0x999 🇮🇱

251 posts


@_0x999

"ɪ ᴛᴏᴏᴋ ᴛʜᴇ ʜᴇʟʟ ɪ ᴡᴀꜱ ɢᴏɪɴɢ ᴛʜʀᴏᴜɢʜ (666) ᴀɴᴅ ꜰʟɪᴘᴘᴇᴅ ɪᴛ ᴏᴠᴇʀ ɪɴᴛᴏ ꜱᴏᴍᴇᴛʜɪɴɢ ᴘᴏꜱɪᴛɪᴠᴇ (999)"💔

Joined October 2022
269 Following · 1.1K Followers
Pinned Tweet
0x999 🇮🇱 @_0x999
New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking-i…
0x999 🇮🇱 @_0x999
@0xdef1ant @Mar0_0uane iirc an empty location header would only work on chrome, on firefox you can use ws/wss/resource schemes to make it work
def1ant @0xdef1ant
@Mar0_0uane probably Firefox too, i haven't tested it
def1ant @0xdef1ant
☝️did you know: if you have CRLF injection on a 302 redirect, you can still trigger XSS by providing an empty value for the "Location:" header #bugbountytip #hackerone
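A defensive counterpart to the tip above, added here and not taken from the tweet: a redirect builder that refuses control characters in the target (so CR or LF can never split the response into a second header or a body), refuses an empty Location value, and pins absolute destinations to a constructed allow-list of hosts. The host list, the function names and the decision to accept single-slash relative paths are assumptions for illustration, not anyone's production code.

```python
# Added example (not from the tweet): validate a redirect target before it
# becomes a Location header. Assumed allow-list and helper names.
import re
from typing import Dict
from urllib.parse import urlsplit

# constructed allow-list of hosts this app may redirect to
ALLOWED_HOSTS = {"example.com"}

# CR, LF and every other ASCII control character; any of them is rejected
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_location(target: str) -> str:
    """Return a validated Location value, or raise ValueError."""
    if not target or not target.strip():
        raise ValueError("empty Location")
    if _CTL.search(target):
        raise ValueError("control character in redirect target")
    # same-site relative path (a single leading slash, not scheme-relative)
    if target.startswith("/") and not target.startswith("//"):
        return target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported or missing scheme")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not on the allow-list")
    return target


def redirect_headers(target: str) -> Dict[str, str]:
    """Headers for a 302 response; validation happens before the header is built."""
    return {"Location": safe_location(target)}


def is_safe_redirect(target: str) -> bool:
    """Boolean form of safe_location for use in request handlers."""
    try:
        safe_location(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed inputs: one benign target, one header-injection attempt, one empty value
    for candidate in ("https://example.com/next", "/account",
                      "https://example.com/\r\nSet-Cookie: a=b", "", "//evil.example/"):
        print(repr(candidate), "->", "allowed" if is_safe_redirect(candidate) else "rejected")
```

The control-character check runs before any URL parsing on purpose: newer versions of urllib strip some of these characters silently, so validating the raw string is what guarantees nothing line-breaking survives into the header.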
Game0v3r @kabilan1290
During our recent research at @getsquarex on Perplexity Comet, we were able to stomp their internal extension to achieve code execution. The affected APIs were chrome.perplexity.dxt.install(n) and chrome.perplexity.mcp.addStdioServer. More details: labs.sqrx.com/comet-mcp-api-…
0x999 🇮🇱 @_0x999
@siunam321 text/plain;,text/html: parse_options_header() uses value.partition(";") to extract the part before the first semicolon and returns it in a tuple, the app uses [0] to get text/plain and compares with allowed CT, but sets the entire user-supplied input as the content-type header
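The mismatch described in the reply above, as an added example that is not the challenge's source code: the allow-list check runs on the token before the first semicolon, while the response carries the raw header the user supplied, shown beside a version that emits only the value that was actually validated. The `parse_options_header` here is a deliberately minimal stand-in for the Werkzeug function (assumption: only its partition-on-the-first-semicolon step matters for this bug, so option parsing is left out), and the allow-list and function names are constructed.

```python
# Added example (not the challenge code): validate-then-echo-raw versus
# validate-then-emit-validated. parse_options_header is a simplified stand-in
# for werkzeug.http.parse_options_header (assumption, see lead-in).
from typing import Optional, Tuple

ALLOWED_CONTENT_TYPES = {"text/plain", "application/json"}  # constructed allow-list


def parse_options_header(value: str) -> Tuple[str, str]:
    """Return (mimetype, raw remainder). Mirrors the partition(";") step only."""
    mimetype, _, rest = value.partition(";")
    return mimetype.strip().lower(), rest.strip()


def vulnerable_headers(user_ct: str) -> Optional[dict]:
    """The pattern from the tweet: check [0] of the parsed tuple, emit the whole input."""
    mimetype = parse_options_header(user_ct)[0]
    if mimetype not in ALLOWED_CONTENT_TYPES:
        return None
    # Everything after the first ';' (including ',text/html') reaches the client.
    return {"Content-Type": user_ct}


def hardened_headers(user_ct: str) -> Optional[dict]:
    """Same check, but only the validated token is ever written to the header."""
    mimetype = parse_options_header(user_ct)[0]
    if mimetype not in ALLOWED_CONTENT_TYPES:
        return None
    return {"Content-Type": mimetype}


if __name__ == "__main__":
    # constructed input: the payload shape discussed in the thread
    probe = "text/plain;,text/html"
    print("parsed token :", parse_options_header(probe)[0])
    print("vulnerable   :", vulnerable_headers(probe))
    print("hardened     :", hardened_headers(probe))
    print("rejected     :", vulnerable_headers("text/html"))
```

The general lesson is independent of Werkzeug: whenever a value is parsed for validation, the thing written to the response must be the parsed, validated form, never the original string, otherwise every byte the parser ignored is attacker-controlled output.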
siunam @siunam321
Can you pop an alert box (XSS) in the following Flask web app even if the validation used a whitelisted approach? 👀 Comment your payload and your explanation down below! Source code: pastebin.com/MYpKEW8m
0x999 🇮🇱 @_0x999
@LooseSecurity Great point (I assume you meant frame-src) btw in your POC isn't the srcdoc iframe redundant? as far as I can tell what makes it work is the fact that the lazy loaded iframe is pointing to another page that has a frame count of >0 as you pointed out or did I misunderstand?
m0z @LooseSecurity
@_0x999 I guess in cases of connect-src: 'self' the nested iframe can help.
m0z @LooseSecurity
We can't detect a scroll cross origin using a lazy loaded iframe, because it will hold onto its value of 1. However, if we nest another iframe inside of the lazy loaded iframe (eg using srcdoc) - Then we can! <iframe srcdoc='<iframe src="..." loading="lazy"></iframe>'></iframe>
0x999 🇮🇱 retweeted
Meydi @mehdiparandin
0x999.net/blog/exploring… (#achieving-arbitrary-javascript-execution) This research from @_0x999 is truly a goldmine. I solved a challenge by combining the name and message properties — and later realized the article explains it in detail. 1)
Gal Weizman @WeizmanGal
¹Today I'm moving away from my role as a Security IC @MetaMask's Security Lab, where I focused on futuristic security work for the rapidly evolving ecosystem of composable web & browser systems While being proud of our work, I can't help but think of what's left to be achieved🧵
0x999 🇮🇱 @_0x999
@TalBeerySec Thank you! the only connection is that the WebAuthn API was used for all 3 bugs (IP leak, CSP bypass & Popunder) so I figured it’d be fitting to include them in the same post
Tal Be'ery @TalBeerySec
@_0x999 That's a great research on IP leaks. Not sure though how the first part discussing IP leak findings is connected to the latter part discussing a CSP bypass
0x999 🇮🇱 @_0x999
@WeizmanGal It does also work for data exfiltration against a default-src none policy, in that case, would you consider it a browser level network cap bypass? I can’t say for sure that this isn’t a 0day but as far as I can tell Firefox isn’t vulnerable to this, only Chromium & Safari
Gal Weizman @WeizmanGal
@_0x999 Well deserved So what happens when deploying these techniques against a default-src none? Is this a browser-level network-csp bypass? "Out" is important enough even when there's no "in" - exfiltration is 100% a threat to the CSP model Can you tell for sure this isn't a 0day?
Gal Weizman @WeizmanGal
I get too lazy often to read excellent security research articles, but am glad i got sucked into this one Not only beautifully written, but genuinely a fantastic research Brilliant work @_0x999 + the connect-src bypass, is it a complete network-csp bypass? Or is that a stretch
0x999 🇮🇱 @_0x999

New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking-i…

0x999 🇮🇱 @_0x999
@WeizmanGal While it does result in a GET request to a cross origin domain, as far as I can tell the data returned cannot be accessed programmatically since it’s only used internally by the browser to validate a list of related origins that are allowed to use the same passkey
0x999 🇮🇱 @_0x999
@WeizmanGal Thank you very much for the kind words, it means a lot coming from you, I’m really glad to hear you found it useful!🫶 I might be wrong but I am pretty sure it can only be used as a bypass for the connect-src directive—
Jobert Abma @jobertabma
Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It’s free to use (with a limited daily budget for now).

It is like any other AI you’ve interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We’re shipping improvements to Hai almost every day. Here are some neat use cases:
- “take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!”
- “write a python script for a typical recon process”
- “i need an XSS payload that doesn’t use single or double quotes”
- “my XXE payload doesn't call back to my server, what could go wrong?”
- “write a response for report #133337”

The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we’ve seen so far are:
- write reports with minimal input from you (efficiency++!)
- convert reports into blogposts with a single prompt
- AI mentor to give feedback about your communication and increase the likelihood of a reward

In the background we’ve been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We’ll keep you in the loop on our progress.
0x999 🇮🇱 retweeted
Gareth Heyes @garethheyes
This vector adds an onerror handler with eval, rewrites all ReferenceError names, then triggers an error to execute the payload. Just added it to the XSS cheat sheet. Credit to @_0x999, inspired by @terjanq. Link to vector👇
0x999 🇮🇱 retweeted
Gareth Heyes @garethheyes
Crafty JavaScript-context XSS vector using ondevicemotion, setTimeout, and URIError spoofing to trigger alert(1) now added to the XSS cheat sheet. By @_0x999 inspired by @terjanq. Link to vector👇
Jorian @J0R1AN
Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing. Here's a flexible PoC: jorianwoltjer.com/blog/p/hacking…