corben.io

corben.io


infosec write-ups and ramblings

Tags


CORS

Advanced CORS Exploitation Techniques

I've seen some fantastic research done by Linus Särud and by Bo0oM on how Safari's handling of special characters could be abused. https://labs.detectify.com/2018/04/04/host-headers-safari/https://lab.wallarm.com/the-good-the-bad-and-the-ugly-of-safari-in-client-side-attacks-56d0cb61275aBoth article…

Corben Leo Corben Leo

Chaining Bugs to Steal Yahoo Contacts!

👨🏻‍💻 Introduction & Background:This is a write-up of how I chained two vulnerabilities (an XSS and a CORS misconfiguration) that allowed me to steal contacts from a victim's contact book. This data included: names, phone numbers, addresses, etc. ✗ Cross-Origin-Resource SharingCross-Origin Res…

Corben Leo Corben Leo

Tricky CORS Bypass in Yahoo! View

Recently, HackerOne hosted their second Hack The World competition. During this time I decided to take a look at Yahoo's bug bounty program because I have heard good things about them and also due to the fact that their scope is pretty big. After finding a few issues in my.yahoo.com and getting paid…

Corben Leo Corben Leo