Really interesting technique from a local CTF. In gunicorn with --proxy-protocol --proxy-allow-from='*', the "Proxy Protocol" (github.com/haproxy/hapr...) allows you to spoof the source IP with a PROXY prefix like this! I feel like it might be useful as impact in Request Tunneling👀

For the people who don't have time to read this entire thing, here are the coolest tricks I mentioned 😄: (1/5)

Follow your rabbit holes is the takeaway from my latest CTF writeup. I found several interesting techniques that can help tricky situations, such as using the Connection Pool to make Client-Side Race Conditions easier! Read the whole thing on my blog: jorianwoltjer.com/blog/p/ctf/o...

I posted 2 more small articles to the Critical Thinking Research Lab: * Nonce CSS leak in MathML: lab.ctbb.show/research/lea... * HTML fun facts: lab.ctbb.show/research/htm...

My first post for the @ctbbpodcast.bsky.social Research Lab is live. Super excited to be part of this team, can't wait to see what crazy research is gonna come from this! lab.ctbb.show/research/Exp...

AMAZING technique by @salvatoreabello, I've been inspired by the connection pool exploits he comes up with. Check out this crazy impact labeled as "working as intended": blog.babelo.xyz/posts/cross-...

While playing a challenge by Salvatore Abello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP. All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should be iframable.

@omidxrz.bsky.social shared this nice postMessage() challenge some time ago. I'm a bit late, but worth trying if you haven't already :D Otherwise, my solution is below, it's a really fun technique that makes me re-evaluate all the .source checks I've seen before...

The last Intigriti challenge by @0xblackbird was a fun combination of SSRF to RCE using a surprisingly exploitable pitfall in NextJS middleware. Check out my writeup below: jorianwoltjer.com/blog/p/ctf/i...

#bugbountytips Template Injection payload list: {{7*7}} ${7*7}} 49 <%=7*7%>

I made a hard @intigriti.com XSS challenge this July 😅 But, it involves some very interesting Mutation XSS & DOM Clobbering fun combined with a CSP Bypass using the powerful SocketIO gadget. Everything's explained in my writeup below! jorianwoltjer.com/blog/p/ctf/i...

Here's my writeup the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so included some details about different scenario's. Don't let that HTML-injection of yours wait! jorianwoltjer.com/blog/p/resea...

Just found an interesting way to bypass some nonce-based CSPs and made a small XSS challenge with an exploitable scenario. See if you can find it before I tell! Source JS: gist.github.com/JorianWoltje... URL: greeting-chall.jorianwoltjer.com Found a solution? Please DM to avoid spoilers, thanks!

This is a Public Service Announcement to all client-side challenge authors: *XSS on any localhost origin makes RCE possible on selenium!*

This month @ToG gave us an unusual, but very cool challenge. It required some messing with a headless browser via Arbitrary File Write, and then to use a little-known Chromedriver CSRF → RCE trick. A must-know for challenge-cheesers like myself! jorianwoltjer.com/blog/p/ctf/i...

Many great techniques covered in this writeup by @rewhile for different cheesy 🧀 strategies and client-side fun. Show them some love! I promise you'll learn something new: t.co/hox8lncSEN

Small tip for the JavaScript reverse engineers out there, Chrome has a `debug()` function which triggers a breakpoint whenever its first argument is called. It even works on built-in methods, no more wrapping stuff in proxies :D debug(DOMParser.prototype.parseFromString)

Just pushed a new frontend for my site, and a new post! This one's about an tricky file write vulnerability on Windows in OBS. By crafting an image with very specific pixels, we can plant a backdoor on your PC all from an attacker's site by misconfiguring: jorianwoltjer.com/blog/p/resea...

JavaScript HTML templating framework in 153 bytes: t=(S,...V)=>(e=$=>$?._?$:$?.map?$.map(e).join``:($+'').replace(/[&"'<>]/g,c=>`&#${c.charCodeAt()};`),(o=Object(S.reduce((a,p,i)=>a+e(V[i-1])+p)))._=1,o);

Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing. Here's a flexible PoC: jorianwoltjer.com/blog/p/hacki...

This includes a fun trick with User Activation. It can be used to detect when actions like shortcuts and clicks happen inside cross-origin iframes:

The legendary @joaxcar.bsky.social made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx. Check out the writeup below: jorianwoltjer.com/blog/p/hacki...

While collecting some HTML-Injection techniques, I thought of an interesting way to abuse existing <form>s when XSS isn't an option. You can inject <input>s with form= pointing to the form's id= to add params, and make a <button> with form= and formaction= to change its action.

