Back here after having a long relapse to the bird site. Old habits die hard
Excited to see if the content quality is still way better here
Hobby security researcher, mainly at https://hackerone.com/joaxcar
Twitter at https://twitter.com/joaxcar
@AlesandroOrtiz @thomasorlita That Regex was tricky! Did not get why a / would be allowed before the real redirect URL at first. Nice one!
Interesting write-up about a blockchain bug. Scoring 1M$ in bounty. Key takeaway after reading: It's all about domain knowledge! The same goes for all programs, there are tons of "simple" bugs that you can only find if you know the domain.
The bug found here was "simple" (but as always hard to find anyhow). Finding it probably took some coding skill, some luck, but also tons of domain knowledge!
https://pwning.mirror.xyz/RFNTSouIIlHVNmTNDThUVb1obIeN5c1LAiQuN9Ve-ok
Hey! I'm going to give a #websec talk at #HIP22 in FIVE minutes:
"What if XSS was a browser bug?"
You can watch the stream at https://streaming.media.ccc.de/jev22/hip1 and I'm happy to answer questions here or on the Matrix channel linked from https://hip-berlin.de
@michenriksen And 2FA. I get angry every time I need to get my phone and remember which Authenticator app I used, and find the 2FA code. I know it is a good thing. But boy it is a bad experience
@freddy Yes that looks like it could be it! Thanks
Was a bit confused that target="name" worked, but I guess only target="_blank" will have the hidden "noopener" as default
@freddy https://joaxcar.com/utils/page.php?html=%3Ca+href%3D%22javascript%3Aalert%28%29%22+target%3D%22_blank%22%3Eno+trigger%3C%2Fa%3E%0D%0A%3Ca+href%3D%22javascript%3Aalert%28%29%22+target%3D%22test%22%3Ewill+trigger%3C%2Fa%3E%0D%0A%3Ca+href%3D%22javascript%3Aalert%28%29%22+target%3D%22test%22+rel%3D%22noopener%22%3Eno+trigger%3C%2Fa%3E&h%5B%5D=
@freddy I remember you asking Mike West why Chrome blocked javascript URLs from triggering when launched from a target="_blank" a tag.
It now looks like Firefox behaves in the same way, but I fail to find a mention of it in bugzilla. Do you know where and why the change was made?
Looks like JS is blocked when the opened window lacks a "window.opener". So
```
<a href="javascript:alert()" target="_blank">no trigger</a>
<a href="javascript:alert()" target="test">will trigger</a>
<a href="javascript:alert()" target="test" rel="noopener">no trigger</a>
```
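As an added illustration (my code, not from the post or any browser project), a small audit function that applies the rule observed above to every link in an HTML fragment and reports which `javascript:` URLs would still execute. Assumptions: attribute values are double-quoted, `rel="noreferrer"` implies noopener, `target="_blank"` defaults to noopener unless `rel` contains `opener`, and same-tab navigations (no target, `_self`, `_parent`, `_top`) are unaffected.

```javascript
// Added example, not code from the post: an audit that applies the rule
// observed above (a javascript: URL is not run when the navigation opens a
// window without window.opener) to every <a> tag in a fragment of HTML.
// Assumptions: attribute values are double-quoted; rel="noreferrer" implies
// noopener; target="_blank" defaults to noopener unless rel contains "opener";
// same-tab navigations (no target, _self, _parent, _top) are unaffected.

const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;

// Minimal attribute parser for a single <a ...> start tag.
function parseAnchor(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// True when the navigated document keeps a reference to its opener.
function keepsOpener(target, rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes("noopener") || tokens.includes("noreferrer")) return false;
  const t = (target || "").toLowerCase();
  if (t === "" || t === "_self" || t === "_parent" || t === "_top") return true;
  if (t === "_blank") return tokens.includes("opener"); // opt back in with rel=opener
  return true; // named target: a new window that still has an opener
}

// One finding per javascript: link; `runs` is true when the URL would execute.
function auditJavascriptLinks(html) {
  const findings = [];
  for (const m of html.matchAll(/<a\b[^>]*>/gi)) {
    const a = parseAnchor(m[0]);
    const href = (a.href || "").trim();
    if (!/^javascript:/i.test(href)) continue;
    findings.push({ href, target: a.target || "", rel: a.rel || "",
                    runs: keepsOpener(a.target, a.rel) });
  }
  return findings;
}

// Constructed sample: the three cases from the post plus three more.
const SAMPLE = `
<a href="javascript:alert()" target="_blank">no trigger</a>
<a href="javascript:alert()" target="test">will trigger</a>
<a href="javascript:alert()" target="test" rel="noopener">no trigger</a>
<a href="javascript:alert()">same tab, will trigger</a>
<a href="javascript:alert()" target="_blank" rel="opener">will trigger</a>
<a href="https://example.com" target="test">not a javascript: link</a>`;

for (const f of auditJavascriptLinks(SAMPLE)) {
  console.log(f.runs ? "RUNS   " : "BLOCKED", f.href, `target=${f.target}`, `rel=${f.rel}`);
}
```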
GitLab have released a blog detailing their bug bounty program year summary.
I did manage to snag a mention ("Most valid reports to our program") which was one of my goals this year. I aimed for the more prestigious titles, but the competition is tough and @yvvdwf 's RCE was definitely one of the highlights of the year. The same goes for @vakzz flag capture and taraszelyk info leaks. Learned a lot from all of them!
https://about.gitlab.com/blog/2022/12/19/why-2022-was-a-record-breaking-year-in-bug-bounty-awards/
@insiderphd great suggestion. I found affordable ones at 6 letters (including dot) with one pair being able to exchange for one unicode. Was happy about it, but it has yet to repay itself
@fransrosen @ryotak might be your report? hard to tell who is who on mastodon :) great report anyhow!
I think the "dirty dance" non-happy-path OAuth "feature" discussed in @fransrosen's blog post will prove useful again and again. Hard to package nicely for triagers. But high impact.
I have had the pleasure to use it once so far.
And this report to GitLab shows another great usage of it to escalate a chain of open redirects to an account takeover
Output oriented product development is when you have features in mind and you focus on the solution. Outcome oriented product development is when you focus on the problem and iterate to a solution.
An outcome is a measurable change in behaviour that drives business results.
That's what we want!
How do you make the shift?
What hasn't and what has worked for you?
In my next job, I would like to introduce the continuous discovery habits from @ttorres
@AlesandroOrtiz Will definitely do that! Getting deeper into Chromium is my next goal. I have tried some other programs, but programs without public bug reports are not as fun. I learn so much from reading all these reports
@AlesandroOrtiz You will get an honorable mention as your CVE-2022-1637 report sparked my interest in looking at browsers! Unfortunately, I haven't had that much time to continue down that path since reporting this. Getting back into it is high on my todo-list for next year though!
A couple of days ago I managed to escalate my first ever Chrome bug to account takeover cross (subdomain) origin. Really happy with the finding, which I would never have been able to find without the knowledge shared by security researchers over at Twitter. Really hope that the community stays as accessible for newcomers as it was before. Even after people scatter around different alternatives
Hope to be able to write my first ever write-up about the bug in the coming weeks, and give credit to the people that inspire me to dive deeper into this field
@ajxchapman @joern I know that Z-Wink talked about this. He seems to really enjoy looking for IDORs though, so it is not exactly the same situation. But one thing that gives you is high paying bugs that need close to zero report writing. "Here is the endpoint -> PII leak"
Avoiding complex report writing could fit into your number 6
@michenriksen are you at the level where it is all muscle memory yet? I find myself talking to myself: "delete inner big word" like I am hunting and pecking mentally. Still love it though, but don't know if it makes me productive :)
@michenriksen fond memories! will answer some emails with this as a soundtrack right now! Thanks for the throwback