Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Slack has a feature known as Blocked Previews, where workspace owners and admins can specify a list of URLs for which no link preview should be generated.
Parsing URLs is crazy complicated though. There are so many different ways for the same URL to be written. Simply applying a denylist without normalization would likely cause issues.
The author of this post found a few ways to bypass it. Domain names are split into labels separated by periods. A TLD such as .com is actually not the highest part of the name: the top of the hierarchy is the root, written as a trailing period, but it is normally left out.
For instance, https://jub0bs.com./posts/2021-01-29-great-samesite-confusion/ has an extra period after the .com. The second bypass used a directory traversal in the URL to break the path parsing.
URL parsing is really hard! Leave it to the professionals :) I enjoyed this bug since it went through the denylist by using alternative URL parsing methods. Good bug find!
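To show why normalization has to come before the denylist comparison, here is an added example (not code from the original post or from Slack) that checks the two URL forms described above against a naive string match and against a normalized match. The denylist format, the function names and the traversal URL are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed denylist entry: (host, path prefix). Not Slack's real format.
DENYLIST = [("jub0bs.com", "/posts/")]

def naive_blocked(url):
    """Weak check: raw string-prefix match with no normalization."""
    return any(url.startswith(f"https://{h}{p}") for h, p in DENYLIST)

def normalize(url):
    """Return (host, path) in a canonical form suitable for comparison."""
    parts = urlsplit(url)
    # .hostname is already lowercased; drop the trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    # Decode percent-escapes once so %2e%2e is treated like "..".
    path = unquote(parts.path) or "/"
    keep_slash = path.endswith("/")
    # Resolve "." and ".." segments, then collapse duplicate leading slashes.
    path = "/" + posixpath.normpath(path).lstrip("/")
    if keep_slash and not path.endswith("/"):
        path += "/"
    return host, path

def blocked(url):
    """Hardened check: compare normalized host and path to the denylist."""
    host, path = normalize(url)
    return any(host == h and path.startswith(p) for h, p in DENYLIST)

# Constructed sample URLs covering the forms discussed in the text.
SAMPLES = [
    "https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/",
    "https://jub0bs.com./posts/2021-01-29-great-samesite-confusion/",
    "https://jub0bs.com/x/../posts/2021-01-29-great-samesite-confusion/",
    "https://example.org/posts/unrelated/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"naive={naive_blocked(u)!s:5} normalized={blocked(u)!s:5} {u}")
```

The same normalized form should be used both when storing denylist entries and when checking a link, otherwise the two sides of the comparison can still disagree.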