RC RANDOM CHAOS

appsec

2 posts

The same-origin policy is not protecting your API
Article

The same-origin policy is not protecting your API

A permissive CORS header delegates the read decision to the requester, letting attacker script read authenticated responses through the victim's own browser.

Eight months building a Burp Suite replacement
Article

Eight months building a Burp Suite replacement

An honest write-up of building Interceptor, an open-source Burp Suite alternative - license choices, attacker math, defender economics, and what got cut.