anton

@safts0ppa

founder / pentester @ squirrel security

8
Followers 26
Following 10
Posts 31.12.2023
Joined

Posts Following

Latest posts by anton @safts0ppa

Sorry! 😅

06.12.2024 14:03 👍 1 🔁 0 💬 0 📌 0

This is pain to look at :')

05.12.2024 13:31 👍 2 🔁 0 💬 1 📌 0

I kinda get it if it requires additional development for the vendor to implement but it's kinda shitty if using standard stuff like okta or gsuite. Have found some fun findings in pentests where you're able to implement your own SSO though, like - if you control the SSO you can be whoever you want

28.11.2024 20:43 👍 0 🔁 0 💬 0 📌 0

Älmhult då!? 😅

28.11.2024 17:32 👍 0 🔁 0 💬 0 📌 0

I think this works best for developers who are familiar to understand when something's odd and worth investigating. Thoughts?

20.11.2024 12:51 👍 0 🔁 0 💬 1 📌 0

i get your point :) still, building tools usually gets you deep into how stuff actually works

19.11.2024 11:09 👍 1 🔁 0 💬 0 📌 0

That's not true :) and your csp bypass tool is really really really awesome

19.11.2024 10:51 👍 0 🔁 0 💬 1 📌 0

I actually think I know now, //example.com/<yolo> gets urlencoded since it's now part of the path.. and any value that get's parsed as an URL gets encoded. Or not? new URL("//yolo.com/") is rejected

19.11.2024 09:47 👍 1 🔁 0 💬 1 📌 0

@joaxcar.bsky.social i cheated :')

19.11.2024 09:39 👍 1 🔁 0 💬 1 📌 0

@joaxcar.bsky.social okay so href parses any valid url, and that's why it chops it off after // or http(s)://? I'm not really sure although why anchor.href = "//example.com<style onload=alert(1)>" works but not anchor.href = "//example.com/<style onload=alert(1)>"?

19.11.2024 09:38 👍 1 🔁 0 💬 1 📌 0