Fun parser differential to fallback SVG sanitizer bypass: github.com/freescout-he...

WebSockets are not yet affected by Local Network Access permission in Chrome. Check out this blog post from my colleague Robbe! www.aikido.dev/blog/storybo...

XSS on a password manager, about the scariest impact you can have... github.com/aliasvault/a... Luckily it was fixed super quick! Here's a simple script you can use to send raw HTML in emails. I think a lot more clients will benifit from sanitizer testing. gist.github.com/JorianWoltje...

Software can now secure itself. → www.aikido.dev/attack/infin...

Just a few days later, there's the next blog post for @aikidosecurity.bsky.social! Another framework-level vulnerability this time affecting Astro, resulting in SSRF if an unvalidated connection can be made to the webserver. Read the details here: www.aikido.dev/blog/astro-f...

My first disclosed vulnerability since joining @aikidosecurity.bsky.social, and it's a banger! SvelteKit + Vercel = Cache Deception. This shows how AI agents can find framework-level vulnerabilities, and that caching will continue to cause headaches. Enjoy :) www.aikido.dev/blog/sveltes...

Had a fun XSS gadget chain with antoniusblock on a real world target, he made an awesome writeup: blog.antoniusblock.net/posts/dom-cl...

Every year I look through this list with amazement for what all the people came up with. This year I suddenly saw my own article nominated, not 1 but 2! 🤩 1. "Nonce CSP bypass using Disk Cache" on my blog 2 "Stopping Redirects" with @ctbbpodcast.bsky.social Go vote! portswigger.net/polls/top-10...

I made a shorter writeup for the CatGPT challenge during hxp CTF at 39C3! It featured a cool combination of JavaScript injections to escape our context and fix the remaining syntax. Check it out: jorianwoltjer.com/blog/p/ctf/h...

Just arrived at #39c3, shoot me a DM if you wanna meet! 😄

Here is my writeup of Intigriti's December XSS challenge. It consisted of 6 smaller challenges combining into a big 1-click exploit. One of the most fun ones I've ever played. Loved the unique format by @renwax23.bsky.social! jorianwoltjer.com/blog/p/ctf/i...

There's a new post on the Critical Research Lab! I've seen a lot of questions and fun tricks related to this subject recently so I hope this helps answer some of them. Enjoy! lab.ctbb.show/research/sto...

my new blogpost is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3 lyra.horse/blog/2025/12...

Really interesting technique from a local CTF. In gunicorn with --proxy-protocol --proxy-allow-from='*', the "Proxy Protocol" (github.com/haproxy/hapr...) allows you to spoof the source IP with a PROXY prefix like this! I feel like it might be useful as impact in Request Tunneling👀

For the people who don't have time to read this entire thing, here are the coolest tricks I mentioned 😄: (1/5)

Follow your rabbit holes is the takeaway from my latest CTF writeup. I found several interesting techniques that can help tricky situations, such as using the Connection Pool to make Client-Side Race Conditions easier! Read the whole thing on my blog: jorianwoltjer.com/blog/p/ctf/o...

I posted 2 more small articles to the Critical Thinking Research Lab: * Nonce CSS leak in MathML: lab.ctbb.show/research/lea... * HTML fun facts: lab.ctbb.show/research/htm...

My first post for the @ctbbpodcast.bsky.social Research Lab is live. Super excited to be part of this team, can't wait to see what crazy research is gonna come from this! lab.ctbb.show/research/Exp...

AMAZING technique by @salvatoreabello, I've been inspired by the connection pool exploits he comes up with. Check out this crazy impact labeled as "working as intended": blog.babelo.xyz/posts/cross-...

While playing a challenge by Salvatore Abello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP. All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should be iframable.

@omidxrz.bsky.social shared this nice postMessage() challenge some time ago. I'm a bit late, but worth trying if you haven't already :D Otherwise, my solution is below, it's a really fun technique that makes me re-evaluate all the .source checks I've seen before...

The last Intigriti challenge by @0xblackbird was a fun combination of SSRF to RCE using a surprisingly exploitable pitfall in NextJS middleware. Check out my writeup below: jorianwoltjer.com/blog/p/ctf/i...

#bugbountytips Template Injection payload list: {{7*7}} ${7*7}} 49 <%=7*7%>

I made a hard @intigriti.com XSS challenge this July 😅 But, it involves some very interesting Mutation XSS & DOM Clobbering fun combined with a CSP Bypass using the powerful SocketIO gadget. Everything's explained in my writeup below! jorianwoltjer.com/blog/p/ctf/i...

Here's my writeup the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so included some details about different scenario's. Don't let that HTML-injection of yours wait! jorianwoltjer.com/blog/p/resea...

Just found an interesting way to bypass some nonce-based CSPs and made a small XSS challenge with an exploitable scenario. See if you can find it before I tell! Source JS: gist.github.com/JorianWoltje... URL: greeting-chall.jorianwoltjer.com Found a solution? Please DM to avoid spoilers, thanks!

