![]() But while Firefox now added support for nosniff the browser compatibility is still spotty (I am looking at you Safari!!).īut without waiting any further HERE is the live POC. It did not take long until I found the right approach.Ĭaveat #1: also in this case Github sets the X-Content-Type-Options: nosniff to prevent browsers from interpreting this content as valid JavaScript or other file types. So I thought I could do something similar here. And another great blog post: Plain text considered harmful: A cross-domain exploit. This is interpreted in JavaScript as the subtraction of two variables! This remember an old blog post of mine where I could possibly exfiltrate information from properties file formatted in a peculiar way. What immediately caught my attention was that the format of the code forms (with some exceptions) a valid JavaScript file with lines in the format of XXXXX-XXXXX, ten hex digits separated by a hyphen.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |