Post: POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows

Post: SSO Gadgets II: Unauthenticated Client-Side Template Injection to Account Takeover using SSO Gadget Chain

Post: SSO Gadgets: Escalate (Self-)XSS to ATO

Advisories: Flickr Account Takeover

Advisories: TikTok Careers Portal Account Takeover

Post: Real-life OIDC Security (VII): Responsible Disclosure

Post: Real-life OIDC Security (VI): Reusable state leads to DoS Amplification

Post: Real-life OIDC Security (V): Redirect URI

Post: Real-life OIDC Security (IV): Server-Side-Request-Forgery

Post: Real-life OIDC Security (III): CRLF Injections

Post: Real-life OIDC Security (II): Login Confusion

Advisories: CVE-2020-13294

Post: Real-life OIDC Security (I): Overview