https://kazama.in/tags/cookie-tossing/ Recent content in Cookie Tossing on kazama.in Hugo -- 0.118.2 en-us Mon, 06 Apr 2026 00:00:00 +0000 https://kazama.in/self-xss-to-cloudflare-single-click-approvals/ Mon, 06 Apr 2026 00:00:00 +0000 https://kazama.in/self-xss-to-cloudflare-single-click-approvals/ You know, that vulnerability class that triagers love to close as “informative” faster than you can type “but wait, there’s a chain.” I took three bugs that would each get laughed out of a triage queue – a Self-XSS nobody can reach, a Cookie Tossing that does nothing, and a predictable CSRF token with no delivery mechanism – and duct-taped them into a single-click bypass of Cloudflare Access’s Temporary Auth approval flow.