Shammah zealsham Agwor
@zealsham.bsky.social
Bugbounty hunter | Rust dev | The man of mankind | Application Security Engineer. OSCP in view, #Bitcoin-core contributor
Reposted by Shammah zealsham Agwor
I talk about this on the pod all the time, but CSRF is dead simple. You just need to know the conditions.

I'm not gonna recite them again here, but today a new condition came up:

No Content-Type header -> no CSRF restrictions
Same-site: None
POST
= CSRF

The research:
November 27, 2024 at 4:55 PM
Reposted by Shammah zealsham Agwor
Got a CSRF attack being blocked by Content-Type validation? You might be able to bypass it with this quality technique.
My latest blog post is live! nastystereo.com/security/cro...

Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
November 27, 2024 at 1:28 PM
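A defensive counterpart to the condition the two CSRF posts above describe (cross-site POST, SameSite=None cookies, and no Content-Type header slipping past a Content-Type check), added here as an example and not code from either post or from the linked research: a server-side gate for a JSON endpoint that treats an absent Content-Type as a rejection rather than a pass, and layers Sec-Fetch-Site and Origin checks on top so the decision never rests on Content-Type alone. `check_request`, `Verdict`, the `https://app.example` origin and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Verdict:
    allowed: bool
    reason: str

def check_request(method: str, headers: Dict[str, str], allowed_origin: str,
                  expected_type: str = "application/json") -> Verdict:
    """Layered CSRF gate for a JSON API endpoint (hypothetical helper).
    Key rule: an ABSENT Content-Type is a rejection, not a pass."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return Verdict(True, "safe method")
    # Fetch metadata: browsers label cross-site requests themselves; when the
    # header is present, require same-origin for anything state-changing.
    site = h.get("sec-fetch-site")
    if site is not None and site != "same-origin":
        return Verdict(False, f"Sec-Fetch-Site={site}")
    # Origin: browsers attach it to every cross-origin POST; compare exactly.
    origin = h.get("origin")
    if origin is not None and origin != allowed_origin:
        return Verdict(False, f"Origin {origin} not allowed")
    # Content-Type: missing fails, and only the exact MIME type the endpoint
    # expects passes (parameters such as charset are ignored).
    ctype = h.get("content-type")
    if ctype is None:
        return Verdict(False, "missing Content-Type")
    mime = ctype.split(";", 1)[0].strip().lower()
    if mime != expected_type:
        return Verdict(False, f"unexpected Content-Type {mime}")
    return Verdict(True, "ok")

# Constructed sample requests (not captured traffic) exercising each branch.
APP = "https://app.example"
SAMPLES = {
    "legit_fetch": ("POST", {"Origin": APP, "Sec-Fetch-Site": "same-origin",
                             "Content-Type": "application/json; charset=utf-8"}),
    "cross_site_no_ctype": ("POST", {"Origin": "https://other.example",
                                     "Sec-Fetch-Site": "cross-site"}),
    "no_fetch_metadata": ("POST", {"Origin": "https://other.example"}),
    "headers_stripped": ("POST", {}),
    "form_encoded": ("POST", {"Sec-Fetch-Site": "same-origin",
                              "Content-Type": "application/x-www-form-urlencoded"}),
}

def run_samples() -> Dict[str, Verdict]:
    return {name: check_request(m, hdrs, APP) for name, (m, hdrs) in SAMPLES.items()}
```

The `headers_stripped` case is the one the posts are about: a request with no Content-Type at all must be denied, not waved through because there is nothing to validate.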
Coding without a package manager in 2024 is like building a house by mining limestone first and making cement and mortar with that
Many think Rust is primarily about memory safety, but the real reason to use Rust is developer productivity (for C++-like system programming) from having a sane package manager and type system.
November 27, 2024 at 12:14 AM
As a #Bugbounty hunter, I was so mad when my workplace paid $30k for a pentest and only got horrible reports (ssl cert, httponly, rate limit). Meanwhile our bug bounty program had medium and high reports

Moving forward I think every pentest company should have at least 2 bug bounty hunters
November 27, 2024 at 12:09 AM
Trying to make a list of programs that have hosted a live event on hackerone
- epic games
- tiktok
- zoom
- salesforce
- uber
- PayPal
- DoD
- shopify
- airbnb
- yahoo
- Starbucks
- Amazon
Which did I miss? #Bugbounty
November 25, 2024 at 1:15 AM