Posts

• Reconfigurable CORS middleware with jub0bs/cors May 14
• jub0bs/cors: a better CORS middleware library for Go Apr 27

• A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF... May 5
• Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation) Feb 8

• Existence oracle for Secure cookies on insecure Web origins Sep 12
• Scraping the bottom of the CORS barrel (part 1) Aug 4
• CVE-2022-21703: cross-origin request forgery against Grafana Feb 8

• Abusing Slack's file-sharing functionality to de-anonymise fellow workspace members Oct 12
• Subdomain takeover: ignore this vulnerability at your peril Feb 12
• The great SameSite confusion Jan 29

• Protecting your apps from link-based vulnerabilities: reverse tabnabbing, broken-link hijacking, and open redirects Jul 29
• A glimpse at parametric polymorphism in Go: designing a generic bidirectional map Jul 21
• Leveraging an SSRF to leak a secret API key Jun 22
• Chaining an IDOR with a business-logic error to achieve critical impact May 26
• Plugging Git leaks: preventing and fixing information exposure in repositories Feb 26

• Summary of dotGo 2019 Apr 11

• Access control in Go: a primer for Java developers Aug 22
• Defer: sweet, but no syntactic sugar Aug 15