Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". 😭 Try this trick... 1/3 #bugbountytips
Send a no-CORS request with content type "text/plain; application/json". If your request only contains CORS-safelisted headers, no preflight request will be triggered! 🤯 2/3 UntrueTautTriangle.jub0bs.repl.co
If the stars are aligned, the server only checks that "application/json" is _contained_ within the value of the Content-Type request header (to allow for "application/json; charset=utf-8", etc.), and your attack will succeed. 🤞 3/3
Of course, such CSRF attacks against APIs only work if authentication relies on ambient authority (e.g. cookies). The new SameSite default shouldn't be a problem, though, as most CORS-aware servers need to set their session-identifying cookie with SameSite=None and Secure. 4/3
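The weakness the thread relies on is a server that tests whether "application/json" is a substring of the Content-Type value instead of parsing the media type. The following Python is an added example (not code from jub0bs or from the thread) that models both sides from a defender's perspective: a small media-type parser in the style of the Fetch spec's "extract a MIME type" step, a helper that tells you whether a given Content-Type value is CORS-safelisted (and so would reach the server without a preflight), and the naive substring check beside its hardened replacement. The function names and the sample header values are assumptions constructed for illustration.

```python
"""Content-Type validation: naive substring check vs. strict media-type check.
Added illustration (hypothetical names); not the thread's or any project's code."""

# Media-type essences a browser treats as CORS-safelisted for the
# Content-Type header, i.e. a cross-origin request carrying only
# safelisted headers and one of these types is sent without a preflight.
CORS_SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def parse_media_type(value: str) -> tuple[str, dict[str, str]]:
    """Split 'type/subtype; k=v; ...' into (essence, params).

    Mirrors what a browser does: the essence is everything before the first
    ';' (lowercased, whitespace stripped); later segments are parameters, and
    a segment without '=' (such as '; application/json') is not a parameter
    and is simply dropped.
    """
    essence, _, rest = value.partition(";")
    params: dict[str, str] = {}
    for segment in rest.split(";"):
        if "=" in segment:
            name, _, val = segment.partition("=")
            params[name.strip().lower()] = val.strip().strip('"')
    return essence.strip().lower(), params


def is_preflight_free_content_type(value: str) -> bool:
    """True if the browser would consider this Content-Type value safelisted,
    so a request using it (with otherwise safelisted headers) skips preflight.
    Only the essence matters; parameters and stray segments are ignored."""
    essence, _ = parse_media_type(value)
    return essence in CORS_SAFELISTED_CONTENT_TYPES


def naive_is_json(content_type: str) -> bool:
    """The substring check the thread describes. It was written to tolerate
    'application/json; charset=utf-8', but it also accepts any value that
    merely contains the string, including the safelisted 'text/plain; ...'."""
    return "application/json" in content_type


def strict_is_json(content_type: str) -> bool:
    """Hardened check: parse the header and compare the essence exactly.
    Parameters such as charset are still allowed, but a safelisted type can
    no longer smuggle 'application/json' in as a trailing segment."""
    essence, _ = parse_media_type(content_type)
    return essence == "application/json"


# Constructed sample header values a server might see (not captured traffic).
SAMPLE_CONTENT_TYPES = [
    "application/json",
    "application/json; charset=utf-8",
    "Application/JSON",
    "text/plain; application/json",          # the value from the thread
    "text/plain; charset=application/json",  # same idea via a parameter value
    "text/plain",
]


def evaluate(values: list[str] = SAMPLE_CONTENT_TYPES) -> dict[str, dict[str, bool]]:
    """For each value, report whether it avoids a preflight and whether each
    server-side check would accept it as JSON. A value that is both
    preflight-free and accepted by a check is the case a defender cares about."""
    return {
        v: {
            "preflight_free": is_preflight_free_content_type(v),
            "naive_accepts": naive_is_json(v),
            "strict_accepts": strict_is_json(v),
        }
        for v in values
    }


if __name__ == "__main__":
    for value, result in evaluate().items():
        flag = " <-- reachable without preflight AND accepted" if (
            result["preflight_free"] and result["naive_accepts"]) else ""
        print(f"{value!r}: {result}{flag}")
```

Running the block prints, for each sample value, whether it would arrive without a preflight and which check accepts it; only the two "text/plain; ..." values are both preflight-free and accepted, and only by the naive check. Comparing the parsed essence is the fix; it keeps the tolerance for charset parameters that motivated the substring check in the first place, and pairs naturally with a CSRF token or custom-header requirement as defence in depth.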
I'm only halfway through Bertrand Meyer's 2014 book, "Agile! The Good, the Hype and the Ugly", but it's already proven its worth as a lucid, unrestrained appraisal of #Agile principles and methodologies. Here are a few passages that resonated with me...
"#XP's insistence that [pair programming] should be the absolute rule [...] makes little sense conceptually, as it neglects the role of programmer personality (some excellent developers like to concentrate alone and will resent having to be paired) [...]"
"Starting any significant software project (anything beyond a couple of months and a couple of developers) without taking the time to write some basic document defining core requirements is professional malpractice."