Jorian
@jorianwoltjer.com
π€ 334
π₯ 103
π 94
Normalize being weird.
Thanks
@cryptocat.me
for inviting me to my first ever podcast! Check out the section at 29:36 π
add a skeleton here at some point
4 days ago
0
3
0
Happy to have made some web chllaenges for Plfanzen CTF. The evetn runs next weekend, cehck it out!
plfanzen.lol
loading . . .
plfanzen
https://plfanzen.lol
9 days ago
0
0
1
Cool exploit with
@0x999.net
: He found that \x7F breaks Chrome's "Copy as cURL (cmd)" command parsing in Windows Console Host. In combination with a ", it allowed you to add any arguments to curl. With -o writing files is easy, but we need the username for the startup path... (1/2)
18 days ago
1
6
1
We tested another mail client, Roundcube this time. The agents found a Stored Self-XSS vulnerability that could really only be exploited with Cookie Tossing. Scary for password reset tokens... Blog post below:
www.aikido.dev/blog/roundcu...
loading . . .
Roundcube XSS chained with cookie tossing for full inbox access
We found a stored XSS in Roundcube's draft attachment endpoint that, chained with a cookie tossing technique, gives an attacker full access to a victim's inbox. Here's how the exploit chain works and ...
https://www.aikido.dev/blog/roundcube-xss-cookie-tossing
20 days ago
0
4
1
New blog post is out! A few vulnerabilities in Mailcow. A critical unauthenticated XSS, and another interesting Self-XSS escalation involving a Login CSRF with a leftover tab. Check it out:
www.aikido.dev/blog/xss-vul...
loading . . .
Multiple XSS Vulnerabilities Found in Mailcow, Including Unauthenticated Account Takeover
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
https://www.aikido.dev/blog/xss-vulnerabilities-in-mailcow
24 days ago
0
1
1
Fun parser differential to fallback SVG sanitizer bypass:
github.com/freescout-he...
loading . . .
Stored XSS through SVG file upload with filter bypass
### Summary Bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of `.png` with content type of `imag...
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw
about 2 months ago
0
3
2
WebSockets are not yet affected by Local Network Access permission in Chrome. Check out this blog post from my colleague Robbe!
www.aikido.dev/blog/storybo...
loading . . .
How Storybook's WebSocket Server Became a Supply Chain Attack Vector: CVE-2026-27148
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.
https://www.aikido.dev/blog/storybooks-websockets-attack
2 months ago
0
4
0
XSS on a password manager, about the scariest impact you can have...
github.com/aliasvault/a...
Luckily it was fixed super quick! Here's a simple script you can use to send raw HTML in emails. I think a lot more clients will benifit from sanitizer testing.
gist.github.com/JorianWoltje...
loading . . .
Cross-Site Scripting (XSS) via Email HTML Rendering
## Impact A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an ali...
https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f65p-p65r-g53q
2 months ago
0
1
1
reposted by
Jorian
aikido | no bullsh*t security for devs
2 months ago
Software can now secure itself. β
www.aikido.dev/attack/infin...
loading . . .
1
3
1
Just a few days later, there's the next blog post for
@aikidosecurity.bsky.social
! Another framework-level vulnerability this time affecting Astro, resulting in SSRF if an unvalidated connection can be made to the webserver. Read the details here:
www.aikido.dev/blog/astro-f...
loading . . .
Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545)
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full inte...
https://www.aikido.dev/blog/astro-full-read-ssrf-via-host-header-injection
3 months ago
0
1
0
My first disclosed vulnerability since joining
@aikidosecurity.bsky.social
, and it's a banger! SvelteKit + Vercel = Cache Deception. This shows how AI agents can find framework-level vulnerabilities, and that caching will continue to cause headaches. Enjoy :)
www.aikido.dev/blog/sveltes...
loading . . .
SvelteSpill: Critical Cache Deception Bug in SvelteKit + Vercel
SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if youβre vulnera...
https://www.aikido.dev/blog/sveltespill-cache-deception-sveltekit-vercel
3 months ago
1
7
1
Had a fun XSS gadget chain with antoniusblock on a real world target, he made an awesome writeup:
blog.antoniusblock.net/posts/dom-cl...
loading . . .
A CTF-Style XSS Chain in the Wild: DOM Clobbering, Gadgets, and CSP Bypass
A bug bounty target that unexpectedly felt like a CTF. What began as simple recon turned into a nice chain of discoveries that ultimately led to a valid XSS
https://blog.antoniusblock.net/posts/dom-clobbering-xss/
3 months ago
0
9
2
Every year I look through this list with amazement for what all the people came up with. This year I suddenly saw my own article nominated, not 1 but 2! π€© 1. "Nonce CSP bypass using Disk Cache" on my blog 2 "Stopping Redirects" with
@ctbbpodcast.bsky.social
Go vote!
portswigger.net/polls/top-10...
loading . . .
