@kivikakk @0xabad1dea GitHub doesn't try very hard to prevent repo existence checks or so either, and their bug bounty excludes them
Replying to @0xabad1dea
@0xabad1dea @kivikakk not if you consider client-side stuff, e.g. you can trigger a zip archive download and check whether the download happened
Replying to @0xabad1dea
@0xabad1dea @kivikakk trigger a download in the victim's browser, I mean. The mitigation would be to add a CSRF token to the archive DL link
Replying to @0xabad1dea
@0xabad1dea @kivikakk they could solve it by sticking CSRF tokens on everything, but that might break some use cases, I don't know
6:25 PM - 17 Jan 2016