECT

Stored XSS-ing Millions Of Sites Through HTML Comment Box

CSP flaws: cookie fixation

postMessage XSS on a million sites

The pitfalls of postMessage

Combining host header injection and lax host parsing serving malicious data

The story of EV-SSL, AWS and trailing dot domains

Using Chrome's web-custom-data UTI to inject a stored XSS in Slack