jub0bs
Independent software developer, #infosec enthusiast, and #golang trainer. Minimalist. Atheist. Chaotic good. #degrowth. He/him.
29 Aug
Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". 😭 Try this trick... 1/3 #bugbountytips
Send a no-CORS request with content type "text/plain; application/json". If your request only contains CORS-safelisted headers, no preflight request will be triggered! 🤯 2/3 UntrueTautTriangle.jub0bs.repl.co
If the stars are aligned, the server only checks that "application/json" is _contained_ within the value of the Content-Type request header (to allow for "application/json; charset=utf-8", etc.), and your attack will succeed. 🤞 3/3
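The thread hinges on the server deciding "is this JSON?" by substring match. The added Go example below is not the thread author's code; it contrasts that weak check with one that parses the header as a media type, and wraps the strict version in a hypothetical `requireJSON` middleware (all function names are mine). The sample header values are constructed, and include the `text/plain; application/json` value from the thread, whose media type essence is `text/plain` and therefore stays CORS-safelisted.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// naiveIsJSON reproduces the weak server-side check the thread relies on:
// it accepts any Content-Type that merely *contains* "application/json".
// "text/plain; application/json" passes, although its media type is text/plain.
func naiveIsJSON(contentType string) bool {
	return strings.Contains(strings.ToLower(contentType), "application/json")
}

// strictIsJSON parses the header as a media type (RFC 2045 syntax) and
// accepts only when the media type itself is application/json.
// Parameters such as "; charset=utf-8" are still allowed; a malformed
// parameter list (e.g. "; application/json") is a parse error and is rejected.
func strictIsJSON(contentType string) bool {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false
	}
	return mediaType == "application/json"
}

// requireJSON is a hypothetical middleware (not from the thread) that applies
// strictIsJSON to incoming requests and replies 415 Unsupported Media Type
// when the body is not declared as JSON.
func requireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strictIsJSON(r.Header.Get("Content-Type")) {
			http.Error(w, "expected application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample Content-Type values, including the one from the thread.
	samples := []string{
		"application/json",
		"application/json; charset=utf-8",
		"text/plain",
		"text/plain; application/json", // media type essence is text/plain: no preflight
	}
	for _, ct := range samples {
		fmt.Printf("%-36q naive=%-5v strict=%v\n", ct, naiveIsJSON(ct), strictIsJSON(ct))
	}
}
```

Running it shows the two checks agreeing on every value except the last one, where only the substring check lets the request through. The general point goes beyond this one header: any allow-list decision on a structured header value should be made on the parsed value, not on the raw string.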
26 Jun 18
I'm only halfway through Bertrand Meyer's 2014 book, "Agile! The Good, the Hype and the Ugly", but it's already proven its worth as a lucid, unrestrained appraisal of #Agile principles and methodologies. Here are a few passages that resonated with me...
"#XP's insistence that [pair programming] should be the absolute rule [...] makes little sense conceptually, as it neglects the role of programmer personality (some excellent developers like to concentrate alone and will resent having to be paired) [...]"
"Starting any significant software project (anything beyond a couple of months and a couple of developers) without taking the time to write some basic document defining core requirements is professional malpractice."