Masato Kinugawa

@kinugawamasato

The time I spend looking for vulnerabilities is happiness.

Joined: January 2010

Tweets

  1. Retweeted
    12 hours ago

    DOMPurify 2.0.8 has been released: Please update asap in case you use jQuery 3.x and SAFE_FOR_JQUERY.

  2. Retweeted
    Jan 26

    As I have no cool new findings, let's start the year with an old IE bug - bypassing Content-Disposition: attachment with mhtml:

  3. Jan 23
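  4. Jan 23

    The Chrome extension DoS I reported has been disclosed. It was a bug where, on Windows, accessing a chrome-extension:// URL with a dot appended to the end disabled that extension. I happened to find it while assessing a Chrome extension.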

  5. Retweeted
    Nov 27, 2019

    Remember the mXSS via </p> or </br> I reported? Turns out that Chrome is correct according to spec. Spec bug is submitted here:

  6. Retweeted
    Nov 18, 2019

    Another write up of a bug found by in Google VRP! An XSS via Dom Clobbering in AMP4Email

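  7. Oct 10, 2019

    This bug, which I reported as a bypass of the pop-under restriction, is apparently worth $500. Probably not for the pop-under itself, but because opening two windows with a single keystroke was treated as a popup blocker bypass? A windfall.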

  8. Oct 8, 2019

    mXSS is deeper than I had thought. It's interesting, but the more I learn, the more it ends up tightening the noose around DOMPurify... The DOM is hard.

  9. Retweeted
    Oct 5, 2019

    I learned this week how I can perform an error-based without using any ! It takes advantage of *alternative text* when an object cannot be rendered and then styling it with a *custom font*. My full payload to the chall:

  10. Sep 23, 2019

    × "discovered in 2.0.1" 〇 "fixed in 2.0.1"

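  11. Sep 23, 2019

    DOMPurify 2.0.2 fixes an issue where XSS occurs when it is used with the default settings. It is a variant of the bypass discovered in 2.0.1. I believe the underlying cause is a browser bug, but many browsers are affected and I don't think it will be fixed soon. If you use it, please update.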

  12. Sep 6, 2019

    You have to notice:
    ・"こんにちは(Hello) <b>[YOUR_INPUT]!</b>" is a valid JavaScript syntax
    ・You can execute arbitrary JavaScript without <>()&`= on the <script type=module>
    Thank you for challenging, all!

  13. Sep 6, 2019
  14. Retweeted
    Sep 5, 2019

    (CVE-2019-1030) Microsoft Edge uXSS write up

  15. Retweeted
    Aug 23, 2019

    Slides for my Hitcon 2019 talk have been uploaded! It covers everything I know about cookie exploitation.

  16. Aug 19, 2019

    WordPress has a JSONP endpoint by default, so if you allow a host running WordPress in CSP script-src, a partial bypass becomes possible (Same Origin Method Execution becomes possible). http://host/wp-json/wp/v2/posts/?_jsonp=

  17. Aug 11, 2019

    This is the XSS of the IoT era (I got it from  !)

  18. Retweeted
    Aug 5, 2019

    A private talk I did a few years ago, about how I turned a self-XSS to a site-wide CSRF on Twitter with MIME Sniffing, Cookie and OAuth tricks. I will present even more obscure Cookie tricks in this year .

  19. Retweeted
    Jul 26, 2019

    As I have to wait to release my LibreOffice finding: The JavaScript V8 engine has interesting features :) your research helped a lot to have a proper use case ^^

  20. Jul 15, 2019