A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/WAF/etc.). Not a crazy idea, but I don't think we've covered any WAF bypass quite like this on the podcast before...
For a GitLab bug, this one is nice and simple: stored XSS in the "default branch name" field. For a group you can set up what the group's default branch name should be for any new repositories created...
When SmugMug bought Flickr from Yahoo they had to move the authentication system away from Yahoo's authentication. A side-effect of this was that the account deletion process had previously used the Yahoo authentication code as the CSRF token, so in the move the token was removed and not replaced with anything functionally equivalent...
The vulnerability here is simply that Opera's Pinboard feature allows pinning URLs starting with `javascript:`, creating a clickable link on a Pinboard that will execute JavaScript. Unfortunately (for the attacker) these tabs open in a new window and not within the Pinboard context; only when middle-clicking will these links trigger within the Pinboard context.
The Shopify GraphQL endpoint has a mutation `appCreditCreate` for Shopify apps to issue credits to merchants that can be used towards future app purchases. While this mutation cannot be used through the GraphQL endpoint at `/admin/internal/web/graphql/core`, the GraphiQL app provided by Shopify does allow the mutation...
An easy vulnerability that shows how checking the magic numbers of a file isn't always sufficient. For some types of files all that matters is that the processor can detect its own content within another file...
**tl;dr** - The OAuth endpoint parses the URL parameters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys, and so redirects the OAuth token to the `redirect_uri` while the endpoint validates that the other value points to a whitelisted location.
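The parser disagreement above, modelled as an added example (constructed here, not code from the writeup or the affected service): a lenient parser that folds `redirect_uri[0` into `redirect_uri` beside a strict one that keeps the raw keys apart, plus a guard that refuses the request whenever the two views of `redirect_uri` do not agree on a single allow-listed value. The folding rule and the allow-list are assumptions.

```python
"""Guard against redirect_uri parameter-parsing ambiguity (constructed example)."""
from urllib.parse import parse_qsl

# Constructed allow-list; stands in for the endpoint's whitelist.
ALLOWED_REDIRECTS = {"https://app.example.com/callback"}


def lenient_key(raw_key: str) -> str:
    # Assumed lenient behaviour: everything from the first '[' is dropped,
    # so 'redirect_uri[0' (unterminated bracket) and 'redirect_uri' collapse
    # into the same variable name.
    return raw_key.split("[", 1)[0]


def parse_lenient(query: str) -> dict:
    # Backend view from the writeup: folded keys, last write wins, so a
    # trailing redirect_uri[0 overwrites the earlier redirect_uri.
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[lenient_key(key)] = value
    return out


def parse_strict(query: str) -> dict:
    # Front-end view: raw keys kept distinct, first occurrence wins.
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def redirect_views(query: str) -> set:
    # Every value that ANY parser could attribute to redirect_uri: raw
    # duplicates as well as bracket variants that a lenient parser folds.
    return {
        value
        for key, value in parse_qsl(query, keep_blank_values=True)
        if lenient_key(key) == "redirect_uri"
    }


def check_redirect(query: str) -> tuple:
    """Return (ok, reason, target). Accept only when exactly one candidate
    value exists, so validation and the eventual redirect cannot diverge."""
    views = redirect_views(query)
    if len(views) != 1:
        return False, "missing or ambiguous redirect_uri", None
    target = views.pop()
    if target not in ALLOWED_REDIRECTS:
        return False, "redirect_uri not allow-listed", None
    return True, "ok", target
```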
I'm not sure what the normal flow for a "One Tap Password" is, but `/scauth/otp/droid/logout` can be used to retrieve the OTP token in the response, which can then be passed to `/scauth/otp/login` along with the username to log in.