Many have seen the video where vexal modifies his Porsche 911 to run DOOM. It is the same guy who used a toaster to control a PC game a few years ago. How technically accurate these videos are is debatable, but the underlying creativity is hard to question. Naturally, when we saw the video, we did not want to lag behind, but what is the best way to respond to something like this? Inventing the DOM DOOM XSS, of course!
TL;DR: Access control for AWS S3 is set up on multiple levels, each with its own risk of misconfiguration. We go through the specifics of each level and identify the dangerous cases where weak ACLs create vulnerable configurations, affecting either the owner of the S3 bucket directly or, through third-party assets hosted in S3, the many companies that load those assets. We also show how to set it up properly and how to monitor for these sorts of issues.
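As an added example (not code from the linked post), here is an offline audit of one of those levels, the bucket or object ACL. It assumes the dict layout that boto3's get_bucket_acl / get_object_acl return, treats the AuthenticatedUsers group as just as public as AllUsers (any AWS account qualifies), and uses a severity rating that is my own choice; the weak and hardened ACLs at the bottom are constructed for illustration.

```python
"""Audit an S3 bucket or object ACL for grants to public groups or other accounts.

Added example, not code from the Detectify post. It assumes the dict layout
returned by boto3's get_bucket_acl / get_object_acl and runs offline, so the
sample ACLs at the bottom are constructed rather than fetched from AWS.
"""

# Predefined S3 groups. AuthenticatedUsers means *any* AWS account, not just
# yours, so it is treated exactly like AllUsers here.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "Everyone (AllUsers)",
    AUTHENTICATED_USERS: "Any AWS account (AuthenticatedUsers)",
}

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]

# Severity of each ACL permission when granted to a public group (my rating).
PUBLIC_PERMISSION_SEVERITY = {
    "FULL_CONTROL": "critical",  # read, write and rewrite the ACL itself
    "WRITE_ACP": "critical",     # can grant itself FULL_CONTROL
    "WRITE": "high",             # bucket: create, overwrite, delete any object
    "READ": "medium",            # bucket: list objects; object: download it
    "READ_ACP": "low",           # read the ACL (reveals owner and grantees)
}

# Same permissions granted to one specific foreign account: may be intentional
# cross-account sharing, so one notch lower, but ACL control is still flagged.
FOREIGN_PERMISSION_SEVERITY = {
    "FULL_CONTROL": "high",
    "WRITE_ACP": "high",
    "WRITE": "medium",
    "READ": "low",
    "READ_ACP": "low",
}


def classify_grant(grant, owner_id):
    """Return (severity, who) for one grant; severity 'none' means expected."""
    grantee = grant["Grantee"]
    permission = grant["Permission"]
    if grantee.get("Type") == "Group":
        uri = grantee.get("URI", "")
        if uri in PUBLIC_GROUPS:
            return PUBLIC_PERMISSION_SEVERITY.get(permission, "medium"), PUBLIC_GROUPS[uri]
        # Other predefined groups (e.g. LogDelivery) are service groups; list
        # them at low severity so they appear in a review without alarming.
        return "low", "group " + uri
    # CanonicalUser or AmazonCustomerByEmail grantees.
    grantee_id = grantee.get("ID") or grantee.get("EmailAddress", "?")
    if grantee_id == owner_id:
        return "none", "owner"
    return FOREIGN_PERMISSION_SEVERITY.get(permission, "low"), "account " + grantee_id


def audit_acl(acl):
    """Return findings as (severity, who, permission) tuples, worst first."""
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        severity, who = classify_grant(grant, owner_id)
        if severity != "none":
            findings.append((severity, who, grant["Permission"]))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[0]), reverse=True)
    return findings


def worst_severity(findings):
    return findings[0][0] if findings else "none"


# Constructed ACL in the boto3 shape: the owner plus three grants that look
# like harmless checkboxes in the S3 console.
SAMPLE_BUCKET_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "other-account-canonical-id"},
         "Permission": "READ_ACP"},
    ],
}

# The corrected ACL: only the owner; any sharing goes through a bucket policy.
HARDENED_BUCKET_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("weak", SAMPLE_BUCKET_ACL), ("hardened", HARDENED_BUCKET_ACL)):
        findings = audit_acl(acl)
        print(f"{name}: worst={worst_severity(findings)}")
        for severity, who, permission in findings:
            print(f"  [{severity}] {who}: {permission}")
```

To run it against real buckets, feed the output of `boto3.client("s3").get_bucket_acl(Bucket=name)` into `audit_acl`; the same function works on `get_object_acl` output, which is where the third-party asset case usually hides, since an object ACL can be public even when the bucket ACL looks clean.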
Our guest blogger and Detectify Crowdsource hacker ak1t4 explains how he discovered and reported a persistent XSS vulnerability on Teamtailor that affected thousands of career sites – including Detectify’s external career site. Teamtailor patched the vulnerability within one day after the issue had been reported.
This is a walkthrough of a hard-to-reproduce bug I found in Slack a few months back. Even though the payload only worked because of a legacy migration, by utilizing Python’s AppKit to insert data into Chrome’s rich text format clipboard, I was able to add and modify the XSS payload already inside Slack.
A couple of weeks ago I put up a small challenge for a specific XSS problem, called Twins of Ten. The idea was to find a payload limited to ten characters; these characters would repeat once, and you could expand it to as many pairs as you wanted. The challenge was both to find the shortest payload and to find a way around the XSS Auditor inside Chrome / Safari.
Earlier this year I spent some days approaching Google as a target for some research. It had been a long time since the last time, and I had actually lost my 0x07 in their Security Hall of Fame. Some really great people took my spot, so it wasn’t that bad after all. Anyway, I wanted to share some funny techniques that I found to be really useful. You might already know about them – but with hindsight – not everyone seems to.