Popular Posts
-
TL;DR OAuth2 sucks. Please don't think about OAuth2 as about the next generation of OAuth1. They are completely different like colors: ... -
TL;DR We (me and @isciurus ) chained several different bugs in Facebook, OAuth2 and Google Chrome to craft an interesting exploit. Mallory... -
" Thanks! " to many of you, who shared the following promotion for J.Crew Factory. J.Crew is offering Factory Store shoppers a... -
Playing with 302-based header injection (majority of web servers is not vulnerable to it btw) i found one tricky neat bug which can be reall...
-
TL;DR Every website with "Connect Facebook account and log in with it" is vulnerable to account hijacking. Every website relying o... -
I discovered [1, nil] attack, but while i was checking unsafe query generation and DoS with symbols people on twitter found RCE for YAML thr...
-
Remember OAuth1 session fixation? No? Read writeup from Eran Hammer (the guy who hates OAuth2 as much as I do). Guess what - there's ex... -
Try to run this simple app: require 'sinatra' get '/' do redirect params[:to] if params[:to].start_with? 'http://host....
-
From official doc on Cross Origin Resource Sharing A header is said to be a simple header if the header field name is an ASCII case-ins...
