Stealing CSVs crossdomain

Back in 2008, Chris Evans found it was possible to steal data cross-domain in Firefox using script includes. We can still read his report at; http://scary.beasts.org/security/CESA-2008-011.html In his own words; The modern web model permits remote domain [crayon-5a31e1d195d27124856395-i/] inclusion with no restrictions. If the remote data, which does [...]

Read more

Referrer Policy

Referrer Policy Source: http://caniuse.com/#feat=referrer-policy There are, atm, 5 different ways referrer policy can be delivered as defined by W3C. Setting referrer policy [...]

Protected: HIDDEN

This content is password protected. To view it please enter your password below: Password: [...]

Forging Content-Type Header With Flash

You might already know how you can forge HTTP request headers using flash. So, to keep it short, I'm talking about [crayon-5a31e1d19a808251540027-i/] only. Lately, I've [...]

HackerOne XSSI – Stealing multi line strings

I assume you already know what XSSI is. If not, here’s a brief introduction cited from Identifier based XSSI attacks; Cross Site Script Inclusion (XSSI) is an attack [...]