fix sandbox + COOP, change to getting started

config/_default/menus/menus.en.toml

@@ -1,6 +1,6 @@
 [[main]]
-  name = "Introduction"
-  url = "/docs/prologue/introduction/"
+  name = "Getting started"
+  url = "/docs/getting-started/introduction/"
   weight = 10
 
 [[main]]

content/en/docs/getting-started/_index.md

@@ -0,0 +1,10 @@
+---
+title : "Getting started"
+description: "Getting started"
+lead: "Getting started"
+date: 2020-10-06T08:48:45+00:00
+lastmod: 2020-10-06T08:48:45+00:00
+draft: false
+images: []
+weight: 100
+---

content/en/docs/getting-started/introduction.md

@@ -0,0 +1,24 @@
+---
+title: "Introduction"
+description: "OffensiveWeb aims to offer clear and comprehensive information on various web security concepts, such as vulnerability research, fuzzing and security measures."
+lead: "OffensiveWeb aims to offer clear and comprehensive information on various web security concepts, such as vulnerability research, fuzzing and security measures."
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+  docs:
+    parent: "prologue"
+weight: 100
+toc: true
+---
+
+## OffensiveWeb
+
+{{< alert icon="⚠️" text="OffensiveWeb is intended for educational and informational purposes only, and should not be used for any illegal or malicious activities." />}}
+
+Welcome to **OffensiveWeb** ! Our goal is to provide clear and comprehensive information about web security concepts that can often be difficult to understand. More specifically, you will find resources related to web security, vulnerability research/analysis, fuzzing and also security measures to overcome various types of vulnerabilities.
+
+Whether you're a security researcher, web developer, or just interested in learning more about web security, our documentation can help you improve your understanding of web security, stay up-to-date and and even conduct your own research.
+
+Thank you for visiting, and we hope you find our site helpful in your journey towards a more secure web.

content/en/docs/getting-started/learning.md

@@ -0,0 +1,45 @@
+---
+title: "Learning"
+description: "List of resources to learn and stay up to date on the latest types of vulnerabilities."
+lead: "List of resources to learn and stay up to date on the latest types of vulnerabilities."
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+  docs:
+    parent: "getting-started"
+weight: 100
+toc: true
+---
+
+## Courses
+
+- [OWASP - Cheat Sheet Series](https://cheatsheetseries.owasp.org/Glossary.html)
+- [Mozilla - MDN](https://developer.mozilla.org/en-US/docs/Learn)
+- [HTML Standard](https://html.spec.whatwg.org/)
+- [RFC 2616 - HTTP](https://www.rfc-editor.org/rfc/rfc2616)
+- [PortSwigger - WebSecurity Academy](https://portswigger.net/web-security/learning-path)
+
+## Articles
+
+- [PortSwigger - Research](https://portswigger.net/research)
+- [YesWeHack - Talent Development](https://blog.yeswehack.com/category/talent-development/)
+- [Synacktiv - Publications](https://www.synacktiv.com/en/publications)
+- [SonarSource - Security blog](https://www.sonarsource.com/blog/tag/security/)
+
+## Vulnerability Feeds
+
+- [Github Advisory Database (GHSA)](https://github.com/advisories?query=type%3Areviewed)
+- [HackerOne - Disclosed reports](https://hackerone.com/hacktivity)
+
+## Challenges
+
+- [PortSwigger - WebSecurity Academy](https://portswigger.net/web-security/learning-path)
+- [HackTheBox - Web challenges](https://app.hackthebox.com/challenges)
+- [CTFTime - Upcomming CTFs](https://ctftime.org/event/list/upcoming)
+- [HeroCTF - self promotion :')](https://github.com/HeroCTF/)
+
+## Books
+
+- JavaScript for hackers - Gareth Heyes