Top 10 web hacking techniques of 2025
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.
https://portswigger.net/polls/top-10-web-hacking-techniques-2025
4 months ago
0
3
0
I made a shorter writeup for the CatGPT challenge during hxp CTF at 39C3! It featured a cool combination of JavaScript injections to escape our context and fix the remaining syntax. Check it out:
jorianwoltjer.com/blog/p/ctf/h...
loading . . .
hxpCTF 2025 - CatGPT | Jorian Woltjer
The hardest web challenge during 39C3's hxp CTF. Auditing RegExes in a PHP library to uncover small gadgets that allow escaping and fixing a JavaScript context.
https://jorianwoltjer.com/blog/p/ctf/hxpctf-2025-catgpt
4 months ago
0
5
1
Just arrived at
#39c3
, shoot me a DM if you wanna meet! π
5 months ago
0
1
1
Here is my writeup of Intigriti's December XSS challenge. It consisted of 6 smaller challenges combining into a big 1-click exploit. One of the most fun ones I've ever played. Loved the unique format by
@renwax23.bsky.social
!
jorianwoltjer.com/blog/p/ctf/i...
loading . . .
Intigriti December XSS Challenge (1225) | Jorian Woltjer
A unique 6-part challenge by @Renwa containing many interesting techniques that combine into one large exploit. Learn some HTML/JavaScript quirks, an XS-Leak and how to minimize user interaction
https://jorianwoltjer.com/blog/p/ctf/intigriti-xss-challenge/1225
5 months ago
0
3
1
There's a new post on the Critical Research Lab! I've seen a lot of questions and fun tricks related to this subject recently so I hope this helps answer some of them. Enjoy!
lab.ctbb.show/research/sto...
loading . . .
Stopping Redirects
Interesting ways to stop redirects of another site in the browser for use in OAuth and exploits requiring interaction
https://lab.ctbb.show/research/stopping-redirects
5 months ago
0
1
0
reposted by
Jorian
Rebane
5 months ago
my new blogpost is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3
lyra.horse/blog/2025/12...
loading . . .
SVG Filters - Clickjacking 2.0
A novel and powerful twist on an old classic.
https://lyra.horse/blog/2025/12/svg-clickjacking/
8
182
55
Really interesting technique from a local CTF. In gunicorn with --proxy-protocol --proxy-allow-from='*', the "Proxy Protocol" (
github.com/haproxy/hapr...
) allows you to spoof the source IP with a PROXY prefix like this! I feel like it might be useful as impact in Request Tunnelingπ
6 months ago
1
3
0
For the people who don't have time to read this entire thing, here are the coolest tricks I mentioned π: (1/5)
add a skeleton here at some point
7 months ago
1
3
1
Follow your rabbit holes is the takeaway from my latest CTF writeup. I found several interesting techniques that can help tricky situations, such as using the Connection Pool to make Client-Side Race Conditions easier! Read the whole thing on my blog:
jorianwoltjer.com/blog/p/ctf/o...
loading . . .
openECSC 2025 - kittychat-secure | Jorian Woltjer
Overcomplicating a hard client-side web challenge involving complex CSP script gadgets. Exploit Math.random() predictability, and learn how to use the Connection Pool to make Race Conditions easier.
https://jorianwoltjer.com/blog/p/ctf/openecsc-2025-kittychat-secure
7 months ago
0
3
4
I posted 2 more small articles to the Critical Thinking Research Lab: * Nonce CSS leak in MathML:
lab.ctbb.show/research/lea...
* HTML fun facts:
lab.ctbb.show/research/htm...
loading . . .
Leaking CSP nonces with CSS & MathML
By dangling a tag in HTML, leaking nonce attributes via CSS is possible again!
https://lab.ctbb.show/research/leaking-csp-nonces-css-mathml
7 months ago
0
5
1
My first post for the
@ctbbpodcast.bsky.social
Research Lab is live. Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...
loading . . .
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
https://lab.ctbb.show/research/Exploiting-web-worker-XSS-with-blobs
8 months ago
0
9
3
AMAZING technique by @salvatoreabello, I've been inspired by the connection pool exploits he comes up with. Check out this crazy impact labeled as "working as intended":
blog.babelo.xyz/posts/cross-...
