Web Scripting Encoding RCE Windows

OBS WebSocket to RCE

Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an image, a polyglot.

Web

The Ultimate Double-Clickjacking PoC

Combining a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to beat your Flappy Bird high score.

External

MCP: May Cause Pwnage - Backdoors in Disguise

Together with @AtomicByte, we found some vulnerabilities in the MCP protocol and its debugging tools, and scanned for internet-exposed servers. This turned up a ton of results, ranging from headless browsers to databases and code evaluators.

Web Scripting

Pressing Buttons with Popups (on Twitch, LinkedIn and more)

Combining existing research with my own experiments to create a realistic proof of concept that forces an OAuth authorization with a single key press. Learn the ins and outs of popup blockers and focusing through URL hashes.

Web Scripting
+342 points

x3CTF - blogdog (+ new CSS Injection XS-Leak!)

A "hard web xssbot" challenge about a fun browser quirk with the is= attribute to perform CSS Injection. Bypass the strict CSP with an unintended new technique to XS-Leak a selector's result by detecting the site crashing.

Web XSS Filter Bypass

Mutation XSS: Explained, CVE and Challenge

Learn how to bypass HTML sanitizers by abusing the intricate parsing rules and mutations. Including my CVE-2024-52595 (lxml_html_clean bypass) and the solution to a hard challenge I shared online.

Web Scripting

XS-Leaking flags with CSS: A CTFd 0day

Due to an XS-Leak vulnerability I found in CTFd versions 3.7.2 and below, it was possible to leak flags from admins. Using a novel technique abusing browser history and CSS, it could be completely automated.