Talking of a bug I found a long time back which led to the bypassing of CSP in an electron app :)

Automation helps get easy $$$ rXSS

Mutations are `edit` or `create` queries used in Graphql. Gitlab prevents CSRF in this functionality by sending a POST request with a X-CSRF-Token header. The bug I found here was that, when we...

First to understand postMessage xss attack you need to understand this two things :

New web targets for the discerning hacker

Approaching a target from all angles

What is SAML? Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties.
Source: Wikipedia
SAML is often used for single-sign on (“Sign in with Google”, “Sign in with Twitter” etc.).…

Unpack the source code of React and other Webpacked Javascript apps!

Site isolation security break uncovered

Cross-Site Scripting and the alert() function have gone hand in hand for decades. Want to prove you can execute arbitrary JavaScript? Pop an alert. Want to find an XSS vulnerability the lazy way? Inje

In this video we walk through how a security researcher named Augusto Zanellato was able to discover a GitHub Personal Access Token (PAT) that had read/write access to private Shopify repositories, and earned them a $50,000USD bounty!

You can read the report…

Don’t get me wrong but I couldn’t find more appropriate title in order to describe the specific vulnerability. I don’t know what happens…

Greetings awesome Hackers. I’m Sahil Dari and this is my first blog on my first easiest Critical report triaged on HackerOne. I don’t need…

Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.

This write-up will be about Broken Object Level Authorization (BOLA), which is #1 topic of API Security 101 (OWASP).

I found an internal gem (Ruby library) in use by Basecamp that was not registered on Rubygems (the public Ruby package repository). I registered a gem of my own under the name that would call back...