BrunoZero (@brunomodificato) 's Twitter Profile
BrunoZero

@brunomodificato

CTFer for: @Water_Paddler / Security auditor @osec_io
my writeups: github.com/BrunoHalltari
24y

ID: 804429598997901312

01-12-2016 20:58:56

414 Tweet

1,1K Followers

406 Following

OtterSec (@osec_io) 's Twitter Profile Photo

PSA: Web3 is plagued by the same bugs that threatened the internet over 2 decades ago. We compiled 3 case studies on how "old" bugs continue to reappear in the new era of decentralization and blockchain. Check out the deep dive here 👉🏼 osec.io/blog/2023-08-1…

huli (@aszx87410) 's Twitter Profile Photo

🚀Exciting News! Introducing my latest work: Beyond XSS This series of articles aims to introduce front-end security topics, perfect for frontend devs and those intrigued by frontend security. Suitable for all skill levels from beginners to intermediates aszx87410.github.io/beyond-xss/en/

BrunoZero (@brunomodificato) 's Twitter Profile Photo

It's been a while since I did technical research, just to take a break for the sake of my mental health, but we recently published research related to Metamask Snaps, including: 1) How does the Metamask sandbox work, especially on the Snap environment 2) A bug on the sandbox

BrunoZero (@brunomodificato) 's Twitter Profile Photo

Today I turn 24, wanted to do an introspection post for 2024 because a lot of stuff happened but I am too lazy and was also super sick. But our research post "Metamask Snaps: Playing in the Sand" has been nominated here. Please vote for it (if you like it).

BrunoZero (@brunomodificato) 's Twitter Profile Photo

Got a solution, even if mine probably wasn't the smartest one. I kinda like those minimalistic challenges with cool tricks. I recommend trying it.

BrunoZero (@brunomodificato) 's Twitter Profile Photo

I've just moved to Zurich and I'm already in love with the way of life here, I no longer miss Barcelona. And just realized how bad living in Italy was

BrunoZero (@brunomodificato) 's Twitter Profile Photo

Playing CTF kind of gives me anxiety and stress, I have a lot less motivation. However, I love those single good challenges on Twitter. I suggest this one :)

Kévin GERVOT (Mizu) (@kevin_mizu) 's Twitter Profile Photo

I think it's time for a solution ⏰
TL;DR
- Eventlet normalizes - to _ in header keys.
- The Fetch spec blocks Transfer-Encoding but not Transfer_Encoding.
- Bypass tracking policy on Firefox using open().
Detailed writeup 👇 mizu.re/post/twitter-e… 1/2

Harel (@h4r3l) 's Twitter Profile Photo

New blog! This time a high severity session takeover in Zoom worth $15,000. Read the story of how sudi, BrunoZero and I chained 2 completely useless XSS vulns to steal OAuth tokens, hijack browser permissions, and more: nokline.github.io/bugbounty/2024…

BrunoZero (@brunomodificato) 's Twitter Profile Photo

New job research: 1) Check how Lavamoat can protect someone from supply chain attacks 2) A bypass on lavapack And some other fun stuff :)

BrunoZero (@brunomodificato) 's Twitter Profile Photo

Las Vegas is a city where everyone begs for tips even for doing something that requires 0 effort, not sure if it's an American thing or just Las Vegas

HackMD 📄 (@hackmdio) 's Twitter Profile Photo

our new look is here 🎨 we're ushering in the next chapter of HackMD with an updated logo, bold colors, and a new site. read more in our announcement below or check it out for yourself at hackmd.io bit.ly/3MlvJZZ

BrunoZero (@brunomodificato) 's Twitter Profile Photo

I have so much fear every time I have to explain to a triager DOS via Cache Poison with some non conventional way.... pray for me 💀

BrunoZero (@brunomodificato) 's Twitter Profile Photo

If you like our research "Supply Chain Attacks: A New Era" please vote for it :D. There is another article where I was involved, "Zoom Session Takeover - Cookie Tossing Payloads"; if you like that too pls feel free to vote for it XD

OtterSec (@osec_io) 's Twitter Profile Photo

We just finished an audit for Lavamoat webpack plugin and found an interesting behaviour related to how the URL construct() was handled. Here are the details 👇

OtterSec (@osec_io) 's Twitter Profile Photo

NEW: A few months ago, we uncovered an authentication bypass in Web3Auth that could have led to full account takeover. In this deep dive, we break down how we found the issue and expose other authentication misconfigurations lurking in Web3. osec.io/blog/2025-07-0…

BrunoZero (@brunomodificato) 's Twitter Profile Photo

Just completed this yesterday, it was fun with some cool tricks! It's been a while since I did a challenge, but I loved it. Thanks Johan Carlsson for the challenge
