@kivikakk @0xabad1dea GitHub doesn't try very hard to prevent repo existence checks or so either, and their bug bounty excludes them
@0xabad1dea @kivikakk not if you consider client-side stuff. e.g. you can trigger a zip archive download, check whether download happened
@0xabad1dea @kivikakk (because a non-404 download will cause the download bar to appear in Chrome, and the page can measure its height)
@0xabad1dea @kivikakk reasonably secure web stuff is easy, properly secure web stuff gets ugly very quickly
@0xabad1dea @kivikakk trigger a download in the victim's browser, I mean. the mitigation would be to add a CSRF token to the archive DL link