This is a Public Service Announcement to all client-side challenge authors: *XSS on any localhost origin makes RCE possible on selenium!*

This month @ToG gave us an unusual, but very cool challenge. It required some messing with a headless browser via Arbitrary File Write, and then to use a little-known Chromedriver CSRF → RCE trick. A must-know for challenge-cheesers like myself! jorianwoltjer.com/blog/p/ctf/i...

Many great techniques covered in this writeup by @rewhile for different cheesy 🧀 strategies and client-side fun. Show them some love! I promise you'll learn something new: t.co/hox8lncSEN

Small tip for the JavaScript reverse engineers out there, Chrome has a `debug()` function which triggers a breakpoint whenever its first argument is called. It even works on built-in methods, no more wrapping stuff in proxies :D debug(DOMParser.prototype.parseFromString)

Just pushed a new frontend for my site, and a new post! This one's about an tricky file write vulnerability on Windows in OBS. By crafting an image with very specific pixels, we can plant a backdoor on your PC all from an attacker's site by misconfiguring: jorianwoltjer.com/blog/p/resea...

JavaScript HTML templating framework in 153 bytes: t=(S,...V)=>(e=$=>$?._?$:$?.map?$.map(e).join``:($+'').replace(/[&"'<>]/g,c=>`&#${c.charCodeAt()};`),(o=Object(S.reduce((a,p,i)=>a+e(V[i-1])+p)))._=1,o);

Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing. Here's a flexible PoC: jorianwoltjer.com/blog/p/hacki...

This includes a fun trick with User Activation. It can be used to detect when actions like shortcuts and clicks happen inside cross-origin iframes:

The legendary @joaxcar.bsky.social made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx. Check out the writeup below: jorianwoltjer.com/blog/p/hacki...

While collecting some HTML-Injection techniques, I thought of an interesting way to abuse existing <form>s when XSS isn't an option. You can inject <input>s with form= pointing to the form's id= to add params, and make a <button> with form= and formaction= to change its action.

Servers listening on 127.0.0.1 are often still vulnerable to DNS Rebinding in the browser. Not many people know this and it blew my mind when I first found out about it 🤯 Check out the writeup below for details on how we could interact with local servers to exploit functionality

(Already posted this on X but) WE HACKED THE MODEL CONTEXT PROTOCOL!! Check out the writeup, chat: blog.jaisal.dev/articles/mcp

Me and @jaisal.dev wanted to hack MCP servers, but *not* from an LLM's perspective. Looking at alternative ways to interact with the functionality and the tools around it. We found many client-side issues and discovered scary internet-exposed servers! blog.jaisal.dev/articles/mcp

Helping organize a CTF at my local BSides was soooo much fun, meeting the people who play your challenges. Would highly recommend to anyone to help out any such event in their area, either as a speaker or just by hosting something there :D

While listening to the @ctbbpodcast.bsky.social, I discovered that my own blog was vulnerable to Cache Deception! It would have allowed anyone to send me a link and then retrieve all hidden posts. This sent me down a caching deep dive, check out the details here: jorianwoltjer.com/blog/p/codin...

it's finally time... this is css clicker, a fully-featured incremental game where your goal is to design your own personal website and get as many views on it as possible the fun part? it's a pure-css game, meaning it runs no javascript or server-side code. have fun! lyra.horse/css-clicker/

This month, @0x999.net made an awesome and difficult Intigriti XSS challenge. I really enjoyed the openness of this challenge resulting in an unintended solution and the first solve 🩸! Check out how I got there in my writeup below: jorianwoltjer.com/blog/p/hacki...

⏰ It's CHALLENGE O'CLOCK! 👉 Find the FLAG before Monday the 30th March 👉 Win €400 in SWAG prizes 👉 We'll release a tip for every 50 likes on this tweet Thanks @0x999.net for the challenge 👇 challenge-0325.intigriti.io

@renwax23.bsky.social made an interesting challenge (x.com/RenwaX23/sta...). Instead of right-click and open in new tab, I found you can also use drag-and-drop into a popup window to achieve the same effect! With CSS you can make it convincing like clickjacking: gist.github.com/JorianWoltje...

Here's a way to exploit `eval(name)` on Firefox without user interaction:

Inspired by x.com/PaulosYibelo, I thought about what improvements I could make to trick users into pressing buttons that perform sensitive actions. Finding some vulnerable targets along the way! Read the details in my latest blog post below: jorianwoltjer.com/blog/p/hacki...

I recently found a pretty interesting attack on a friend's website where the `Link:` response header was automatically set to the requested path:

I'm very happy to finally share the second part of my DOMPurify security research 🔥 This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)! Link 👇 mizu.re/post/explori... 1/2

During #x3ctf, I discovered an unintended solution that turned out to be a pretty cool generic technique. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests! Check out the writeup below: jorianwoltjer.com/blog/p/ctf/x...