Sabitlenmiş Tweet
Roman Shafigullin
2.6K posts

Roman Shafigullin
@shafigullin
Security at LinkedIn
Sunnyvale, CA Katılım Nisan 2009
908 Takip Edilen5.7K Takipçiler
Roman Shafigullin retweetledi

Developers, tired of DOM XSS in your web applications? 😩 We were too. See how we refactored our code to solve Trusted Types violations in Gmail & AppSheet. Your guide to a safer web is here!
bughunters.google.com/blog/585078655…
English

Previously I bypassed XSS protection in Ember.js using {"string":xss} making framework think that this is SafeString object groups.google.com/g/ember-securi…
English

How I bypassed XSS protection in Ember.js using bug in Chrome issues.chromium.org/issues/40085732
English
Roman Shafigullin retweetledi

Full results and write-up: plasticlist.org
We also have instructions for running your own tests!
English
Roman Shafigullin retweetledi

Releasing full 2+hr video of my browser exploitation workshop from VXCON 2024: youtube.com/live/b9OhamkAY…
In which I show what goes inside the mind of a skilled hacker while exploiting a highly non-trivial vulnerability in v8, from zero to exploit concept.
Especially this workflow requires advanced abstract thinking, thereby emphasize the role of theoretical modeling in attacking hard zeroday research targets, which is a part of why it's fun. @zerodaytraining

YouTube
English
Roman Shafigullin retweetledi

We’re finally live! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: youtube.com/watch?v=zOPjz-…

YouTube
English
Roman Shafigullin retweetledi

I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜
The research article is available here: mizu.re/post/exploring…
The slides are available here: slides.com/kevin-mizu/gre…
1/3

English

@audiblesupport @audible_com fyi, during login on ios when app asks for otp, if you go to messages and return you see error and start login from beginning, i had to get otp via call to not loose ficus on the app

English
Roman Shafigullin retweetledi

Did you know about Strict Mode? 🤔
✨ "use strict"; ✨
Strict Mode catches silent errors, making your code more predictable and easier to debug. It also improves performance and helps you write more secure JavaScript code.
See how 👇
developer.mozilla.org/en-US/docs/Web…
English
Roman Shafigullin retweetledi

The dedication and hard work has payed off: "for hundreds of complex web applications that are built on Google’s hardened and safe-by-design frameworks, we've averaged less than one XSS report per year in total" (see page 9 of the whitepaper).
Heather Adkins - Ꜻ - Spes consilium non est@argvee
Secure by design takes dedication and years of hard work to get the balance right between velocity and safety. Read a bit about @Google’s commitment and journey in our new white paper. Humbled to work with the professionals that make this happen everyday. blog.google/technology/saf…
English

@ericlaw I heard that before, bank design security to protect bank’s money, not people’s money
English










