bug-bounty451
google354
xss338
microsoft283
facebook246
apple171
exploit163
rce160
malware102
account-takeover95
cve91
bragging-post86
csrf83
browser77
writeup75
privilege-escalation68
react60
authentication-bypass57
cloudflare54
dos53
node52
docker51
ssrf51
phishing50
aws48
access-control47
oauth45
smart-contract45
supply-chain44
ethereum43
defi42
web342
sql-injection41
lfi37
idor35
vulnerability-disclosure32
smart-contract-vulnerability32
clickjacking31
burp-suite31
info-disclosure31
race-condition31
web-application31
reverse-engineering31
wordpress30
input-validation30
web-security29
information-disclosure29
cloud29
reflected-xss29
solidity27
0
7/10
Advanced CORS exploitation techniques demonstrating two real-world cases: chaining XSS vulnerabilities with CORS misconfigurations to leak sensitive data, and bypassing CORS origin validation using special characters in domain names (particularly in Safari) to exploit wildcard subdomain whitelisting. The second technique leverages browser inconsistencies in domain validation to craft malicious origins like 'zzzz.ubnt.com=.evil.com' that pass CORS checks while resolving to attacker-controlled domains.
cors-misconfiguration
cors-exploitation
xss
cross-origin-request
subdomain-takeover
browser-quirks
special-characters-bypass
origin-header-validation
wildcard-dns
safari-vulnerability
credential-leakage
api-security
Ayoub Safa
Sandh0t
HackerOne
Ubnt
Corben Leo
Davide Danelon
PortSwigger
Geekboy