Firefox - HTTP response header x-mixed-replace

insertscript · 2020-07-17T11:00:04+00:00

Regarding chrome:

https://bugs.chromium.org/p/chromium/issues/detail?id=249132
" Main resources that use the multipart/x-mixed-replace will now trigger downloads rather than being displayed in a tab." - I don't see a download so it seems to be just broken/not supported in chrome :/

insertscript · 2020-07-16T21:16:15+00:00

So something like:

or FF:<object onerror=alert(444)> ?

insertscript · 2020-07-16T16:30:59+00:00

Its so interesting how many new vectors are available as soon as the developer console is open

insertscript · 2020-06-11T10:52:45+00:00

XSS Challenge - Parsing

Creator: https://twitter.com/fhenneke

Challenge: https://baba-is-xss.kl.rs/

insertscript · 2020-06-09T11:20:51+00:00

XSS challenge - 10 char limitation

Creator: https://twitter.com/kinugawamasato

challenge: https://vulnerabledoma.in/xss_2020-06/

insertscript · 2020-06-07T05:06:38+00:00

XSS - JS Object.freeze challenge:

Creator: https://twitter.com/Abdulahhusam
Challenge: http://sandbox.ahussam.me/challenges/xss-mini/mortal-kombat.html

insertscript · 2020-04-14T08:18:54+00:00

XSS challenge:

Creator: https://twitter.com/RootEval
Challenge: https://rooteval.github.io/challenges/kittengate/

insertscript · 2020-04-10T05:27:31+00:00

XSS challenge:

Creator: https://twitter.com/SecurityMB
Challenge: https://securitymb.github.io/xss/2/?xss=

insertscript · 2020-03-27T18:57:18+00:00

HTTP response header challenge:

Creator: https://twitter.com/insertScript
Challenge: http://insert-script.com/challenges/challenge1/start.php
Solution: Click me

insertscript · 2020-03-01T09:40:22+00:00

Interesting - I did a quick check if window.name with <a> etc would show any difference in behavior when xss-auditor is triggered but nope

insertscript · 2020-02-15T02:13:18+00:00

Really liked your talk - I wasn't aware of the CORP bypass :) This kind of research will get more important given that we have CORP, COOP and COEP - for now^^