Sebastian Lekies

Advice to untangle cyber PR: If someone says "we got attacked X times" without exactly saying what "attack" means it's cyber-bullshit.

We keep hearing rumors that there'll be an ★Allstars 2017★ during OWASP AppSec EU in Belfast. Maybe there is something to it… cc @AppSecEU

And another CSP bypass by @avlidienbrunn: https://labs.detectify.com/2017/01/12/csp-flaws-cookie-fixation/ …

How to write a research paper: a guide for software engineers & practitioners. https://docs.google.com/presentation/d/1LGcM3Jmd5ZkoYfn1Bph4W4-lYQD0lDnrtOKe3IpTiAs/edit?usp=sharing … /cc @inwyrd

Remove DOM nodes without JavaScript: <svg><animate id=a dur=1 /><circle r=100> <discard begin=a.end xlink:href=#x /><style id=x>*{fill:red}

Another dangling markup vector: http://sebastian-lekies.de/csp/nonces_reflected.php?inj=%3Cform%3E%3Cinput%20type=%22submit%22%3E%3Cselect%3E%3Coption%3E%3Cplaintext%3E … @kkotowicz @sirdarckcat @arturjanc

5 more CSP bypasses added to the list: http://sebastian-lekies.de/csp/bypasses.php …

any additional ideas? @0x6D6172696F @kkotowicz @garethheyes

Framework-specific bypasses are also welcome!

Added a few more CSP bypasses to the list. Happy to receive suggestions, ideas and PoCs. Just ping me. http://sebastian-lekies.de/csp/bypasses.php …

CC @mikewest @sirdarckcat @arturjanc @mikispag @we1x @jackmasa @0x6D6172696F

CSP-protected HTML injections can probably be used to break same-site cookies to conduct CSRF. (cc @sirdarckcat, @mikewest, @arturjanc)

Slightly surprised by how many ways there are to mutate HTML without JS! https://sirdarckcat.github.io/csp/attlist.xml  (by @0x6D6172696F http://html5sec.org/#67 )

@sirdarckcat hah, my CSP nonce bypass: https://jsbin.com/vigodiqifo/ 

Another type of CSP nonce bypass. FF+Chrome. Works with traditional reflected XSS. http://sirdarckcat.github.io/csp/fakexss.html … Happy new year!

@slekies and chrome too, soon! https://www.chromestatus.com/feature/5760616295825408 …