Jason Haddix
CEO, Lead Instructor

$200 USD

Live Training and Q&A

Class Recordings Available Online

Class Time: 4+ Hours of Content and Labs

Recommended Level: Intermediate-Advanced

Community Access

I am excited to share "Bug Chaining, Escalation, and Advanced Client-Side", a 4-hour recorded expansion to TBHM!

"Bug Chaining, Escalation, and Advanced Client-Side" is crafted for penetration testers, red teamers, and bug bounty hunters who want to push beyond basic payloads and alert boxes into the real escalation paths that matter today. This expansion focuses on the modern application landscape, where combinations of subdomain XSS, misconfigurations, and overlooked JavaScript gadgets can open the door to high-impact exploitation. We’ll go deep into Content Security Policy (CSP) pitfalls, dangerous CORS setups, cookie tossing and scoping issues, taking advantage of URL redirects, escalating self-XSS, OAuth “dirty dancing”, and more!

We will focus on showing you how chaining these singular, low-impact vulns can lead to higher-impact account takeover chains. Unlike surface-level XSS training, this course is hands-on and escalation-driven, with several live labs. Join us and learn how to take a self-XSS from “just another alert box low” to a full critical account takeover!


-- Launching Mid Q4 2025 - Preorder Available now --

== SYLLABUS ==

1) Intro: Framing the chaining mindset
• Chain vocabulary: self-XSS → login CSRF → OAuth misconfig → subdomain cookie abuse → ATO.
• Threat surface: identities, tokens, cookies, storage, iframes, upload/CDN edges.
• Mental model: “data that moves → trusts that break.”

2) OAuth Dirty Dancing

• Parameters that matter (fast pass): client_id, redirect_uri strictness, response_type, response_mode, scope, state, nonce, code_verifier/PKCE.
• The Frans Rosén gadget: structure, preconditions, and where it hides (RP vs. IdP vs. proxy).
• Exploit code patterns:
  • Crafting malicious redirect_uri/response_mode combos.
  • State handling pitfalls (generation, storage, reflection).
  • Token bounce/relay tricks; mixing origins with permissive allowlists.
• Hardening notes to call out (1 liners, not a lecture).

3) Login CSRF

• Preconditions: auto-login endpoints, weak state, token reuse, GET/POST quirks.
• Exploit code patterns:
  • GET/POST login CSRF payloads that bind the victim to an attacker account.
  • SameSite edge cases; silent auth endpoints.
• Outcome: stable victim session bound to attacker identity.

4) Self-XSS → ATO (Part 1)

• Typical footholds: profile fields, comment boxes, postMessage receivers.
• Exploit code patterns:
  • From clipboard/console “self-XSS” to stored DOM sink.
  • Piggyback the login CSRF to flip session/identity mid-flow.
• Outcome: self-XSS becomes real XSS with the victim’s privileges.

5) Client-side path traversal + open redirect

• Pitfalls: naïve new URL(), joiners, .. normalization, custom routers.
• Exploit code patterns:
  • Traversal to internal loaders; force-load attacker script via open redirect.
  • Build canonical XSS chain: traversal → open redirect → script sink.
• Outcome: reliable DOM XSS on strict frontends.

6) Client-side path traversal + file upload

• Key idea: PDF/WEBP that is also valid JSON/JS (polyglot conventions).
• Exploit code patterns:
  • JSON-valid PDF/WEBP to smuggle attacker-controlled config.
  • JS-valid PDF/WEBP served with lenient sniffing → CSP bypass route.
• Storage/hosting gotchas that make this land (CDN, MIME, sniffers).

7) postMessage bugs

• Anti-patterns: no origin check, loose schema, eval/Function.
• Exploit code patterns:
  • Shaping messages to hit sinks; stealing tokens/CSRF via responses.
• Upgrading via Dirty Dancing: message → OAuth hop → account control.
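As an added example (not course material from this page or from Arcanum), a postMessage receiver that closes the three anti-patterns the section lists: it checks the origin exactly, validates the message shape, and dispatches through a static handler table instead of eval/Function. TRUSTED_ORIGIN, the message types, and the event objects are assumptions constructed for the illustration.

```javascript
// Hardened postMessage receiver (illustrative; all names below are constructed).
const TRUSTED_ORIGIN = "https://app.example";

// Allowlist of message types with explicit handlers; no dynamic code execution.
const HANDLERS = {
  "set-theme": (payload) => ({ ok: true, theme: payload.theme }),
  "get-status": () => ({ ok: true, status: "ready" }),
};

// Strict schema: a plain object whose `type` is an own key of HANDLERS and whose
// optional `payload` is itself a plain object. Inherited keys ("constructor",
// "toString") are rejected because only own properties of HANDLERS count.
function isValidMessage(data) {
  if (typeof data !== "object" || data === null || Array.isArray(data)) return false;
  if (typeof data.type !== "string") return false;
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, data.type)) return false;
  if (data.payload !== undefined) {
    if (typeof data.payload !== "object" || data.payload === null) return false;
  }
  return true;
}

// Processes one MessageEvent-like object. Returns the reply that would be posted
// back, or null when the message is rejected (so callers and tests can observe it).
function handleMessage(event) {
  // Anti-pattern 1: no origin check. Exact string match, never a substring,
  // endsWith or regex test that a look-alike origin could satisfy.
  if (event.origin !== TRUSTED_ORIGIN) return null;
  // Anti-pattern 2: loose schema. Anything not the expected shape is dropped.
  if (!isValidMessage(event.data)) return null;
  // Anti-pattern 3: eval/Function. Dispatch via the static table only.
  const result = HANDLERS[event.data.type](event.data.payload ?? {});
  // Reply only to the verified source, with an explicit targetOrigin.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage(result, event.origin);
  }
  return result;
}
```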

8) XSS in a third-party iframe (Open-faced iframe sandwich)

• Model: parent ↔ 3P iframe ↔ IdP/RP surfaces.
• Exploit code patterns:
  • Using the iframe XSS as a staging area for OAuth Dirty Dancing.
  • Bypassing UI isolation with permissive postMessage bridges.
• Outcome: ATO via 3P content that “isn’t ours.”

9) The power of null-origin iframes

• What “null” actually strips—and what it doesn’t.
• Exploit code patterns:
  • Driving OAuth/login CSRF flows from null-origin sandboxes.
• Moving data between contexts to retain the win.

10) Credentialless iframes

• Where credentialless helps attackers (and where it kills them).
• Exploit code patterns:
  • Self-XSS → credentialless bridge → CSRF/XSS on primary.
• Cookie scoping surprises when requests lose credentials.

11) Subdomain XSS, Part 1 — Cookie smuggling (20m)

• Domain vs. host vs. path semantics in the real world.
• Exploit code patterns:
  • Smuggling cookies that override RP expectations.
  • Targeted path cookies → data exfil + CSRF in “secure” areas.
• Chain: subdomain XSS → smuggle → skip login CSRF → ATO.

12) Subdomain XSS, Part 2 — Cookie bombing

• Exploit code patterns:
  • Forcing oversized cookie jars to clobber legitimate state.
  • Dirty-dance variant: bomb → fall-back path → unintended OAuth.
• Side effect: app-level DoS and auth instability.

13) Conclusion
• Visual chain map of all paths to ATO.
• Quick mitigations checklist (one slide).
• Disclosure hygiene: what to report, how to keep chains reproducible.


--------

Tooling you’ll see in code (minimal call-outs only)
• Browser: JS payloads, window.postMessage, URL games, CSP pokes.
• Interception: Burp/Caido for shaping OAuth params and redirects.
• Crafting: curl one-liners, tiny HTML/JS launchers, polyglot builders.

Pre-reads to send attendees
• OAuth state/nonce best practices; PKCE quick refresher.
• postMessage secure patterns; cookie scope/domain primer.
• Short note on polyglot file structure (PDF/WEBP/JSON/JS).

Having dedicated years to the cybersecurity community, I've decided it's time to embark on a new journey: launching Arcanum Information Security, infused with a unique approach that sets us apart. At Arcanum, our mission is to make a tangible impact on the security community with world-class, modern, and accessible training. In parallel with our training efforts, Arcanum aims to disrupt the consulting model with our unique consulting services.

Level up your security with Arcanum

We're trying to leave a tangible positive impact on cybersecurity through content, consulting, and training. Reach out to learn more!