ᴌ̩̩̩̩̩Δ̩̩̩̩̩ϻ͢͢₱̻̻
@lamp-sec.bsky.social
Hacker 💡 DEFCON Black Badge Raffle Winner 💡 Power Glove Artificer 💡 Legendary Creature 💡 Light-emitting Appliance
For instance, here's a generated payload to exploit *.google whitelisting where most src directives are locked down, but remote font imports are still possible, to exfiltrate JavaScript localStorage to a tester-supplied endpoint.
May 12, 2025 at 4:52 PM
For instance, here's a generated payload to exploit *.google whitelisting where most src directives are locked down, but remote font imports are still possible, to exfiltrate JavaScript localStorage to a tester-supplied endpoint.
I believe we may have spoken before on twitter, but have you seen my tool, CSPwn? I also have some detections for domains with exploitable JSONP endpoints, though probably less than you, but focus more on custom payload generation and exfiltration. May be worth collaborating. cspwn.gg
CSPwn
cspwn.gg
May 12, 2025 at 4:48 PM
I believe we may have spoken before on twitter, but have you seen my tool, CSPwn? I also have some detections for domains with exploitable JSONP endpoints, though probably less than you, but focus more on custom payload generation and exfiltration. May be worth collaborating. cspwn.gg