Blog


Featured posts

Web, XSS

Intigriti May XSS Challenge (0525)

A challenge by @joaxcar with a small but complex XSS chain, hitting DOM Clobbering with a race condition and abusing a cool URL parsing quirk in JavaScript.

External

MCP: May Cause Pwnage - Backdoors in Disguise

Together with @AtomicByte, we found some vulnerabilities in the MCP protocol and debugging tools, and scanned for internet-exposed servers. This resulted in a ton of results ranging from headless browsers and databases to code evaluators.

Web

Cache Deception on my new site!

A fun story about discovering that my site was vulnerable to Cache Deception, where my visiting a link could leak all hidden blog posts to an attacker, thanks to URL-decoding and Path Traversals confusing the cache rules.

Web, Scripting

x3CTF - blogdog (+ new CSS Injection XS-Leak!)

A "hard web xssbot" challenge about a fun browser quirk with the is= attribute to perform CSS Injection. Bypass the strict CSP with an unintended new technique to XS-Leak a selector's result by detecting the site crashing.