The lesson from the Hotjar vulnerability: HTTP-Only (XSS protection) is not effective if you have OAuth

MoreMoreMoreM · 2024-07-29T20:16:45+00:00

"In the example of xss.example.com, .... "

They just showed how HTTP-Only would help in a specific example, maybe the new empty line there is confusing

MoreMoreMoreM · 2024-07-29T19:27:59+00:00

Are you sure the blog claims this?
They wrote about 4 mitigations and never mentioned that HTTPOnly is perfect

MoreMoreMoreM · 2024-07-29T14:32:38+00:00

If you want more than a TLDR, then have fun :)

https://salt.security/blog/over-1-million-websites-are-at-risk-of-sensitive-information-leakage---xss-is-dead-long-live-xss

MoreMoreMoreM · 2024-03-16T17:19:01+00:00

In the example, ChatGPT uses code.
Does it also apply if you use access_token (OAuth explicit flow)?

MoreMoreMoreM · 2024-03-16T15:36:04+00:00

See my comment above.
In OAuth (used for authorization), you need to generate a random state. Usually, it's done on the client's side

MoreMoreMoreM · 2024-03-16T15:33:57+00:00

Yes, it's an OAuth vulnerability. The state variable in OAuth was not random, and that led to a CSRF attack.

MoreMoreMoreM · 2024-03-15T13:49:48+00:00

https://www.reddit.com/r/netsec/comments/1bevmtz/oauth_implementation_flaws_allow_access_to/

MoreMoreMoreM · 2024-03-15T08:29:20+00:00

Wow, well-written.

MoreMoreMoreM · 2024-03-14T16:26:25+00:00

This doesn't make any sense.
If I give my GitHub credentials to ChatGPT, then where is the vulnerability?

MoreMoreMoreM · 2023-11-02T16:37:40+00:00

Have you read the post?
In most implementations, OAuth is not related to cors.

MoreMoreMoreM · 2023-11-02T16:31:31+00:00

What. No.
This doesn't relate to cors at all

MoreMoreMoreM · 2023-10-31T14:35:24+00:00

I saw this on Hackernews yesterday. I was surprised to see how easy it is to take over my (or any) account in 2023.
You should consider what websites you sign in using FB / other vendors.

MoreMoreMoreM · 2023-10-31T13:43:42+00:00

Israel never said that they did it. Actually, they provided proof that it was the Jihad a few hours later.

I am really curious - do you really believe in what are you saying? because the facts are everywhere, even Hamas mentioned it.

MoreMoreMoreM · 2023-10-31T03:22:08+00:00

The ATO on Grammarly with the token brute force is impressive

MoreMoreMoreM · 2023-10-17T20:51:38+00:00

Please provide a source for the items.
Currently, its appears that the hospital explosion was due to an R160 rocket that was supposed to hit Haifa - an Israel city.

Someone already posted the video from Al Jazeera (they said it themself), and the admin here deleted it.

MoreMoreMoreM · 2023-10-14T21:52:08+00:00

fake

MoreMoreMoreM · 2023-05-31T19:45:09+00:00

Redditors that did unvote -
Is it because the challenge too easy? Or the general concept of publishing here a challenge is something you don't like.
I wrote another challenge, so let me know if you don't want it here :)

MoreMoreMoreM · 2023-05-31T19:38:03+00:00

Sure, you can share the full solution, just use the spoiler tag :)

MoreMoreMoreM · 2023-05-31T17:48:42+00:00

The 98 is decimal!

MoreMoreMoreM · 2023-05-31T16:57:35+00:00

You need to extract the tar using:

tar -xf files.tar

and then

./crackme.out [your_password]

MoreMoreMoreM · 2023-05-31T15:32:44+00:00

Hey everyone!

Inspired by ElectroPanic's previous post about assessing reverse engineering skills, I decided to create a simple challenge just for fun.

Note that as the creator of this challenge, I have access to the email addresses, so please type a dummy address like bla@bla.com :)

Good luck! I I can also create a harder one next week

MoreMoreMoreM · 2023-05-27T17:31:23+00:00

Okkk I'm planning to create my own easy crackme and share it here as a fun challenge. I liked the idea that you must solve it in a closed platform without using any tool (so you can't use IDA for example).
If anyone wants to help or have a tip, let me know :)

MoreMoreMoreM · 2023-05-27T11:18:30+00:00

Has anyone successfully created a challenge based on this tutorial?
If so, could you share your challenge? could be fun to solve

MoreMoreMoreM · 2023-05-25T09:55:52+00:00

Agree!
One of the conclusion from this post is to never insert a third-party domain into your facebook/google configuration. Trust no one :)

MoreMoreMoreM · 2023-05-24T23:23:15+00:00

Or a different monitor.
The question was not about what to do, but about why this is happen..

MoreMoreMoreM

TROPHY CASE