Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

XSS and cache poisoning via upload.twitter.com on ton.twitter.com - 1133

filedescriptor - HackerOne (posted 2 years ago)
  • This bug report is a doozy! It chains several vulnerability classes into a horrifying exploit against Twitter.
  • Twitter allows users to upload files. If the file has a known extension, the response serving it carries the matching Content-Type. Dangerous extensions such as .html are rejected outright. So what happens when the extension is not known at all? The file is accepted and served with no Content-Type header whatsoever!
  • Browsers don't trust file extensions; they go by the Content-Type header. When that header is missing, the browser inspects the first bytes of the body and guesses the type from the content. This is called MIME sniffing. Upload HTML under some random, unknown extension and the browser sniffs it as HTML and renders it on ton.twitter.com, script and all. This is exactly the situation an explicit Content-Type plus X-Content-Type-Options: nosniff on user uploads is meant to prevent.
  • Sadly, on its own this was a self-attack; we need another bug to turn it against other users. The author found out that an HTML5 AppCache manifest file can be uploaded too. Because the manifest is then served from ton.twitter.com, a page on that origin can reference it, and the manifest dictates the browser's application-cache behaviour for ton.twitter.com. What can an attacker do with this?
  • An appcache manifest has scary powers. Its CACHE section tells the browser to serve the listed resources, including the attacker's uploaded HTML, from its local application cache even when online, and its FALLBACK section maps a URL prefix on the origin to a cached page, so requests under that prefix that fail are answered with the attacker's HTML instead. Worse yet, those entries stay in the browser's cache until the manifest changes, giving the victim persistent XSS on ton.twitter.com. Overall, MIME sniffing plus clever use of an appcache manifest adds up to permanent XSS and cache poisoning. Pretty rad!
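To make the three moving parts concrete, here is an added Node.js model of the bug class described above. It is example code written for this page, not code from filedescriptor's report or from Twitter: the extension table, the blocked-extension list, the upload paths and the manifest body are all constructed. It models an upload service's vulnerable Content-Type handling beside a hardened version, the HTML rows of the WHATWG MIME-sniffing table a browser applies when Content-Type is missing, and an AppCache manifest's CACHE and FALLBACK resolution, so you can see how an unknown extension turns into rendered HTML and how the manifest pins that HTML to other URLs on the origin.

```javascript
// Added example, not code from the report or from Twitter. All names, paths
// and bodies below are constructed for illustration.

// Extension -> Content-Type table of the hypothetical upload service.
const KNOWN_TYPES = { jpg: 'image/jpeg', png: 'image/png', gif: 'image/gif', txt: 'text/plain' };
// Extensions the hypothetical service rejects outright.
const BLOCKED_EXTENSIONS = new Set(['html', 'htm', 'xhtml', 'svg']);

function extensionOf(filename) {
  const m = /\.([^.]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : '';
}

// Vulnerable pattern: an unknown extension yields a response with no Content-Type at all.
function vulnerableHeaders(filename) {
  const ext = extensionOf(filename);
  if (BLOCKED_EXTENSIONS.has(ext)) throw new Error('rejected extension: ' + ext);
  const headers = {};
  if (KNOWN_TYPES[ext]) headers['Content-Type'] = KNOWN_TYPES[ext];
  return headers;
}

// Hardened pattern: always send a type, default to octet-stream, forbid sniffing,
// and force a download so user content is never rendered inside the origin.
function hardenedHeaders(filename) {
  const ext = extensionOf(filename);
  if (BLOCKED_EXTENSIONS.has(ext)) throw new Error('rejected extension: ' + ext);
  return {
    'Content-Type': KNOWN_TYPES[ext] || 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
  };
}

// HTML rows of the WHATWG MIME Sniffing "unknown type" table: optional leading
// whitespace, one of these tags (ASCII case-insensitive), then a tag-terminating
// byte, 0x20 or 0x3E.
const HTML_PATTERNS = ['<!DOCTYPE HTML', '<HTML', '<HEAD', '<SCRIPT', '<IFRAME', '<H1', '<DIV',
  '<FONT', '<TABLE', '<A', '<STYLE', '<TITLE', '<B', '<BODY', '<BR', '<P', '<!--'];
const asciiUpper = (s) => s.replace(/[a-z]/g, (c) => c.toUpperCase());

function sniffsAsHtml(bytes) {
  let i = 0;
  while (i < bytes.length && [0x09, 0x0a, 0x0c, 0x0d, 0x20].includes(bytes[i])) i++;
  const head = Buffer.from(bytes.subarray(i, i + 20)).toString('latin1');
  return HTML_PATTERNS.some((p) => {
    if (head.length <= p.length) return false;
    const terminator = head.charCodeAt(p.length);
    return asciiUpper(head.slice(0, p.length)) === p && (terminator === 0x20 || terminator === 0x3e);
  });
}

// What a browser navigating to the file treats the body as: an explicit Content-Type
// is honoured; without one, scriptable types like HTML are sniffed only if nosniff is absent.
function effectiveType(headers, bytes) {
  if (headers['Content-Type']) return headers['Content-Type'];
  const noSniff = String(headers['X-Content-Type-Options'] || '').toLowerCase() === 'nosniff';
  return !noSniff && sniffsAsHtml(bytes) ? 'text/html' : 'application/octet-stream';
}

// Minimal AppCache manifest model. CACHE entries are served from the application
// cache even when online; a FALLBACK entry answers any failed request whose path
// starts with its namespace. Both persist until the manifest itself changes.
function parseManifest(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines[0] !== 'CACHE MANIFEST') throw new Error('not an appcache manifest');
  const manifest = { cache: new Set(), fallbacks: [] };
  let section = 'CACHE';
  for (const line of lines.slice(1)) {
    if (!line || line.startsWith('#')) continue;
    if (/^(CACHE|NETWORK|FALLBACK):$/.test(line)) { section = line.slice(0, -1); continue; }
    if (section === 'CACHE') manifest.cache.add(line);
    if (section === 'FALLBACK') {
      const [namespace, entry] = line.split(/\s+/);
      if (namespace && entry) manifest.fallbacks.push({ namespace, entry });
    }
  }
  return manifest;
}

// Which resource the browser actually shows for a path under the manifest's origin.
function resolveFromAppCache(manifest, path, networkFails) {
  if (manifest.cache.has(path)) return { source: 'appcache', path };
  if (networkFails) {
    const hit = manifest.fallbacks
      .filter((f) => path.startsWith(f.namespace))
      .sort((a, b) => b.namespace.length - a.namespace.length)[0];
    if (hit) return { source: 'fallback', path: hit.entry };
  }
  return { source: 'network', path };
}

// Constructed scenario: an HTML body uploaded under an unknown extension, plus a
// constructed manifest that caches it and makes it the fallback for the whole origin.
const EVIL_BODY = Buffer.from('<html><body><script>alert(document.domain)</script></body></html>');
const EVIL_MANIFEST = ['CACHE MANIFEST', '# constructed example, not a real upload',
  'CACHE:', '/uploads/evil.xyz', 'FALLBACK:', '/ /uploads/evil.xyz', 'NETWORK:', '*'].join('\n');

function scenario() {
  const manifest = parseManifest(EVIL_MANIFEST);
  return {
    vulnerable: effectiveType(vulnerableHeaders('evil.xyz'), EVIL_BODY),
    hardened: effectiveType(hardenedHeaders('evil.xyz'), EVIL_BODY),
    poisoned404: resolveFromAppCache(manifest, '/some/missing/page', true).path,
    cachedOnline: resolveFromAppCache(manifest, '/uploads/evil.xyz', false).source,
  };
}

console.log(scenario());
```

Run it with `node` and `scenario()` reports the vulnerable service rendering the upload as `text/html` while the hardened one serves `application/octet-stream`, a missing page under the poisoned origin resolving to the attacker's upload, and the upload itself being served from the application cache even with the network up. Note that `effectiveType` also returns octet-stream when only `nosniff` is present: the header disables sniffing of scriptable types even when Content-Type is absent, which is why it belongs on every upload response as defence in depth behind an explicit type.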