A deep dive into AWS S3 access controls – taking full control over your assets

labsdetectify

Google XSS Turkey

labsdetectify

Earlier this year I spent some days approaching Google as a target for some research. It had been a long time since the last time, and I actually lost my 0x07 in their Security Hall of Fame. Some really great people took my spot, so it wasn’t that bad after all. Anyway, I wanted to share some funny techniques that I found to be really useful; you might already know about them, but, with hindsight, not everyone seems to.

Building an XSS polyglot through SWF and CSP

labsdetectify

The mind twister was to abuse the CSP headers to inject JavaScript through a third-party domain that only allowed SWF uploads. A few Payment Service Providers offer bug bounty programs. On one of the providers I was able to find a stored XSS on the receipt page of a successful payment. The receipt page had a permalink URL that was sent out by email to the buyer. This meant that the XSS could be accessed by anyone that had the receipt link.