Hacking the new Edge Browser using a couple of XSS bugs.
(CVE-2019-1356) Stealing local files and changing flags by chaining several bugs
(CVE-2019-1030) Injecting Javascript into an unexpected context results in weird behavior leading to universal XSS.
I revisit Outlook after 4 years and compare bugs found.
We delve a bit deeper into WebExtension security featuring 5 bugs
(CVE-2018-8495) Chaining small bugs together to achieve RCE
CSS XSS came back for a bit, which led to an unusual uXSS
Quick intro to WebExtension security featuring four Firefox bugs.
I try to make a case for adding XFO to all responses.
The HTML5 filepicker was found to have 5 bugs across all three major browsers.
By chaining small bugs I was able to inject arbitrary privileged code. (SEC-MODERATE)
(CVE-2016-5218) A confused deputy problem leads to a full URL spoof temporarily (~20s)
Using the 'Save Page' functionality comes with security risks
(CVE-2016-5265) Using a .URL file (Internet Shortcut) we are able to bypass the same origin policy (SEC-MODERATE)
Arbitrary local file disclosure in all Firefox browsers (NO-FIX)
(CVE-2015-7211) Partial URL spoofing using the data URI scheme (SEC-LOW)
(CVE-2016-1958) Show about:blank (placeholder "Search or enter address" in the URL bar) using javascript URI scheme (SEC-MODERATE)
While further testing the javascript URI scheme behavior on FF, I came across another bug which results in full address bar spoof (SEC-MODERATE)
Local documents can use "jar:file:///" as an oracle to determine which other files exist (SEC-MODERATE)
Cross-Origin restriction bypass with fetch using 302 redirection (SEC-HIGH)
SOP bypass using workers - Sensitive data retrieval (DUPE)
Various valid bugs found in the emailing component of Office 365, Outlook. (VIDEOS)