alex
@insertScript
@[email protected] # http://insert-script.blogspot.co.at Array(10).join('a'-1)+ Batman! #Cure53
Vous pourriez aimer
I can really recommend his book. I should know, I have read his previous books :-D
In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more. amazon.com/dp/B0BRD9B3GS
Want to learn how to craft payloads like these? Read JavaScript for Hackers to master creative XSS techniques and understand exactly why they work. 🧠 Learn to think like a hacker ⚡ Master the art of payload design Grab your copy 👉 amazon.com/JavaScript-hac…
Even if you are familiar with these vectors, its a really good summary to freshen up your memory.
How to turn iframes and window.open into weapons for XSS. From origin manipulation to sandbox escape, this paper by @aszx87410 is stacked with juicy info. Huli dives deep into the magical world of iframes and and is definitely worth a read!…
GMSGadget (Give Me a Script Gadget) is a collection of JavaScript gadgets that can be used to bypass XSS mitigations such as Content Security Policy (CSP) and HTML sanitizers like DOMPurify. gmsgadget.com A useful tool by @kevin_mizu
I’ve just published slides on Shadow DOM & security! 遅ればせながら #shibuyaxss の資料を公開しました!Shadow DOMとセキュリティの話です~ speakerdeck.com/masatokinugawa… (日本語) speakerdeck.com/masatokinugawa… (English)
<meta http-equiv="refresh" content="0;url='//example.com'@x.com/'"> Chrome redirects to x.com, Safari and Firefox redirect to example.com.
publication of my latest modest paper; Eclipse on Next.js: Conditioned exploitation of an intended race-condition - (CVE-2025-32421) enabling a partial bypass of my previous vulnerability, CVE-2024-46982 by chaining a race-condition to a cache-poisoning zhero-web-sec.github.io/research-and-t…
This will be one of the few occasion I will mention a brand, its not IT Security related and positive. My @HyperX wireless headset started to dismantle itself and the support just requested proof pictures and all was good, a new one was shipped.
I think many people are familiar with the topic of blind CSS exfiltration, especially after the post by @garethheyes However, an important update has occurred since then, which I wrote below ->
the research paper is out: Next.js and the corrupt middleware: the authorizing artifact result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical) zhero-web-sec.github.io/research-and-t… enjoy the read!
What an awesome research! Also really well explained
I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜 The research article is available here: mizu.re/post/exploring… The slides are available here: slides.com/kevin-mizu/gre… 1/3
Absolutely stunning work from @pspaul95 on this CSS Injection - > text node exfil technique. blog.pspaul.de/posts/bench-pr…
MXSS Part 2: Why Client-Side HTML Sanitization is hard In this video, we dive into Parser Differentials, Namespace Confusion, and the Nesting Depth Limit that led to an XSS on Google and multiple DOMPurify bypasses. youtu.be/vVwo5tW6d3w
I really liked it - can't wait for any additional research in this field
This talk by Paul Gerste from @Sonar_Research is really cool 🤩 It applies the principles of "HTTP Desync" attacks to non-HTTP protocols, here database wire protocols 🧠 media.defcon.org/DEF%20CON%2032…
MXSS Explained Part 1: Why Server-Side HTML Sanitizers Are Doomed to Fail with this XSS! In this video, I dive into how sanitizers work, discuss the first known MXSS in IE, and showcase an MXSS vulnerability in the popular Node.js module, sanitize-html. youtu.be/aczTceXp49U
here is the story about CUPS unauthenticated RCE and the messy info dicslosure process the researcher had gone through... evilsocket.net/2024/09/26/Att…
really interesting documentation how history.back, iframes srcdoc and the sandbox attribute are evaluated/loaded to achieve XSS.
there is a challenge in idekCTF 2024 called srcdoc-memos made by icesfont, it's about iframe, sandbox, CSP, navigation, session history and policy container. I spent like a week to understand how it works lol, really complex but also interesting. blog.huli.tw/2024/09/07/en/…
XSS in PDF.js! I think this is going to cause some chaos both client-side and server-side... really nice finding by @CodeanIO codeanlabs.com/blog/research/…
Can't wait to see the payload - especially as I had looked at PDF.js in the past and back then their implementation seemed quite good to ensure XSS can't occure.
Holy shit, CVE-2024-4367 PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF github.com/advisories/GHS… #infosec
I've built a brand new version of my fuzzing tool Shazzer🚀 shazzer.co.uk - Easy fuzz browser behaviour - Find bugs - Share the results with the world
United States Tendances
- 1. New York 1.2M posts
- 2. New York 1.2M posts
- 3. Virginia 537K posts
- 4. Texas 228K posts
- 5. Prop 50 188K posts
- 6. #DWTS 41.3K posts
- 7. Clippers 9,744 posts
- 8. Cuomo 419K posts
- 9. Van Jones 2,579 posts
- 10. TURN THE VOLUME UP 22.7K posts
- 11. Harden 10.1K posts
- 12. Ty Lue 1,012 posts
- 13. Jay Jones 104K posts
- 14. #Election2025 16.7K posts
- 15. Bulls 37.3K posts
- 16. Isaiah Joe N/A
- 17. WOKE IS BACK 39.5K posts
- 18. #questpit 6,156 posts
- 19. AND SO IT BEGINS 8,546 posts
- 20. Eugene Debs 3,257 posts
Vous pourriez aimer
-
Gareth Heyes \u2028
@garethheyes -
Soroush Dalili
@irsdl -
Nicolas Grégoire
@Agarri_FR -
@[email protected]
@SecurityMB -
Jun Kokatsu
@shhnjk -
Orange Tsai 🍊
@orange_8361 -
André Baptista
@0xacb -
Joel Margolis (teknogeek)
@0xteknogeek -
Eduardo Vela
@sirdarckcat -
terjanq
@terjanq -
Masato Kinugawa
@kinugawamasato -
Alvaro Muñoz
@pwntester -
Jon Bottarini
@jon_bottarini -
Ashar Javed
@soaj1664ashar -
Roman Shafigullin
@shafigullin
Something went wrong.
Something went wrong.