Bruno Modificato
brunomodificato.bsky.social
CTFer for: @Water_Paddler / Security auditor @osec_io

Sometimes bug bounty and research
New research :

osec.io/blog/2025-07...

This time it is about an authentication bypass in a popular auth provider, which allowed account takeover of the wallet. Plus some other auth misconfigurations in the wild.
March 8, 2025 at 2:59 PM
If you like our research "Supply Chain Attacks: A New Era", please vote for it :D. There is another article I was involved in, "Zoom Session Takeover - Cookie Tossing Payloads"; if you like that too, pls feel free to vote for it XD
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2024
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2024.
portswigger.net
January 15, 2025 at 4:59 PM
pastebin.com/Q4L6XkJj Don't know how to post code here, but I came up with this during an audit. This wasn't caught by the Cloudflare WAF cuz of Object.assign, Lmfao; then from there url:#javascript: in order to pop up a MetaMask wallet transaction, kekwl
December 4, 2024 at 3:01 AM
blog.slonser.info/posts/cve-20... Chrome patched this, but many Web3 services still act as full proxies, forwarding HTTP link header. Found a case where this bypassed CSP with default-src 'none'. file.notion.so/f/f/97ab6450...
CVE-2023-5480: Chrome new XSS Vector
Chrome XSS The article is informative and intended for security specialists conducting testing within the scope of a contract. The author is not responsible for any damage caused by the application of...
blog.slonser.info
December 4, 2024 at 2:47 AM
New bounty coming with a weird case on a Web3 wallet. I wish I weren't always so tired and lazy, so that I could start writing writeups again. My last writeup on my personal GitHub is from 2 years ago.
December 4, 2024 at 2:35 AM
www.w3.org/TR/CSP2/#sou... this leads to interesting cases if there is a redirect 👀
Content Security Policy Level 2
www.w3.org
November 24, 2024 at 12:03 AM
Wanted to share our research regarding a bypass of Lavamoat and how the supply chain works.

osec.io/blog/2024-06...
Supply Chain Attacks: A New Era
Unpacking Lavamoat and how it fights supply chain attacks in Web3. We spill the beans on some sneaky bypasses, illustrating just how tricky it is to lock down JavaScript ecosystems.
osec.io
November 23, 2024 at 3:49 PM
Hello Blùèsky
November 20, 2024 at 11:11 PM