appsec
2 posts
Article
The same-origin policy is not protecting your API
A permissive CORS header delegates the read decision to the requester, letting attacker script read authenticated responses through the victim's own browser.
Article
Eight months building a Burp Suite replacement
An honest write-up of building Interceptor, an open-source Burp Suite alternative - license choices, attacker math, defender economics, and what got cut.