XFO All

I try to make a case for adding XFO to all responses.

Cross Browser LFD

The HTML5 filepicker was found to have 5 bugs across all three major browsers.

FireFox RCE

By chaining small bugs I was able to inject arbitrary privileged code. (SEC-MODERATE)

Chrome Address Bar Spoof

(CVE-2016-5218) A confused deputy problem leads to a temporary (~20s) full URL spoof

FireFox LFD & SOP Bypass

Using the 'Save Page' functionality comes with security risks

FireFox uXSS & LFD

(CVE-2016-5265) Using a .URL file (Internet Shortcut) we are able to bypass the same origin policy (SEC-MODERATE)

FireFox Local File Disclosure

Arbitrary local file disclosure in all FireFox browsers (NO-FIX)

FireFox Partial URL Spoof

(CVE-2015-7211) Partial URL spoofing using the data URI scheme (SEC-LOW)

FireFox Hide URL

(CVE-2016-1958) Show about:blank (placeholder "Search or enter address" in the URL bar) using the javascript URI scheme (SEC-MODERATE)

FireFox Full URL spoof

While further testing the javascript URI scheme behavior on FF, I came across another bug which results in a full address bar spoof (SEC-MODERATE)

FireFox JAR URI bug

Local documents can use "jar:file:///" as an oracle for which other files exist (SEC-MODERATE)

FireFox SOP Bypass

Cross-Origin restriction bypass with fetch using 302 redirection (SEC-HIGH)

FireFox Worker SOP Bypass

SOP bypass using workers - Sensitive data retrieval (DUPE)

MS Outlook Office 365 bugs

Various valid bugs found in the emailing component of Office 365, Outlook. (VIDEOS)