🔥The 9th Round of Easy Loan, Earn $40 Reward is in progress❗️ ⏰ Promotion Period: January 15th - Feburary 15th, 2025 👉 Register now and check more details at gate.io/campaigns/358

Great trick by Kévin GERVOT (Mizu)! I always thought caches were scoped to the current JS context, but apparently they’re scoped to the entire origin

This was a good one, I’m proud of it. We managed to get very technical and even drop a new technique while not requiring too much prior knowledge Thanks to Critical Thinking - Bug Bounty Podcast for having me again

Here's a code snippet that as far as I can tell pretty much solves prototype pollution. It's based on github.com/tc39/proposal-…, and after running it you can access an object's prototype with object[Symbol.instanceProto], and object["__proto__"] will be undefined.

I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜 The research article is available here: mizu.re/post/exploring… The slides are available here: slides.com/kevin-mizu/gre… 1/3

We made it, y'all! 100 Episodes. We put together a banger for y'all to celebrate: 8 crazy bugs from top hackers giveaways sad announcement from Joel Margolis (teknogeek) Shift - Caido AI announcement It has been a great ride - cheers to many more episodes! youtu.be/ANYtLQrT-F0

Our talk at #BHEU is done! Hope you all enjoyed it. 😉 A detailed blog is on the way, but in the meantime, check out the pre-alpha website worst.fit for early access and the slides! Huge thanks to Black Hat and my awesome co-presenter splitline 👁️🐈‍⬛! 🐈‍

.Cybernews did a short documentary on bug bounties and it’s 🔥!! youtu.be/Vtj-RHEQn8M?si…

The character that broke Safari's cookies (with @mtnBer)

I’m very excited to be part of the team! I can’t wait to collaborate with all of these amazing hackers and learn from them

In 2024, I interacted a lot with Extensions. I decided to create a resource that will help with a basic understanding of extensions and key attacks. P.S. I tried to make everything as clear as possible and hope it won’t feel too overwhelming anywhere. extensions.neplox.security

New blog post with shubs: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here: samcurry.net/hacking-subaru

I freaking love the Critical Thinkers discord 😂 Matan Berson xssdoctor FEAT: Balint&Demo

Got back last week from Tokyo🇯🇵 where I caught Renée Boudreault & @Slonser's talk with kumavis Being part of the web/browser/JavaScript security niche from the perspective of crypto wallets specifically, felt like a talk to not miss Here's what I learned 🧵 x.com/neploxaudit/st…

The legendary Johan Carlsson made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx. Check out the writeup below: jorianwoltjer.com/blog/p/hacking…

New video! XSS like you’ve never seen before youtube.com/watch?v=RLyhPG… Huge thanks to Matan Berson

I’m in a pwnfunction video! Check it out, it’s very well made and the vulnerability chain is quite unique youtube.com/watch?v=RLyhPG…

The vector: <svg><title><![CDATA[--></title><img src onerror=alert(1)>]]>