I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥
The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs.
gmsgadget.com
1/4
Posts by Geluchat
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I'm ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...
With @gelu.chat, we created a challenge for the @pwnmectf inspired by a bug he found in bug bounty a year ago!
If you have some time this weekend, give it a try!
pwnme.phreaks.fr
Apparently, navigating to a javascript: URL returning a string will write it as HTML to the DOM. This allows for an interesting XSS payload:
x.com/icesfont2/st...
Check out the blog post for a full writeup and some other cool stuff :)
bsky.app/profile/jori...
My challenge has been out for about a week with only one half-intended solution, so here's my solution!
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
I have to say that I'm impressed by how @xbow.com managed to identify this SSRF vulnerability (and bypass a MIME filter on its way).
Earlier this year, Assetnote's Security Research team discovered a vulnerability in Sitecore XP (CVE-2024-46938) that can lead to pre-authentication RCE.
Order of operations bugs are one of my favorite types of bugs :) Write up and exploit script here: assetnote.io/resources/re...
Nice idea, I would love to be on the list!
P1/3: DomPurify & Bootstrap n-days + Frontend tricks Ft. @geluchat.bsky.social @mizu.re
www.youtube.com/watch?v=fnYS...
I've just published 'Smashing the state machine: the true potential of web race conditions'! Dive in to arm yourself with novel techniques & tooling, and help reshape this attack class:
portswigger.net/research/smashing-the-st...
Hello World \o/