8 months ago
0
6
3
While playing a challenge by Salvatore Abello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP. All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should be iframable.
8 months ago
2
1
0
@omidxrz.bsky.social
shared this nice postMessage() challenge some time ago. I'm a bit late, but worth trying if you haven't already :D Otherwise, my solution is below, it's a really fun technique that makes me re-evaluate all the .source checks I've seen before...
8 months ago
1
3
0
The last Intigriti challenge by @0xblackbird was a fun combination of SSRF to RCE using a surprisingly exploitable pitfall in NextJS middleware. Check out my writeup below:
jorianwoltjer.com/blog/p/ctf/i...
loading . . .
Intigriti August RCE Challenge (0825) | Jorian Woltjer
A challenge to achieve RCE through SSRF by @0xblackbird, involving an interesting NextJS middleware pitfall. We build a clean proxy for it and find some extra vulnerabilities along the way.
https://jorianwoltjer.com/blog/p/ctf/intigriti-xss-challenge/0825?2
9 months ago
0
10
1
#bugbountytips
Template Injection payload list: {{7*7}} ${7*7}} 49 <%=7*7%>
9 months ago
3
3
1
I made a hard
@intigriti.com
XSS challenge this July π But, it involves some very interesting Mutation XSS & DOM Clobbering fun combined with a CSP Bypass using the powerful SocketIO gadget. Everything's explained in my writeup below!
jorianwoltjer.com/blog/p/ctf/i...
loading . . .
Intigriti July XSS Challenge (0725) | Jorian Woltjer
My author's writeup of the July 2025 challenge. Perform Mutation XSS to DOM Clobber an change the insertion point into an iframe, then bypass the CSP using a new useful Socket.IO gadget
https://jorianwoltjer.com/blog/p/ctf/intigriti-xss-challenge/0725
10 months ago
0
7
1
Here's my writeup the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so included some details about different scenario's. Don't let that HTML-injection of yours wait!
jorianwoltjer.com/blog/p/resea...
loading . . .
Nonce CSP bypass using Disk Cache | Jorian Woltjer
The solution to my small XSS challenge, explaining a new kind of CSP bypass with browser-cached nonces. Leak it with CSS and learn about Disk Cache to safely update your payload
https://jorianwoltjer.com/blog/p/research/nonce-csp-bypass-using-disk-cache
10 months ago
3
15
6
Just found an interesting way to bypass some nonce-based CSPs and made a small XSS challenge with an exploitable scenario. See if you can find it before I tell! Source JS:
gist.github.com/JorianWoltje...
URL:
greeting-chall.jorianwoltjer.com
Found a solution? Please DM to avoid spoilers, thanks!
11 months ago
1
6
2
This is a Public Service Announcement to all client-side challenge authors: *XSS on any localhost origin makes RCE possible on selenium!*
add a skeleton here at some point
11 months ago
0
3
0
This month @ToG gave us an unusual, but very cool challenge. It required some messing with a headless browser via Arbitrary File Write, and then to use a little-known Chromedriver CSRF β RCE trick. A must-know for challenge-cheesers like myself!
jorianwoltjer.com/blog/p/ctf/i...
loading . . .
Intigriti June RCE Challenge (0625) | Jorian Woltjer
A surprising RCE challenge instead of XSS, created by @ToG. I took an unintended approach involving the Preferences file and a chromedriver CSRF RCE issue, a must-know for CTF authors.
https://jorianwoltjer.com/blog/p/ctf/intigriti-xss-challenge/0625
11 months ago
1
3
1
Many great techniques covered in this writeup by @rewhile for different cheesy π§ strategies and client-side fun. Show them some love! I promise you'll learn something new:
t.co/hox8lncSEN
loading . . .
https://rewhile.github.io/posts/smiley-2025/
https://t.co/hox8lncSEN
11 months ago
0
3
0
Small tip for the JavaScript reverse engineers out there, Chrome has a `debug()` function which triggers a breakpoint whenever its first argument is called. It even works on built-in methods, no more wrapping stuff in proxies :D debug(DOMParser.prototype.parseFromString)
11 months ago
0
11
1
Just pushed a new frontend for my site, and a new post! This one's about an tricky file write vulnerability on Windows in OBS. By crafting an image with very specific pixels, we can plant a backdoor on your PC all from an attacker's site by misconfiguring:
jorianwoltjer.com/blog/p/resea...
loading . . .
