$25k GitHub account takeover & justCTF 2023 CSRF+XSS writeup
Sponsored by:
HexRays – get 20% off IDA Pro training sessions with the exclusive code BBRE20: https://bbre.dev/hexrays
Trail of Bits: https://cutt.ly/veucZatb
OtterSec: https://cutt.ly/leucL7cz
SECFORCE: https://cutt.ly/5eoKRyNL
Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw
This video is a writeup of my CTF task “phantom” from justCTF 2023. The task involved a CSRF protection bypass inspired by a $25,000 OAuth account takeover in GitHub, as well as an XSS caused by flawed HTML sanitisation.
Report on the GitHub OAuth bypass: https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Timestamps:
00:00 Intro
00:37 CSRF protection bypass
04:29 HTML sanitisation bypass