Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Looking at professional reports gives you a good idea of what the real pentesting looks like and the bugs to look for.

This report has lots of standard bugs, such as reflected and stored XSS, broken access control and HTML injection.

Two reports stood out to me: XSS via postMessage and host header poisoning.

The postMessage feature is one way different origins communicate with each other. In particular, this is used when communicating between iFrames.

However, the iFrame listeners, if not properly checking the origin of the postMessage request, can take receive requests from other websites. This acts as a CSRF in some ways.

Finally, the request being sent via postMessage from injecting HTML directly into the page. This, then results in a CSRF XSS via the postMessage functionality.

The other bug was a host header injection attack. The password reset link would use the Host header in the request sent. However, this can be spoofed by an attacker, creating the ability to reroute the password reset tokens from anyone's account!