Stealing CSVs crossdomain

Back in 2008, Chris Evans found it was possible to steal data cross-domain in Firefox using script includes. We can still read his report at: http://scary.beasts.org/security/CESA-2008-011.html In his own words: The modern web model permits remote domain <script> inclusion with no restrictions. If the remote data, which does [...]

Forging Content-Type Header With Flash

You might already know how you can forge HTTP request headers using Flash. So, to keep it short, I'm talking about [...] only. Lately, I've [...]

HackerOne XSSI – Stealing multi line strings

I assume you already know what XSSI is. If not, here’s a brief introduction cited from Identifier based XSSI attacks: Cross Site Script Inclusion (XSSI) is an attack [...]