Thanks to HackerOne and my favorite program for this opportunity, hope to see bug bounty folks in Sydney.

a few days ago i was able to leak OAuth code using a similar technique, i changed the referrer policy of the page using a meta tag and then injected an img, even though the referrer policy header was set, the browser followed the new policy from the meta tag

it can also be used to leak the full URL of the parent by injecting it into the srcdoc of a sandboxed iframe

just wrote a blog post based on this technique and described the methodology to take advantage of it, the post also includes an easy-to-set-up testbed to practice with, hope you find it useful blog.voorivex.team/leaking-oauth-…

highly recommend checking out this article if you want to know more about referrer policy, html injection techniques and other cool stuff

We’ve created a lab to demonstrate how an OAuth token can be leaked using a referrer policy override. Check out the article and try the lab here github.com/VoorivexTeam/w…

Is this app vulnerable to XSS?

there’s always some juicy stuff in the endpoints that connect the web app to the macOS or Android app of the company

Google fixed the Referrer Policy override technique in under 10 days. During that window, I found the latest version of DOMPurify on a public HackerOne program, used the trick to demonstrate impact and exploit the OAuth flow, and earned a ~$4K bounty :D

this is the second challenge, and it’s a hard one, can you exploit it?

What do you get when you mix punycode and 0-click account takeover? A talk you absolutely don’t want to miss. @yshahinzadeh & @amirmsafari are teaming up at #NahamCon2025 to walk you through a wild exploit chain 🔥 🗓️ May 23 📍 nahamcon.com

what a presentation by AmirMohammad Safari and YS at NahamCon 2025 ( Ben Sadeghipour ) really cool and useful research, I was able to report several critical thanks to this novel research

been using this techniques to bypass many WAFs, open the console in the vulnrable page, run this code to extract variables refering to window object: for(let x in window)if(window[x]===window)console.log(x); then leaverage it to execute JS functions, happy hunting :]

Last week, I found a dependency confusion vulnerability and reported it HackerOne The program triaged it quickly as "medium" and paid me $750. Yesterday, I felt a bit disappointed because they usually pay $5K–$10K for critical issues, and I wasn’t sure why it was downgraded.

How did we (AmirMohammad Safari) earn $50k using the Punycode technique? I’ve published a detailed blog post about our recent talk, we included 3 attack scenarios, one of which poses a high risk of account takeover on any "Login with GitLab" implementation blog.voorivex.team/puny-code-0-cl…

In our NahamCon talk, we demonstrated how punycode email addresses can impact OAuth implementations. MySQL + GitLab OAuth by default can lead to zero-click account takeover. 🔍 Check out the demo app here: github.com/VoorivexTeam/w…

I got this from Twitter. they've had some delays in triage and payment, but their communication has been professional overall :]

This #NahamCon2025 talk has generated over $50,000 in bounties for YS and a few other hackers: Puny-Code, 0-Click Account Takeover. 🎥👉🏼youtu.be/4CCghc7eUgI

Ben Sadeghipour our talk with AmirMohammad Safari thanks for the amazing conference ❤️