Here is the story of an interesting bug chain involving JSONP and SameSite that I found today. infosec.exchange/@jub0bs/1113...

Safari on iOS 17.1.1 still supports assigning the protocol to JavaScript! They block \n or \r but of course forget about \u2028 and \u2029. It's fixed in Safari TP.

If Twitter has brought me anything, it is multiple new social media accounts on a bunch of different platforms...

I've created a javascript bookmarklet that will extract all endpoints (starting with /) from your current DOM and from all the all the external script sources embedded on the page. You can find it here, if you want to try it out: https://0-a.nl/jsendpoints.txt #bugbountytips