Servers listening on 127.0.0.1 are often still vulnerable to DNS Rebinding in the browser. Not many people know this and it blew my mind when I first found out about it 🤯 Check out the writeup below for details on how we could interact with local servers to exploit functionality

(Already posted this on X but) WE HACKED THE MODEL CONTEXT PROTOCOL!! Check out the writeup, chat: blog.jaisal.dev/articles/mcp

Me and @jaisal.dev wanted to hack MCP servers, but *not* from an LLM's perspective. Looking at alternative ways to interact with the functionality and the tools around it. We found many client-side issues and discovered scary internet-exposed servers! blog.jaisal.dev/articles/mcp

Helping organize a CTF at my local BSides was soooo much fun, meeting the people who play your challenges. Would highly recommend to anyone to help out any such event in their area, either as a speaker or just by hosting something there :D

While listening to the @ctbbpodcast.bsky.social, I discovered that my own blog was vulnerable to Cache Deception! It would have allowed anyone to send me a link and then retrieve all hidden posts. This sent me down a caching deep dive, check out the details here: jorianwoltjer.com/blog/p/codin...

it's finally time... this is css clicker, a fully-featured incremental game where your goal is to design your own personal website and get as many views on it as possible the fun part? it's a pure-css game, meaning it runs no javascript or server-side code. have fun! lyra.horse/css-clicker/

This month, @0x999.net made an awesome and difficult Intigriti XSS challenge. I really enjoyed the openness of this challenge resulting in an unintended solution and the first solve 🩸! Check out how I got there in my writeup below: jorianwoltjer.com/blog/p/hacki...

⏰ It's CHALLENGE O'CLOCK! 👉 Find the FLAG before Monday the 30th March 👉 Win €400 in SWAG prizes 👉 We'll release a tip for every 50 likes on this tweet Thanks @0x999.net for the challenge 👇 challenge-0325.intigriti.io

@renwax23.bsky.social made an interesting challenge (x.com/RenwaX23/sta...). Instead of right-click and open in new tab, I found you can also use drag-and-drop into a popup window to achieve the same effect! With CSS you can make it convincing like clickjacking: gist.github.com/JorianWoltje...

Here's a way to exploit `eval(name)` on Firefox without user interaction:

Inspired by x.com/PaulosYibelo, I thought about what improvements I could make to trick users into pressing buttons that perform sensitive actions. Finding some vulnerable targets along the way! Read the details in my latest blog post below: jorianwoltjer.com/blog/p/hacki...

I recently found a pretty interesting attack on a friend's website where the `Link:` response header was automatically set to the requested path:

I'm very happy to finally share the second part of my DOMPurify security research 🔥 This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)! Link 👇 mizu.re/post/explori... 1/2

During #x3ctf, I discovered an unintended solution that turned out to be a pretty cool generic technique. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests! Check out the writeup below: jorianwoltjer.com/blog/p/ctf/x...

We all use tools while pentesting, but what if these tools are vulnerable themselves? We found multiple high vulnerabilities in PwnDoc and its libraries docx-templater & angular-expressions. My favorites are the JavaScript templating sandbox escape tricks! warpnet.nl/blog/pwneddo...

My colleague is organizing the first ever BSides in Groningen, Netherlands! This is a community-driven event taking place May 2nd. If you have a cool story or piece of research for a talk and want to attend, be sure to submit to the Call for Presentations: sessionize.com/bsidesgrunn/

I loved playing with team Superflat during the IrisCTF 2025 last weekend, where we ended up in 4th place. The challenge I enjoyed most was about a cool DNS Rebinding technique with a cache, and learning some Java/Kotlin along the way! jorianwoltjer.com/blog/p/ctf/i...

Just arrived at #38C3, just as excited as I was last year 🙌

Have you tried my december XSS challenge? The solution's public now in this writeup! It includes two vulnerabilities in CodeIgniter that abuse the cache storage format and bypass its builtin XSS filter. Merry Christmas! 🎄

Today is the last day of the Intigriti December challenge 🎄 As a final hint, we'll give you our plan to save Christmas! 👀 First, look into this mysterious "cache" to find an escape route. Only then will you need to dodge the traps using a "mutation" of your own, to grant that sweet XSS 🎅

Got sniped into the challenge and ended up doing some cool XSS research :D 11 char XSS with mind-boggling race-conditions. TL;DR the final payload is location=x (10 chars) and the longest is top.Z.x=x.d (11 char) It's shorter than location=name !! terjanq.me/solutions/jo...

I made an XSS challenge for Intigriti this month, good luck and have fun! x.com/intigriti/st...

Apparently, navigating to a javascript: URL returning a string will write it as HTML to the DOM. This allows for an interesting XSS payload: x.com/icesfont2/st...

My challenge has been out for about a week with only one half-intended solution, so here's my solution!

To summarize what I have learned about Mutation XSS, my CVE, and the solution to my challenge, I wrote a post going through it all. If you like regular XSS, this is a whole new world of crazy techniques and many sanitizer bypasses. You too can learn this! jorianwoltjer.com/blog/p/hacki...

I've been closely following the awesome Mutation XSS research that's been coming out, and have found some tricks of my own. Below is a challenge from me to you. This code removes comments, dangerous text nodes and all attributes. Bypass the filter to achieve XSS. Good luck!