???? Challenge yourself in 2024 justCTF online teaser: https://2024.justctf.team
Sponsored by:
HexRays – get 20% from IDA pro training sessions with exclusive code BBRE20: https://bbre.dev/hexrays
Trail of Bits: https://cutt.ly/veucZatb
OtterSec: https://cutt.ly/leucL7cz
SECFORCE: https://cutt.ly/5eoKRyNL

???? Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
???? Follow me on Twitter: https://bbre.dev/tw

This video is a writeup of my CTF task “phantom” from justCTF 2023 that involved a CSRF inspired by a $25,000 Oauth account takeover in GitHub and also involved an XSS due to invalid sanitisation.

GitHub’s Report: https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html


00:00 Intro
00:37 CSRF protection bypass
04:29 HTML sanitisation bypass

Add comment

Your email address will not be published. Required fields are marked *