I'm very happy to finally share the second part of my DOMPurify security research 🔥 This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)! Link 👇 mizu.re/post/exploring… 1/2

We have published a blog post by RyotaK RyotaK ! It showcases techniques for achieving RCE by chaining multiple issues in a well-known Japanese business application built with Electron. Be sure to check it out! flatt.tech/research/posts…

Firefoxで見つけたSOPバイパス、CSPバイパス、XSS関連の脆弱性について話すクラ〜 browsercrashclub.connpass.com/event/350203/

インタビュー答えました。 いつまでも手探りでバグ探してるようなかんじなのにバグハンター歴14年は客観的にみたら大ベテランでやばい

I think many people are familiar with the topic of blind CSS exfiltration, especially after the post by Gareth Heyes \u2028 However, an important update has occurred since then, which I wrote below ->

昨年見つけたFirefoxの脆弱性について解説した Browser Crash Club #1 のスライドを公開しました！ありがとうございました！！ #browsercrashclub speakerdeck.com/masatokinugawa…

Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->

lol, this works on Firefox: <object data=# codebase=javascript:alert(document.domain)//> OR <embed src=# codebase=javascript:alert(document.domain)//>

#shibuyaxss、Shadow DOMによるカプセル化を突き破る様々な手法を紹介しながら、Shadow DOMをセキュリティ用途で使うことの是非について話します〜 shibuyaxss.connpass.com/event/357393/

> Fixed escaping < and > when serializing HTML attribute values. (295149@main) (150520333) 🥺🥺🥺

🚨 Heads up for web devs! 🚨 The HTML spec just got an important update to protect against mutation XSS (mXSS). Find out how escaping < and > in attributes is making the web a safer place. bughunters.google.com/blog/503874286…

My new research Escalation of Self-XSS to XSS using modern browser capabilities. blog.slonser.info/posts/make-sel…

Did you know that when Flash was killed, all major browsers started replacing certain URLs specified in <object> for compat? See: github.com/whatwg/html/is… I first learned about it last month and found this Firefox bug: mozilla.org/en-US/security…

#shibuyaxss ありがとうございました！資料は後日なるはやで公開します！

Here's the slide for the talk I gave at #shibuyaxss speakerdeck.com/shhnjk/operati…