Addressed AWS defaults risks: OIDC, Terraform and Anonymous to AdministratorAccess
Sign-in with World ID: XSS and ATO via OIDC Form Post Response Mode
How a Single Parameter Led to Two ATO Cases
POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows
No keys attached: Exploring GitHub-to-AWS keyless authentication flaws
SSO Gadgets II: Unauthenticated Client-Side Template Injection to Account Takeover using SSO Gadget Chain
From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk
Exploiting misconfigured Google Cloud Service Accounts from GitHub Actions
Vulnerability Spotlight: CVE-2023-0264
Identifying vulnerabilities in GitHub Actions & AWS OIDC Configurations
User impersonation via stolen UUID code in KeyCloak (CVE-2023-0264)
Flask Security
CVE-2020-13294
Leaking OpenID tokens with “ — the bug right in front of you