Erling Ellingsen

@steike

Oslo, Norway
alf.nu
Joined August 2008
7 Photos and videos Photos and videos

Tweets

@steike is blocked

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @steike.

  1. 4h

    Make your own colliding PDFs:

    7 retweets 6 likes
  2. Jan 7

    Posted four old browser bugs and a new one

    1 reply . 36 retweets 53 likes
  3. 24 Nov 2016

    In progress. and are back up, soon.

    Any plans to revive ? I can't get it to work through .
    1 reply . 1 retweet 8 likes
  4. 28 Aug 2016

    Oh hey, that's CVE-2011-3441! (except on iOS no extra tricks were needed, just 1.2.3.4%20.victim.㏄ and get cookies)

    Blogged again! Explaining same origin policy bypass in Firefox (CVE-2015-7188) thanks to quirk in IP address parsing
    3 likes
  5. 11 Aug 2016

    It looks like the same solution should work in all the modern browsers with small modifications. This is surprising.

    And by the way - are you going to perhaps provide us with some hint for random4? ;)
    1 reply . 1 like
  6. 3 Aug 2016

    Had a bunch of alert(1)-to-win levels left over that weren't really security related. General ecmascript golf time!

    1 reply . 14 retweets 19 likes
  7. 7 Apr 2016

    Psssht, don't tell anyone about `` resulting in a 400 without headers!

    2 retweets 8 likes
  8. 7 Apr 2016

    Is your entire domain 'X-Frame-Options: DENY', but not your error pages? Now's as good a time as any to fix it… (iframe UXSS in Safari)

    3 replies . 5 retweets 14 likes
  9. 18 Mar 2016

    We gave the whole internet keys so airport security won't break open your luggage. They do anyway. In other news, an FPGA dev kit is a bomb.

    1 retweet 2 likes
  10. 10 Mar 2016

    "Can you please provide me the last 4 characters of the cPanel password to verify ownership of the account?" - cc :-)

    1 reply . 1 like
  11. 5 Oct 2015

    "Code cleanup and fixes"

  12. 10 Sep 2015

    Slides for my talk about FireEye:

    6 replies . 270 retweets 173 likes
  13. 3 Mar 2015

    console.close = function() { console.log('%c', 'background:url(/proxy/http/foo%bar.com/)') }

    2 likes
  14. 2 Feb 2015

    Do you like JSON? Good. Because XSS Puzzle 6 is out and it's about json2.js and ES6. Please re-tweet :)

    21 retweets 13 likes
  15. 2 Sep 2014

    @ehomakov Hi Egor, uses SSL technology. Its certificate has been issued by Thawte. Regards, EK

    2 replies . 9 retweets 4 likes
  16. 21 Feb 2014

    How many ways can you steal this token in modern browsers?

    3 replies . 2 retweets 5 likes
  17. 29 Jan 2014

    Vendor that "fixed" account hijack CSRF last year by adding a token (but not checking it) has now removed the button; endpoint still there.

    3 likes
  18. 29 Jan 2014

    Next to "We escape \ and ", thus making it safe!", can we mention ${} and the RCE that got Yahoo/eBay?

  19. Erling Ellingsen followed , , and 128 others
    • @ProjectZeroBugs

      Checks for new bug reports every 10 minutes. Not affiliated with Google. Ran by

    • @FutureCNN

      It doesn't have to come to this. (And yes, parody account.)

  20. 10 Jan 2014

    .. And here it comes the second and more interesting solution part:

    6 retweets 2 likes

@steike hasn't Tweeted yet.

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·