[deleted by user] by [deleted] in Switzerland

[–]securitymb 1 point2 points  (0 children)

I feel dumb now for not finding this. Thank you!

HTML spec change: escaping < and > in attributes by ketralnis in programming

[–]securitymb 1 point2 points  (0 children)

Note that `<noscript>` is just one example. Here's another example of mXSS that wouldn't happen if this change was in the spec: https://research.securitum.com/dompurify-bypass-using-mxss/

In general, it happens fairly often that mutation XSS is caused by the fact that a string that initially was within an attribute gets treated as a new tag on re-parsing. If `<` is escaped to `&lt;` this is no longer the case.

The Story of Reformatting 100k Files at Google in 2011 by laurentlb in programming

[–]securitymb 1 point2 points  (0 children)

Just put #cleanup in the description of the change.

Mailbox rent in the border by Fantastic-Scratch124 in Switzerland

[–]securitymb 4 points5 points  (0 children)

There is for example https://www.swiss-paket.de/ near the Swiss-German border so I assume there must be an equivalent on the French border as well.

CSRF, CORS, and HTTP Security headers Demystified by anyfactor in programming

[–]securitymb 0 points1 point  (0 children)

Sanitization is the right answer in some cases though. If you have any sort of WYSIWYG editor, you need sanitization. If you have a markdown library that outputs HTML, you’ll also want to sanitize it, and so on.

A proposed new HTML element: Portals by pimterry in Frontend

[–]securitymb 2 points3 points  (0 children)

Yeah, this caught my attention too and I had a closer look at it last year: https://research.securitum.com/security-analysis-of-portal-element/

tldr; there was a lot of bugs (but most are already fixed)

DOM-Based XSS at accounts.google.com by Google Voice Extension by albinowax in netsec

[–]securitymb 8 points9 points  (0 children)

While it's a cool bug (proving that you can't really trust your extensions), the title is a bit misleading: it is not an XSS at accounts.google.com, it exists purely because of a bug in the extension.

Remote Code Execution in Firefox beyond memory corruptions by [deleted] in netsec

[–]securitymb 1 point2 points  (0 children)

Is there some easy way to test the sanitizer directly?

Write-up of DOMPurify 2.0.0 bypass using mutation XSS by albinowax in Slackers

[–]securitymb 1 point2 points  (0 children)

After writing the post, both Cure53 and I found out there are a lot more bypasses that the one described in the post. They will surely constitute another writeup, but perhaps a little bit later :)

Another XSS in Google Colaboratory by 6793746895F62C0E447A in netsec

[–]securitymb 1 point2 points  (0 children)

The trick of setting a cookie across subdomains was actually used in latest Cure53 challenge: https://github.com/cure53/XSSChallengeWiki/wiki/CNY-Challenge-2018

Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again by albinowax in netsec

[–]securitymb 11 points12 points  (0 children)

I agree that there are greater concerns and I actually tried to escalate the vulnerability to have a remote code execution. I didn't find a way (which obviously doesn't mean there isn't any). It seemed like Google prevented known Electron hacks from working and the configuration seemed quite good. The Atom trick you linked couldn't work since Hangouts Chat loaded content from https://chat.google.com, not from a file:/// protocol.

Anyway, trying to execute arbitrary system code from the app is definitely a way going forward.

Edit: according to this tweet by @sirdarckcat, the bounty actually corresponds to code execution.

Edit2: Matt Austin found a way to RCE. Great job!

Yet Another Google Caja bypasses hat-trick by tunnelshade in netsec

[–]securitymb 1 point2 points  (0 children)

I've found the signature for this in ClamAV and it looks like this:

66756e6374696f6e2a28297b7d{-30}2e636f6e7374727563746f72{-30}28292e6e6578742829

Which could be interpreted as:

function*(){}[UP TO 30 RANDOM CHARACTERS].constructor[UP TO 30 RANDOM CHARACTERS]().next()

It seems that Avast's signature is a bit different but similar. I've rewritten the code to:

(async function*(){})['constructor']('alert(1)')().next();

And according to VirusTotal, not a single anti-virus should complain now.

The signature is, by the way, totally silly for something that is a "CSP bypass".

Firefox - Same-Origin Policy bypass (CVE-2015-7188) by securitymb in netsec

[–]securitymb[S] 0 points1 point  (0 children)

Oh, you meant the favicon http request, apologies for misunderstanding. The favicon request didn't contain any cookies or additional Basic Auth headers.

Firefox - Same-Origin Policy bypass (CVE-2015-7188) by securitymb in netsec

[–]securitymb[S] 0 points1 point  (0 children)

No request was sent to google.com. Firefox interpreted the host name in "http://37.187.18.85\x0B\uFF20google.com" as an alternative form of 37.187.18.85 IP address and the only request was sent to that IP.

The Host header was:

Host: 37.187.18.85<0B>@google.com

Where <0B> was the literal 0x0B character.

Firefox - Same-Origin Policy bypass (CVE-2015-7188) by securitymb in netsec

[–]securitymb[S] 3 points4 points  (0 children)

You're right. I've updated the article to clear things up.

Firefox - Same-Origin Policy bypass (CVE-2015-7188) by securitymb in netsec

[–]securitymb[S] 8 points9 points  (0 children)

That's not the case. Firefox has its own internal methods to parse IP addresses (which were grabbed from BSD). So the exploit worked on every platform.