content/en/docs/getting-started/vulnerability-reports.md

@@ -0,0 +1,76 @@
+---
+title: "Vulnerability / CTF reports"
+description: "List of interesting vulnerability reports and CTF writeups."
+lead: "List of interesting vulnerability reports and CTF writeups."
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+  docs:
+    parent: "getting-started"
+weight: 100
+toc: true
+---
+
+## Blog
+
+- [jub0bs.com](https://jub0bs.com/posts/)
+- [blog.ankursundara.com](https://blog.ankursundara.com/)
+- [terjanq.medium.com](https://terjanq.medium.com/)
+- [mizu.re](https://mizu.re/)
+- [spaceraccoon.dev](https://spaceraccoon.dev/)
+- [sekai.team](https://sekai.team/tags/web/)
+- [org.anize.rs](https://org.anize.rs/writeups/)
+- [larry.sh](https://larry.sh/)
+- [brycec.me](https://brycec.me/blog)
+- [blog.arkark.dev](https://blog.arkark.dev/)
+- [blog.huli.tw](https://blog.huli.tw/en/categories/)
+- [labs.detectify.com](https://labs.detectify.com/tag/frans-rosen/)
+- [ahmed-belkahla.me](https://ahmed-belkahla.me/#posts)
+
+## XSS
+
+- [GCP - XSS in POST Request & Markdown](https://obmiblog.blogspot.com/2022/12/gcp-2022-few-bugs-in-google-cloud-shell.html) - XSS in POST request using CSRF attack. Using [NEL](https://web.dev/network-error-logging/) to leak session token.
+- [html-janitor - Bypassing sanitization using DOM clobbering](https://hackerone.com/reports/308158)
+- [Microsoft Teams - XSS using a CSS class attribute inside AngularJS](https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own)
+
+## Client-Side
+
+- [Article - Shadow DOM data exfiltration](https://blog.ankursundara.com/shadow-dom/) & [CTF - shadow](https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md)
+- [Article - The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)
+- [Article - CSP bypass on Wordpress using SOME](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
+
+## Server-Side
+
+- [Article - Exploiting HTTP Parsers Inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
+
+## XXE
+
+- [CTF - Client-Side XXE to exfiltrate a page](https://github.com/dicegang/dicectf-2023-challenges/tree/main/web/impossible-xss)
+
+## Information leakage
+
+- [Linkedin - Information disclosure by sending a GIF](https://hackerone.com/reports/1801427) - The victim automatically requests a webhook (fake GIF URL) when opening a message. This allows an attacker to retrieve the victim's UA and IP address.
+
+## Domains Takeover
+
+- [Brave - S3 Bucket Takeover](https://hackerone.com/reports/1835133) - An attacker can claim an S3 bucket that was previously used by Brave but now deleted.
+
+## SSRF
+
+- [Imgur - SSRF Attack Surface](https://hackerone.com/reports/115748) - SSRF vulnerability which allows an attacker to craft connections originating from imgur servers.
+- [GCP - SSRF Host Check Bypass](https://blog.geekycat.in/client-side-ssrf-to-google-cloud-project-takeover/) - SSRF host check bypass using an OPR on a google subdomain.
+
+## Misconfiguration
+
+- [Article - NGINX alias misconfiguration](https://labs.hakaioffsec.com/nginx-alias-traversal/)
+
+## Prototype pollution
+
+- [Huntr - Mongoose Prototype Pollution](https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467/)
+
+## Others
+
+- [Article - Detecting uBlock on Chrome Browser](https://blog.ankursundara.com/checking-enumerating-a-users-browser-extensions/)
+- [Article - Exploitation of iCalendar standard](https://spaceraccoon.dev/exploiting-icalendar-properties-enterprise-applications/)

content/en/docs/writeup/sekaictf2023_golfjail.md

@@ -82,9 +82,23 @@ We know how to execute an XSS, our next challenge is to bypass the 30 characters
 26
 ```
 
-When you're within an `iframe`, you can't employ the `location` attribute to access the top-level location. Using `top.location` exceeds the character limit. However, you can leverage the [baseURI](https://devdoc.net/web/developer.mozilla.org/en-US/docs/Web/API/Document/baseURI.html) property of the Node (in this case, the `svg`). This property provides the absolute base URL of the document housing the node.
+When you're within an `iframe`, you can't employ the `location` attribute to access the top-level location and you can't use the `top.location` attribute because it exceeds the character limit. However, you can leverage the [baseURI](https://devdoc.net/web/developer.mozilla.org/en-US/docs/Web/API/Document/baseURI.html) property of the Node (in this case, the `svg`). This property provides the absolute base URL of the document housing the node.
 
-> Futhermore, you cannot access the `top` window context because the [Cross-Origin-Opener-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) header is set to `same-origin` (cross-origin documents are not loaded in the same browsing context).
+{{< details "Iframe's sandbox & COOP" >}}
+Futhermore, you cannot access the `top` window context because of the [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox) iframe's attribute. Also, you cannot access the `opener` attribute from other origin because the [Cross-Origin-Opener-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) header is set to `same-origin` (cross-origin documents are not loaded in the same browsing context).
+
+```
+=> WORKING
+document.write("<iframe srcdoc='<script>alert(top.location)</script>'></iframe>")
+
+=> NOT WORKING (Blocked by sandbox attribute)
+document.write("<iframe sandbox='allow-scripts' srcdoc='<script>alert(top.location)</script>'></iframe>")
+
+=> Depends on Cross-Origin-Opener-Policy, here only same-origin
+document.write("<iframe sandbox='allow-scripts' srcdoc='<script>console.log(top.opener)</script>'></iframe>")
+```
+
+{{< /details >}}
 
 As we cannot directly evalute the `baseURI` property, we can create a string that will contain the URL, close this string and initiate our second payload. This means the second payload resides both within the URL and outside the `xss` parameter, allowing us to bypass the character limit.