• authentication 4
• azure 1
• bitcoin 2
• bug-bounty 4
• bugbounty 16
• cdn 1
• click-jacking 1
• content-type 1
• cookies 1
• cors 1
• csrf 5
• dns 1
• ebay 1
• etsy 3
• facebook 7
• flickr 1
• instagram 1
• isp 1
• messenger 1
• microsoft 1
• office 1
• outlook 1
• passwords 1
• paypal 1
• periscope 1
• png 1
• safecurl 2
• selfxss 1
• sms 1
• ssrf 2
• twitter 1
• uber 1
• vodafone 1
• websec 22
• xss 5
• yahoo 1

authentication

• Bypassing Google Authentication on Periscope's Administration Panel
• Removing Covers Images on Friendship Pages, on Facebook
• Hijacking a Facebook Account with SMS
• Overwriting Banner Images on Etsy

azure

• Obtaining Login Tokens for an Outlook, Office or Azure Account

bitcoin

• SafeCurl "Capture the Bitcoins" Post-Mortem
• SafeCurl: SSRF Protection, and a "Capture the Bitcoins"

bug-bounty

• Framing, Part 1: Click-Jacking Etsy
• Persistent XSS on myworld.ebay.com
• Redirects & Relative Protocols
• My Experience with the PayPal Bug Bounty Programme

bugbounty

• From Bug Bounty Hunter, to Engineer, and Beyond
• Obtaining Login Tokens for an Outlook, Office or Azure Account
• Uber Bug Bounty: Turning Self-XSS into Good-XSS
• An XSS on Facebook via PNGs & Wonky Content Types
• Messenger.com Site-Wide CSRF
• Bypassing Google Authentication on Periscope's Administration Panel
• Bug Bounties 101 - Getting Started
• SafeCurl "Capture the Bitcoins" Post-Mortem
• SafeCurl: SSRF Protection, and a "Capture the Bitcoins"
• Abusing CORS for an XSS on Flickr
• Instagram's One-Click Privacy Switch
• Content Types and XSS: Facebook Studio
• Removing Covers Images on Friendship Pages, on Facebook
• Hijacking a Facebook Account with SMS
• Overwriting Banner Images on Etsy
• Stealing Facebook Access Tokens with a Double Submit

cdn

• An XSS on Facebook via PNGs & Wonky Content Types

click-jacking

• Framing, Part 1: Click-Jacking Etsy

content-type

• An XSS on Facebook via PNGs & Wonky Content Types

cookies

• Cookie Stealing on Customer Internet Connections

cors

• Abusing CORS for an XSS on Flickr

csrf

• Obtaining Login Tokens for an Outlook, Office or Azure Account
• Messenger.com Site-Wide CSRF
• Instagram's One-Click Privacy Switch
• Stealing Facebook Access Tokens with a Double Submit
• My Experience with the PayPal Bug Bounty Programme

dns

• Cookie Stealing on Customer Internet Connections

ebay

• Persistent XSS on myworld.ebay.com

etsy

• Overwriting Banner Images on Etsy
• Framing, Part 1: Click-Jacking Etsy
• Redirects & Relative Protocols

facebook

• An XSS on Facebook via PNGs & Wonky Content Types
• Messenger.com Site-Wide CSRF
• Instagram's One-Click Privacy Switch
• Content Types and XSS: Facebook Studio
• Removing Covers Images on Friendship Pages, on Facebook
• Hijacking a Facebook Account with SMS
• Stealing Facebook Access Tokens with a Double Submit

flickr

• Abusing CORS for an XSS on Flickr

instagram

• Instagram's One-Click Privacy Switch

isp

• Cookie Stealing on Customer Internet Connections

messenger

• Messenger.com Site-Wide CSRF

microsoft

• Obtaining Login Tokens for an Outlook, Office or Azure Account

office

• Obtaining Login Tokens for an Outlook, Office or Azure Account

outlook

• Obtaining Login Tokens for an Outlook, Office or Azure Account

passwords

• Vodafone: No Pasting into Password Fields

paypal

• My Experience with the PayPal Bug Bounty Programme

periscope

• Bypassing Google Authentication on Periscope's Administration Panel

png

• An XSS on Facebook via PNGs & Wonky Content Types

safecurl

• SafeCurl "Capture the Bitcoins" Post-Mortem
• SafeCurl: SSRF Protection, and a "Capture the Bitcoins"

selfxss

• Uber Bug Bounty: Turning Self-XSS into Good-XSS

sms

• Hijacking a Facebook Account with SMS

ssrf

• SafeCurl "Capture the Bitcoins" Post-Mortem
• SafeCurl: SSRF Protection, and a "Capture the Bitcoins"

twitter

• Bypassing Google Authentication on Periscope's Administration Panel

uber

• Uber Bug Bounty: Turning Self-XSS into Good-XSS

vodafone

• Vodafone: No Pasting into Password Fields

websec

• From Bug Bounty Hunter, to Engineer, and Beyond
• Obtaining Login Tokens for an Outlook, Office or Azure Account
• Uber Bug Bounty: Turning Self-XSS into Good-XSS
• An XSS on Facebook via PNGs & Wonky Content Types
• Messenger.com Site-Wide CSRF
• Bypassing Google Authentication on Periscope's Administration Panel
• Bug Bounties 101 - Getting Started
• SafeCurl "Capture the Bitcoins" Post-Mortem
• SafeCurl: SSRF Protection, and a "Capture the Bitcoins"
• Abusing CORS for an XSS on Flickr
• Cookie Stealing on Customer Internet Connections
• Instagram's One-Click Privacy Switch
• Content Types and XSS: Facebook Studio
• Removing Covers Images on Friendship Pages, on Facebook
• Hijacking a Facebook Account with SMS
• Overwriting Banner Images on Etsy
• Stealing Facebook Access Tokens with a Double Submit
• Framing, Part 1: Click-Jacking Etsy
• Persistent XSS on myworld.ebay.com
• Vodafone: No Pasting into Password Fields
• Redirects & Relative Protocols
• My Experience with the PayPal Bug Bounty Programme

xss

• Uber Bug Bounty: Turning Self-XSS into Good-XSS
• An XSS on Facebook via PNGs & Wonky Content Types
• Abusing CORS for an XSS on Flickr
• Content Types and XSS: Facebook Studio
• Persistent XSS on myworld.ebay.com

yahoo

• Abusing CORS for an XSS on Flickr