Real world example
HackMD Stored XSS & Bypass CSP with Google Tag Manager (GTM + unsafe-eval) https://github.com/k1tten/writeups/blob/master/bugbounty_writeup/HackMD_XSS_%26_Bypass_CSP.md
A Wormable XSS on HackMD! (cdnjs + angular CSTI) https://blog.orange.tw/2019/03/a-wormable-xss-on-hackmd.html
Feature: Cookies default to SameSite=Lax https://chromestatus.com/feature/5088147346030592 Note: Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago. Such cookies will also be sent with non-idempotent (e.g. POST) top-level cross-site requests.… Support for this intervention ("Lax + POST") will be removed in the future.
Real world example
CVE-2022-21703: cross-origin request forgery against Grafana https://jub0bs.com/posts/2022-02-08-cve-2022-21703-writeup/
Subdomain takeover on svcgatewayus.starbucks.com https://hackerone.com/reports/325336
Real world example Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
Is it vulnerable? Yes :) No :(

    app.get('/search', (req, res) => {
      const user = db.users.search(req.query.q)
      // res.status(404) on its own never ends the response; sendStatus actually sends the 404
      if (!user) return res.sendStatus(404)
      res.send(user)
    })

Found => 200
Not Found => 404
Can you exploit the vulnerability?

    app.get('/search', (req, res) => {
      const user = db.users.search(req.query.q)
      if (!user) return res.send('not found')
      res.redirect('/result?id=' + user.id)
    })
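Added example, not from the slides: both quiz handlers rewritten as plain functions (no Express, so it runs stand-alone) next to a hardened version, plus a check that compares the responses for an existing and a missing user. The user table and the `hardenedSearch` design are constructed for this example.

```javascript
// Constructed sample data standing in for the slides' db.users.search.
const users = [{ id: 7, name: 'alice' }, { id: 9, name: 'bob' }];
const db = { users: { search: (q) => users.find((u) => u.name === q) } };

// Quiz version 1: 200 for a hit, 404 for a miss. A cross-site page can tell the
// two apart (a <script src> or <img> fires onload vs onerror), so existence leaks.
function searchStatus(req) {
  const user = db.users.search(req.query.q);
  if (!user) return { status: 404, headers: {}, body: '' };
  return { status: 200, headers: {}, body: JSON.stringify(user) };
}

// Quiz version 2: 200 text for a miss, 302 redirect for a hit. Still observable
// cross-site (redirect count, final frame URL, timing), so it still leaks.
function searchRedirect(req) {
  const user = db.users.search(req.query.q);
  if (!user) return { status: 200, headers: {}, body: 'not found' };
  return { status: 302, headers: { Location: '/result?id=' + user.id }, body: '' };
}

// Hardened (assumed design): reject cross-site requests via Fetch Metadata before
// touching the query, so that decision cannot depend on q, and answer a hit and a
// miss with the same status and the same body shape.
function hardenedSearch(req) {
  const site = req.headers['sec-fetch-site']; // absent on old browsers
  if (site === 'cross-site') return { status: 403, headers: {}, body: '' };
  const user = db.users.search(req.query.q);
  return {
    status: 200,
    headers: { 'Cross-Origin-Resource-Policy': 'same-origin', Vary: 'Sec-Fetch-Site' },
    body: JSON.stringify({ results: user ? [user] : [] }),
  };
}

// Oracle check: does the handler answer a hit and a miss with a different status
// or Location? Those two signals are observable cross-origin; the body is not.
function leaksExistence(handler, headers = {}) {
  const hit = handler({ query: { q: 'alice' }, headers });
  const miss = handler({ query: { q: 'nobody' }, headers });
  return hit.status !== miss.status || hit.headers.Location !== miss.headers.Location;
}

const crossSite = { 'sec-fetch-site': 'cross-site' };
console.log(leaksExistence(searchStatus, crossSite), leaksExistence(searchRedirect, crossSite),
  leaksExistence(hardenedSearch, crossSite)); // true true false
```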