
Bruno Modificato

@brunomodificato

CTFer for @Water_Paddler / Security auditor @osec_io. Sometimes bug bounty and research

222 Followers
47 Following
15 Posts
Joined 30.11.2023

Latest posts by Bruno Modificato @brunomodificato

?

17.05.2025 12:25 👍 0 🔁 0 💬 1 📌 0
Post image

it was fun :D

11.05.2025 20:47 👍 2 🔁 0 💬 1 📌 0

New research:

osec.io/blog/2025-07...

This time it is about an authentication bypass in a popular auth provider, which allowed account takeover of the wallet. Plus some other auth misconfigs in the wild.

08.03.2025 14:59 👍 3 🔁 0 💬 0 📌 0

Do you think Musk's bullshit is affecting the climate that much in Germany too? I thought in Europe he had much less influence.

26.01.2025 18:30 👍 0 🔁 0 💬 0 📌 0

If you like our research "Supply Chain Attacks: A New Era", please vote for it :D. There is another article where I was involved, "Zoom Session Takeover - Cookie Tossing Payloads"; if you like that too, pls feel free to vote for it XD

15.01.2025 16:59 👍 3 🔁 0 💬 0 📌 0

nice one :)

04.12.2024 18:02 👍 0 🔁 0 💬 0 📌 0

CloudFlare WAF pretty kek

04.12.2024 03:02 👍 0 🔁 0 💬 0 📌 0

pastebin.com/Q4L6XkJj don't know how to post code here, but came up with this during an audit. This wasn't caught by CloudFlare WAF cuz of Object.assign Lmfao, then from here url:#javascript: in order to pop up the MetaMask wallet transaction, kekwl

04.12.2024 03:01 👍 4 🔁 0 💬 1 📌 0
CVE-2023-5480: Chrome new XSS Vector

blog.slonser.info/posts/cve-20... Chrome patched this, but many Web3 services still act as full proxies, forwarding the HTTP Link header. Found a case where this bypassed CSP with default-src 'none'. file.notion.so/f/f/97ab6450...

04.12.2024 02:48 👍 3 🔁 0 💬 0 📌 0
Post image

New bounty coming with a weird case on a Web3 wallet. I wish I weren't always so tired and lazy, so that I could start writing writeups again. My last writeup on my personal GitHub is from 2 years ago.

04.12.2024 02:35 👍 0 🔁 0 💬 0 📌 0
Metamask Snaps: Playing in the Sand A deep dig into Metamask Snaps. We explore safety considerations, environment design, and break down a property spoofing vulnerability in the Snaps sandboxing layer.

osec.io/blog/2023-11... / It has been two years since I wrote a CTF writeup, but here: github.com/BrunoHalltar... :P

04.12.2024 02:23 👍 1 🔁 0 💬 0 📌 0
Content Security Policy Level 2

www.w3.org/TR/CSP2/#sou... this leads to interesting cases if there is a redirect 👀

24.11.2024 00:03 👍 1 🔁 0 💬 0 📌 0

tumpicon :P

23.11.2024 21:14 👍 2 🔁 0 💬 1 📌 0
Supply Chain Attacks: A New Era Unpacking Lavamoat and how it fights supply chain attacks in Web3. We spill the beans on some sneaky bypasses, illustrating just how tricky it is to lock down JavaScript ecosystems.

Wanted to share our research regarding a bypass on Lavamoat and how the supply chain works:

osec.io/blog/2024-06...

23.11.2024 15:49 👍 1 🔁 0 💬 0 📌 0

Hello Blùèsky

20.11.2024 23:11 👍 0 🔁 0 💬 0 📌 0