Think of it in another scenario, what would an HSTS bypass be?
Replying to @Scott_Helme @kkotowicz and
Probably a better analogy is an XSS filter bypass.
Replying to @sirdarckcat @Scott_Helme and
That said, it's not bad to say $suchandsuch is a bypass if $trivialtechnique is stopped but $advancedtechnique is not. Purposefully or not $trivialtechnique was stopped, but $advancedtechnique was not. Hence, bypass.
Replying to @sirdarckcat @Scott_Helme and
If the XSS filter stops me from injecting a form, and I find a way to inject a form, I would say I bypassed the XSS filter. Even if the filter didn't mean to stop me from injecting a form.
Replying to @sirdarckcat @Scott_Helme and
If my XSS-able form field has a length limit which truncates a long inline payload, and you replace it with <script src=//evil>, would you consider your exploit a "length limit bypass"?
Replying to @sirdarckcat @Scott_Helme and
This seems to lose a fair amount of the usual meaning because you "bypass" a lot of things not reasonably meant to be security controls. But... ¯\_(ツ)_/¯
Replying to @arturjanc @Scott_Helme and
English is hard, what can I say :-)
Replying to @sirdarckcat @arturjanc and
Maybe evasion is more fitting? You evade the filter. This doesn't mean the filter sucks, just that you ignore it, or walk past it. If you evade a lock, you didn't compromise the lock's mechanism security.
Replying to @sirdarckcat @arturjanc and
But then, I bypass traffic by taking a shorter route, rather than driving through it, so I don't know… I give up.
Makes sense -- I bypass CSP by watching a movie on a Friday night and not worrying about XSS ;-)