Blog
Search
Featured posts
Intigriti December XSS Challenge (1225)
A unique 6-part challenge by @Renwa containing many interesting techniques that combine into one large exploit. Learn some HTML/JavaScript quirks, an XS-Leak and how to minimize user interaction
openECSC 2025 - kittychat-secure
Overcomplicating a hard client-side web challenge involving complex CSP script gadgets. Exploit Math.random() predictability, and learn how to use the Connection Pool to make Race Conditions easier.
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
Nonce CSP bypass using Disk Cache
The solution to my small XSS challenge, explaining a new kind of CSP bypass with browser-cached nonces. Leak it with CSS and learn about Disk Cache to safely update your payload