
Posts by Kévin Gervot (Mizu)

All the other challenge write-ups (not just web) are available in the #writeup channel of the CTF Discord server:

discord.gg/rwZY6hh8z8

Btw, all the challenges have also been (will be) added to hackropole.fr! 🚩

2/2

1 week ago

The #FCSC2026 ended today, and my write-ups are now available here:

mizu.re/post/fcsc-20... 🚩

I'm really happy with the challenges I managed to create this year! It would be too long to list everything, so here's a little teaser below 👇

1/2

1 week ago

I'm happy to release the first version of my DOMLogger++ plugin for @caido.io! 🔎

It improves the browser extension in several ways:
• Persistent, per-project storage
• Temporary session recording
• AI support
• Stack trace reconstitution
• ...

👉 github.com/kevin-mizu/d...

1 week ago

A quick update has been made to DOMLogger++ to add / update a few things. It's not a big deal, but it should allow interesting stuff to be done :)

It should be available on the stores in the coming hours.

5 months ago
Exploiting Web Worker XSS with Blobs: Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API

My first post for the @ctbbpodcast.bsky.social Research Lab is live.
Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...

7 months ago

For the @ASIS_CTF, I created a challenge based on an interesting (novel?) DOM Clobbering technique! 🚩

In short, in non-strict mode, HTMLCollection items are not writable. This blocks property assignment, allowing unexpected values to be created 😄

👉 mizu.re/post/under-t...

7 months ago
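As an added illustration of the sloppy-mode behaviour described in the post above (this is a constructed demo page, not code from the post or the challenge; the ids, names and URLs are made up): two elements sharing an id turn `window.cfg` into an HTMLCollection, and the second element's `name` attribute becomes a named property of that collection. Because HTMLCollection has no named property setter, assigning to an existing named property fails, silently in non-strict code and with a TypeError in strict code, so a "default if unset" pattern keeps the attacker-controlled element.

```html
<!-- Constructed demo page (not from the original post). Two elements with the
     same id make window.cfg an HTMLCollection; the second element's name
     attribute becomes a named property of that collection. Made-up ids/URLs. -->
<!DOCTYPE html>
<a id="cfg"></a>
<a id="cfg" name="scriptUrl" href="https://attacker.example/evil.js">clobber</a>

<script>
  // Non-strict script: the usual "use the existing config or a fresh object" pattern.
  // (A different variable name is used on purpose: `var cfg` would create an own
  // window property that shadows the DOM-backed named property.)
  const clobbered = window.cfg || {};            // HTMLCollection is truthy, so no fresh object

  clobbered.scriptUrl = "https://cdn.example/app.js";
  // "scriptUrl" is a supported named property of the collection and HTMLCollection
  // has no named setter, so in non-strict mode this assignment is a silent no-op.

  console.log(clobbered.scriptUrl instanceof HTMLAnchorElement); // true
  console.log(String(clobbered.scriptUrl));      // https://attacker.example/evil.js
  // (an <a> element stringifies to its href, which is what a later
  //  `script.src = config.scriptUrl` style sink would receive)

  // The same assignment in strict mode throws instead of failing silently.
  (function () {
    "use strict";
    try {
      clobbered.scriptUrl = "https://cdn.example/app.js";
    } catch (e) {
      console.log(e.name); // TypeError
    }
  })();

  // A name that is NOT an id/name of any element in the collection can still be
  // added as an ordinary own property, so only the clobbered keys are "stuck".
  clobbered.other = "ok";
  console.log(clobbered.other); // ok
</script>
```

Load the page in a browser and read the console; a strict-mode script, or a `Object.prototype.hasOwnProperty`/`instanceof Element` check before trusting `window.cfg`, is what stops this pattern.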
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes. Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

7 months ago

Small teaser for Caido users :)

2/2

7 months ago

DOMLogger++ v1.0.9 is now out and available! 🎉

This update fixes a lot of issues, including the historical DevTools bug on Chromium 🔥

It also brings full Caido session handling, which is going to be useful in the near future! 👀

👉 github.com/kevin-mizu/d...

1/2

7 months ago
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2). Tags: Article, Web, mXSS

I was keeping this one for myself for a while, but after several discussions at DefCon I thought it would be nice to share it now :)

Btw! If you wonder how this could be abused, I recommend looking at: mizu.re/post/explori... 😉

3/3

7 months ago

For example, using this configuration, it is possible to retrieve the @masatokinugawa.bsky.social CVEs in TinyMCE.

👉 subdomain1.portswigger-labs.net/xss/xss.php?...

2/3

7 months ago

I've released a DOMLogger++ config that helps detect any replacements occurring in a DOMPurify output by inserting and tracking a canary value at runtime.

I think it highlights how useful DOMLogger++ can be for tracking JS execution :D

👉 github.com/kevin-mizu/d...

1/3

7 months ago
HTTP/1.1 Must Die: Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

8 months ago

This is still v1, there's lots to improve and many gadgets to add.

If you'd like to contribute or have any feedback, please don't hesitate to reach out 😁

4/4

8 months ago

Each library page includes:

* Affected versions
* A short description
* Root cause of the gadget
* Related links
* Credit to the discoverer
* And even a preview button to play with the gadget live!

3/4

8 months ago

The wiki lets you filter gadgets by browser, tags, attributes, CSP, and timing, making it as easy as possible to find interesting vectors (at least I hope so!) 🔎

2/4

8 months ago

I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4

8 months ago
Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter. After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.

Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...

9 months ago

I've released my CTF bot template! :D

It's not a big deal, but it comes with a heavily hardened Docker setup. The bot also sends a lot of debugging information over the TCP socket (console logs, navigation), which makes remote debugging much easier! 🔎

👉 github.com/kevin-mizu/b...

10 months ago
Confetti: Solution to my Intigriti May 2025 XSS Challenge - Johan Carlsson

Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall

joaxcar.com/blog/2025/05...

11 months ago

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓

11 months ago

Think you’ve seen every OS command injection trick?
Think again, read our latest blog post!
Link in the comments👇

11 months ago

Oops, thank you 🙏

11 months ago
Join the FCSC & Hackropole Discord Server! Check out the FCSC & Hackropole community on Discord - hang out with 6259 other members and enjoy free voice and text chat.

All the other challenge write-ups (not just web) are available in the #writeup channel of the CTF Discord server:

discord.gg/rwZY6hh8z8

Thanks again to @ECSC_TeamFrance for the opportunity! 💙

2/2

11 months ago

The #FCSC2025 ended yesterday, and my write-ups are now available here 👇

mizu.re/post/fcsc-2025…

Btw, like every year, all the challenges have also been added to hackropole.fr! 🚩

1/2

11 months ago
Making the Unexploitable Exploitable with X-Mixed-Replace on Firefox - The Spanner. In this post, we’ll look at an interesting difference in how Firefox and Chrome handle the multipart/x-mixed-replace content type. While Chrome treats it as an image, Firefox renders it as HTML - some...

Firefox treats multipart/x-mixed-replace like HTML. Chrome doesn’t.
That tiny difference? It can turn a "non-exploitable" XSS into a real one.
Abuse boundary handling, bypass filters, and make your payload land.

thespanner.co.uk/making-the-u...

11 months ago

This year again, with @bi.tk, we've made the Web challenges 🚩

The CTF is solo and lasts 10 days, if you have some time, please give it a look 😁

Btw, even if you're not doing Web challenges, there are 100+ challenges in various categories, you should find something you like!

1 year ago
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls (YouTube video by Black Hat)

🔥 My Black Hat talk is now live! 🎥

Watch how email parsing quirks turned into RCE in Joomla and critical access control bypasses across major platforms. See how these subtle flaws led to serious exploits!

www.youtube.com/watch?v=Uky4...

1 year ago
SAML roulette: the hacker always wins. In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library

You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.

portswigger.net/research/sam...

1 year ago

For this challenge, it was necessary to abuse a discrepancy between the DOM and the rendered page in Firefox's cache handling 💽

👉 bugzilla.mozilla.org/show_bug.cgi...

This allows shifting iframe rendering from one to another, leading to a sandbox bypass 🔥

👉 mizu.re/post/an-18-y...

1 year ago