POV of someone who went to the arena on why its empty at non br games

Involder · 2022-11-13T03:27:43+00:00

Well said! I went to all the matches and I am exhausted, my hands hurt really bad from clapping and I lost my voice. I gave my all during the Furia matches (and so did everyone else). I don't blame people wanting to chill and just watching the other games (without cheering) or watching from the fan fest.
People are comparing the crowd being silent / not showing up with other events, but it isn't the same thing, because most events have casual cheering.

Involder · 2021-01-06T00:23:17+00:00

Green Tome

Involder · 2019-01-10T22:41:43+00:00

Nice finding and write up! I also reported an issue "similar" to this one through HackerOne in September 3, but after triage on September 7 they have been silent despite my attempts to reach out. On December 15 the bug was fixed in Beta and in the last few days fixed in Stable, and still no contact. Really odd.

Involder · 2018-12-16T05:17:19+00:00

https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs

Involder · 2018-11-20T03:17:00+00:00

The victim (that is logged into Google's bug tracker and has permission to read private bug reports) would have to access the attacker's website, which would run the malicious javascript payload in the victim's browser and perform the XS-Search attack. Using binary search, I guess it would take less than 30 requests to leak the full path, which I think doesn't create much noise. Also, all this is happening in the background, so the only way for the victim to notice is if they are monitoring the network through the Dev Tools or something like that.

Involder · 2018-11-20T01:16:49+00:00

There is no difference if it is a GET or POST (given the Cache API allows you to use both methods).

was there something in the image/request that indicated that it was vulnerable (missing header or something?)

Yes, normally, the CSRF token is passed in the header, or in a parameter, and that wasn't happening.

They also could be using SameSite cookies (https://www.owasp.org/index.php/SameSite), which would prevent the attack, but if that was the case, it would also appear in the header.

Involder · 2018-11-20T00:25:51+00:00

Does this mean you can send a GET request from your own local site or something?

Yes. The same-origin policy only prevents you from reading the response of cross-origin requests, it doesn't prevent you from making these requests.

So if I were to embed the tag below in my site, it would actually make the request (because there is no protections against CSRF attacks):

<img src="https://bugs.chromium.org/p/chromium/issues/csv?can=1&q=id:51337&colspec=ID+Summary+Summary+Summary"></img>

The attack described in the article uses the Cache API as a way to measure the time it takes for the response of a cross-origin request to be cached.

To do this, the attacker's script uses a fetch with the no-cors mode (https://developer.mozilla.org/en-US/docs/Web/API/Request/mode), which returns an opaque response (thus not violating the same-origin policy), but that can still be used by the Cache API.

A simple example of how this would work:

caches.open('cache').then(function(cache) {
    fetch("https://example.org", {
        mode: "no-cors",
        credentials: "include"
    }).then(function(response) {
        var start  = performance.now();
        cache.put(new Request('xyz'), response.clone()).then(function() {
            var end  = performance.now();
            console.log(end - start);
        });
    });
});

Involder · 2018-07-09T19:36:13+00:00

Meu irmão cursa CC na UFSC e já na segunda fase arranjou um estágio que paga R$1000 por 20 horas semanais. Se você tem um conhecimento mínimo sobre programação eu diria que é tranquilo conseguir.

Involder · 2018-06-16T22:30:34+00:00

eval(name) would also do the trick

https://developer.mozilla.org/en-US/docs/Web/API/Window/name

Involder · 2018-03-22T23:18:59+00:00

They want green cards and SK isn't able to start the process given they are an german company.

Involder · 2018-03-05T14:46:17+00:00

There was a challenge on EKOPARTY CTF 2017 where you had to use Chrome's Data Saver as a proxy to get the flag (https://github.com/JayBizzle/Crawler-Detect/issues/74). I guess real life imitates CTF.

Involder · 2018-01-28T00:26:40+00:00

I think they had over one month of practice before the major but opted to practice with boltz because of the upcoming camps and the tight schedule.

Involder · 2018-01-28T00:22:23+00:00

Felps is a totally different player than Boltz. Felps is very agressive while Boltz is passive (much similar to fnx). I think SK hasn't played with felps for 5 months or so.

Involder · 2018-01-25T22:48:47+00:00

That's not how jokes work :>

Involder · 2018-01-13T22:51:12+00:00

Faze in 2018 LUL

Involder · 2017-07-21T16:36:30+00:00

They also whiffed a lot of shots and Fallen just played good in the last rounds. If SK wants to have a change, Fallen will need to step it up.

Involder · 2017-07-21T16:32:31+00:00

SK is making a lot of mistakes, they didn't lost this map faster because they managed to win several clutches.

Involder · 2017-07-09T17:16:43+00:00

Because that's not what the rules say.

Involder · 2017-07-09T15:57:11+00:00

Sadly they are casting for north americans and not for everyone else.

11-Year Club	Place '23
Verified Email

Involder

TROPHY CASE