Combining host header injection and lax host parsing serving malicious data

labsdetectify

TL;DR, There used to be a bug in Internet Explorer allowing attackers to force victims to send requests with malformed Host headers. File Descriptor used it to steal GitHub OAuth tokens, and we used it to confuse Heroku and Fastly’s host routing to make them serve our content on their customers’ domains. Fastly and Heroku have since then patched the issue on their side.

The story of EV-SSL, AWS and trailing dot domains

labsdetectify

Building an XSS polyglot through SWF and CSP

labsdetectify

The mind twister was to abuse the CSP headers to inject a javascript through a third-party domain that only allowed SWF-upload. A few Payment Service Providers offers bug bounty programs. On one of the providers I was able to find a stored XSS on the receipt-page of a successful payment. The receipt page had a permalink-URL that was sent out by email to the buyer. This meant that the XSS could be accessed by anyone that had the receipt-link.