James Kettle
@albinowax
Manchester, England
Director of Research at PortSwigger Web Security aka @Burp_Suite

2,442 Tweets | 63 Following | 22,597 Followers

Tweets

James Kettle @albinowax, 4 h
I meant in the Symfony advisory. It's not a big deal though.

James Kettle @albinowax, 7 h
I reported it to Drupal, they reported it to Symfony/Zend and therefore I didn't get credited. Full writeup (explaining where the poisoning comes in) at portswigger.net/research/pract…

James Kettle @albinowax, 7 h
It was me that got the CVE for it...

James Kettle retweeted
Web Security Academy @WebSecAcademy, 4 Feb
During his research into web-cache poisoning, @albinowax stumbled upon a new route-poisoning trick for systems built on Zend and Symfony frameworks. Try it for yourself: portswigger.net/web-security/a…

James Kettle @albinowax, 3 Feb
Yep you're right it shouldn't be on that page, but as described, third parties turning evil isn't what our bounty policy is aimed at. For example, if your browser saves your password then any JS third party could steal it from literally any page.

James Kettle @albinowax, 3 Feb
The CSP is because we want to mitigate XSS. Nothing to do with third parties. Maybe I misunderstood what your original tweet is trying to draw attention to?

James Kettle @albinowax, 3 Feb
We have disabled crazyegg's higher-risk features, and a trusted third party hypothetically going rogue wouldn't qualify as a medium or higher severity bug under our bounty program. Also, you already publicly disclosed the issue.

James Kettle @albinowax, 3 Feb
I wouldn't bother.

James Kettle @albinowax, 3 Feb
I miss chrome://cache bugs.chromium.org/p/chromium/iss…. At least Firefox's about:cache still exists.

James Kettle @albinowax, 3 Feb
This is automatically done by default. If you have further questions, the team behind @Burp_Suite would love to help.

James Kettle @albinowax, 31 Jan
Some fonts were causing performance issues, so we whittled the list down.

James Kettle @albinowax, 31 Jan
It does both.

James Kettle @albinowax, 31 Jan
I've been beta testing this update for a while, it's a good one :) twitter.com/Burp_Suite/sta…

James Kettle @albinowax, 31 Jan
The dotless domains feature was great for exploitation, so some people will miss it :)

James Kettle @albinowax, 31 Jan
Nice work! I love the domain name too...

James Kettle @albinowax, 31 Jan
If you didn't already see it, check out portswigger.net/web-security/c…

James Kettle retweeted
FD @filedescriptor, 31 Jan
@ngalongc, @EdOverflow, and I are starting a new security blog.
In our first write-up, we will discuss the impact of "SameSite by default" and how it affects web app sec. Feel free to request future topics you would like us to cover.
blog.reconless.com/samesite-by-de… pic.twitter.com/5R23YmpksT

James Kettle @albinowax, 28 Jan
That said, these days I use novel unpublished desync techniques, because unless you do a serious amount of recon, you are six months too late to get decent bounties with low effort using this technique.

James Kettle @albinowax, 28 Jan
I assumed you hadn't read that post, because it answers the question of why the FP rate has changed. Of course I use my own tool; I mostly focus on 'confirmed' findings as detailed in that post.

James Kettle @albinowax, 28 Jan
Refer to portswigger.net/research/break… for further info.