This post is a write up of an XSS in AMP4Email (obviously already fixed) I reported via Google Vulnerability Reward Program in August 2019. The XSS is an example of a real-world exploitation of well-known browser issue called DOM Clobbering.
Year: 2019
Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609)
Prototype pollution is a vulnerability that is specific to programming languages with prototype-based inheritance (the most common one being JavaScript). While the bug is well-known for some time now, it lacks practical examples of exploitation. In this post, I’m showing how to exploit it to achieve Remote Code Execution in Kibana.
JWT (JSON Web Token) (in)security
JWT (JSON Web Token) is a mechanism that is often used in REST APIs it can be found in popular standards, such as OpenID Connect, but we will also encounter it sometimes using OAuth2. It is used both in large companies and smaller organisations. There are many libraries available that support JWT, and the standard …
Write-up of DOMPurify 2.0.0 bypass using mutation XSS
Yesterday, a new version of DOMPurify (very popular XSS sanitization library) was released, that fixed a bypass reported by us. In this post I’ll show how exactly the bypass looked like preceded by general information about DOMPurify and how it works. If you are aware of how purifiers work and what mXSS is – you …
Server Side Template Injection – on the example of Pebble
Server-Side Template Injection isn’t exactly a new vulnerability in the world of web applications. It was made famous in 2015 by James Kettle in his famous blogpost on PortSwigger blog. In this post, I’ll share our journey with another, less popular Java templating engine called Pebble.
Security analysis of <portal> element
Portal is a fairly new HTML element that is currently supported only in Chrome Canary behind the #enable-portals flag. Their main objective is to enable seamless transitions to the web by pre-rendering content in an iframe-like element that can be then “promoted” (activated) to a top-level frame. In this article we focus of security analysis thereof.
HTTP 2 protocol – it is faster, but is it also safer?
Do we want the current web applications to run faster without additional expenditures on better network connection or server infrastructure? Yes, of course, and that was the main goal for the developers of the HTTP/2 protocol. To be more precise, it was about increasing the efficiency of communication between the client (in other words, the …
Basics of HTTP Protocol
Introduction HTTP headers, URLs, URIs, requests, responses, percentage encodings, HTML forms, parameters sent by the HTTP protocol, various HTTP server implementations resulting in security problems – these are just a few elements that I will address in this text. The beginner readers will learn the necessary basics to further explore the subject of web applications …