Persistent XSS is Not Self-XSS

Participating in bounty programs the past few years I have seen a lot of discrimination against what has been dubbed Self Cross-Site Scripting (XSS). This is a version of XSS that can only be exploited by the victim due to either protection by the server or the method of attack is strictly client-side with no way for an attacker to force a victim to execute.

Lately I have seen programs state that they do not accept any form of self-XSS. I will give some scenarios to explain the various types of self-XSS, their impacts, and how they can be exploited to hopefully debunk some misconceptions that these are not vulnerabilities.

Scenario 1: DOM Based Self-XSS

Continue reading

ESEA Server-Side Request Forgery and Querying AWS Meta Data


For anyone familiar with the Counter-Strike competitive scene, you know about ESEA. They just recently launched a bounty program that puts their website, game client, and game servers in scope for security research.

I spent a night taking a look over the website and found a few vulnerabilities. The most interesting discovery was a Server-Side Request Forgery vulnerability. Using a cool trick that Ben Sadeghipour (@NahamSec) showed me, I was able to pull private information from ESEA’s AWS metadata.

Continue reading

CSAW 2015 – Web 500 (Weebdate) Writeup

Challenge Info

  • CTF: CSAW 2015
  • Challenge: Weebdate
  • Category: Web
  • Points: 500

Challenge Description

    Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate.

    Flag is md5($totpkey.$password)

Continue reading

DEFCON 23 Badge Challenge

Authors: image Brett Buerhaus, image Jason Thor Hall

Original Post:


Brett, Jon, and I recently went to DEFCON and completed the Badge Challenge put together by 1o57. Here is the entire adventure as we experienced it with all of the puzzles, their solutions, and the steps to solve them. Understand that this document contains MASSIVE spoilers so if you do not want to ruin it for yourself please stop reading now.

Continue reading – Mobile Feedback URL Redirect Regex/Validation Flaw

Back in October of last year I discovered a JavaScript flaw on that bypassed protocol validation by abusing an if check against a URL parsed by regex. I was unable to find a way to attack this vector, but was still rewarded a bounty of $500 due to Google knowing of an active browser vulnerability that allowed them to exploit it successfully.

Continue reading

Flickr API Explorer – Force users to execute any API request.

Flickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.

Continue reading