🚀Exciting News! Introducing my latest work: Beyond XSS. This series of articles aims to introduce front-end security topics, perfect for frontend devs and those intrigued by frontend security. Suitable for all skill levels from beginners to intermediates.

RT @kevin_mizu: I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Ha….

RT @terjanq: For this year Google CTF I created yet another Postviewer challenge called Postviewer v5². The challenge featured a seemingly….

Why is this critical 🤔.

RT @J0R1AN: Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this techniqu….

RT @slonser_: Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vuln….

RT @intenttoship: Blink: Intent to Deprecate and Remove: Remove auto-detection of ISO-2022-JP charset in HTML.

RT @tyage: In addition to this amazing discovery, there was another middleware bypass with the `__nextLocale` URL query that was fixed in 2….

RT @rootxharsh: New Blogpost - We identified a vulnerability in Discourse where a misconfiguration in Rails send_file + Nginx's internal di….

RT @zhero___: while waiting for the big article to come (soon), I share with you a small article concerning a small research which led to a….

RT @osec_io: NEW: A few months ago, we uncovered an authentication bypass in Web3Auth that could have led to full account takeover. In thi….

RT @salvatoreabello: It's possible to do CSS exfiltration under default-src: 'self'. Learn how:

RT @J0R1AN: Here's a way to exploit `eval(name)` on Firefox without user interaction:

RT @kevin_mizu: For this challenge, it was necessary to abuse a discrepancy between the DOM and the rendered page in Firefox's cache handli….

RT @BugsAggregator: Chrome Extension context isolation bypass. (reward: $10000)

RT @gregxsunday: Cross-Site POST Requests Without a Content-Type Header by @lukejahnke.#BBRENewsletter85 https://t.….

RT @icesfont2: x = open("/");.setTimeout(() => {.x.history.pushState(1,1,"/cookie");.setTimeout(() => {.x.location = "javascript:'zzz'";.se….

RT @kevin_mizu: My @HeroCTF #web challenges write-ups are now available! :D. Here's a short list of the topics cov….

RT @kinugawamasato: Here is a bypass fixed in DOMPurify 3.1.7. It works only if special settings are used. Notice why the comment is closed….

RT @ambionics: At long last: Iconv, set the charset to RCE (part 3): in this final part of the iconv series, @cfreal_ demonstrates how you….

finally finished my writeup(more like a note actually) for a few interesting web challenges in HITCON CTF & corCTF & sekaiCTF 2024. I didn't play all the challenges but still learn a lot from the writeup/solutions posted by others.