Egor Homakov

Security consulting: Sakurity. Twitter: @homakov. Email: homakov@gmail.com

Saturday, February 21, 2015

New blog

This blog is closed, new posts will be published at http://sakurity.com/blog Thanks for being with me here for so many years :)
Wednesday, December 17, 2014

Blatant CSRF in Doorkeeper, most popular OAuth2 gem

I read a post about CSRF on DigitalOcean (in Russian) by Sergey Belove. My first reaction was, obviously, how come? DigitalOcean is not k...
8 comments
Sunday, December 7, 2014

New Paypal gateway UI is a disaster

Hey. I decided to get a paid plan on Github and Paypal looked like a good payment option to me. Click the blue button here: This looks ...
12 comments
Thursday, December 4, 2014

The No CAPTCHA problem

When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what? Finally it...
13 comments
Sunday, November 30, 2014

Hacking file uploaders with race condition

TL;DR I use a race condition to upload two avatars at the same time to exploit another Paperclip bug and get remote code execution on Apach...
Tuesday, September 2, 2014

Bypassing ClearClick and X-Frame-Options:Visible

I bet you know what Clickjacking (CJ) is. Old problem everybody's tired of hearing of. There are three types of web pages. Don...
2 comments
Tuesday, July 22, 2014

Timing attack, 6.66% faster

Personally I'm not a big fan of timing attacks as I believe they are impractical for web apps (while perfectly useful in other fields). ...
7 comments
Friday, May 2, 2014

Covert Redirect FAQ

Hey, so-called covert redirect was all over the news today. I was asked by our client Auth0 if everything is ok with them - they are alrig...
6 comments
Friday, February 7, 2014

Paperclip vulnerability leading to XSS or RCE.

Paperclip is the most popular upload tool for Ruby on Rails, and I found a way to upload a file with arbitrary extension, which can lead to...
3 comments

How I hacked Github again.

This is a story about 5 Low-Severity bugs I pulled together to create a simple but high severity exploit, giving me access to private reposi...
49 comments
Tuesday, January 28, 2014

Turbo API: How to use CORS without Preflights

From the official doc on Cross Origin Resource Sharing: A header is said to be a simple header if the header field name is an ASCII case-...
4 comments
Sunday, January 26, 2014

Two "WontFix" vulnerabilities in Facebook Connect

TL;DR Every website with "Connect Facebook account and log in with it" is vulnerable to account hijacking. Every website relying o...
11 comments
Sunday, January 19, 2014

Header injection in Sinatra/Rack

Try to run this simple app: require 'sinatra' get '/' do redirect params[:to] if params[:to].start_with? 'http://...
5 comments
Saturday, January 18, 2014

Cookie Bomb or let's break the Internet.

TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will k...
22 comments
Tuesday, January 14, 2014

Account hijacking on MtGox

If it wasn't MtGox I wouldn't even mention it — XSS/fixation/etc are web sec routines, and are not worth a blog post. But it *is* ...
11 comments
Monday, January 13, 2014

Evolution of Open Redirect Vulnerability.

TL;DR ///host.com is parsed as relative-path URL by server side libraries, but Chrome and Firefox violate RFC and load http://host.com inst...
11 comments

Using Content-Security-Policy for Evil

TL;DR How can we use technique created to protect websites for Evil? (We used XSS Auditor for Evil before) There's a neat way: taking...
4 comments