OBS WebSocket to RCE | Jorian Woltjer
Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an imag...
https://jorianwoltjer.com/blog/p/research/obs-websocket-rce
11 months ago
1
5
2
JavaScript HTML templating framework in 153 bytes: t=(S,...V)=>(e=$=>$?._?$:$?.map?$.map(e).join``:($+'').replace(/[&"'<>]/g,c=>`&#${c.charCodeAt()};`),(o=Object(S.reduce((a,p,i)=>a+e(V[i-1])+p)))._=1,o);
11 months ago
1
15
4
Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing. Here's a flexible PoC:
jorianwoltjer.com/blog/p/hacki...
loading . . .
The Ultimate Double-Clickjacking PoC | Jorian Woltjer
Combing a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to bea...
https://jorianwoltjer.com/blog/p/hacking/ultimate-doubleclickjacking-poc
12 months ago
2
6
2
This includes a fun trick with User Activation. It can be used to detect when actions like shortcuts and clicks happen inside cross-origin iframes:
add a skeleton here at some point
12 months ago
0
4
1
The legendary
@joaxcar.bsky.social
made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx. Check out the writeup below:
jorianwoltjer.com/blog/p/hacki...
loading . . .
Intigriti May XSS Challenge (0525) | Jorian Woltjer
A challenge by @joaxcar with a small but complex XSS chain, hitting DOM Clobbering with a race condition and abusing a cool URL parsing quirk in JavaScript.
https://jorianwoltjer.com/blog/p/hacking/intigriti-xss-challenge/0525
12 months ago
2
12
7
While collecting some HTML-Injection techniques, I thought of an interesting way to abuse existing <form>s when XSS isn't an option. You can inject <input>s with form= pointing to the form's id= to add params, and make a <button> with form= and formaction= to change its action.
about 1 year ago
1
4
0
Servers listening on 127.0.0.1 are often still vulnerable to DNS Rebinding in the browser. Not many people know this and it blew my mind when I first found out about it π€― Check out the writeup below for details on how we could interact with local servers to exploit functionality
add a skeleton here at some point
about 1 year ago
0
1
1
reposted by
Jorian
Atomic
about 1 year ago
(Already posted this on X but) WE HACKED THE MODEL CONTEXT PROTOCOL!! Check out the writeup, chat:
blog.jaisal.dev/articles/mcp
loading . . .
MCP: May Cause Pwnage - Backdoors in Disguise
Yeah I think the title says it all. Jorian and I penetration tested the model context protocol and had some fun breaking it. We ended up hacking a range of things, from cloud infrastructure to crypto
https://blog.jaisal.dev/articles/mcp
0
4
2
Me and
@jaisal.dev
wanted to hack MCP servers, but *not* from an LLM's perspective. Looking at alternative ways to interact with the functionality and the tools around it. We found many client-side issues and discovered scary internet-exposed servers!
blog.jaisal.dev/articles/mcp
loading . . .
MCP: May Cause Pwnage - Backdoors in Disguise
Yeah I think the title says it all. Jorian and I penetration tested the model context protocol and had some fun breaking it. We ended up hacking a range of things, from cloud infrastructure to crypto
https://blog.jaisal.dev/articles/mcp
about 1 year ago
1
8
5
Helping organize a CTF at my local BSides was soooo much fun, meeting the people who play your challenges. Would highly recommend to anyone to help out any such event in their area, either as a speaker or just by hosting something there :D
about 1 year ago
0
1
0
While listening to the
@ctbbpodcast.bsky.social
, I discovered that my own blog was vulnerable to Cache Deception! It would have allowed anyone to send me a link and then retrieve all hidden posts. This sent me down a caching deep dive, check out the details here:
jorianwoltjer.com/blog/p/codin...
loading . . .
Cache Deception on my new site! | Jorian Woltjer
A fun story about discovering my site was vulnerable to Cache Deception, allowing the visit of a link by me to leak all hidden blog posts to an attacker, thanks to URL-decoding and Path Traversals to ...
https://jorianwoltjer.com/blog/p/coding/cache-deception-on-my-new-site
about 1 year ago
1
9
1
reposted by
Jorian
Rebane
about 1 year ago
it's finally time... this is css clicker, a fully-featured incremental game where your goal is to design your own personal website and get as many views on it as possible the fun part? it's a pure-css game, meaning it runs no javascript or server-side code. have fun!
lyra.horse/css-clicker/
loading . . .
CSS Clicker
a pure-CSS idle game where you build your own website
https://lyra.horse/css-clicker/
42
479
221
This month,
@0x999.net
made an awesome and difficult Intigriti XSS challenge. I really enjoyed the openness of this challenge resulting in an unintended solution and the first solve π©Έ! Check out how I got there in my writeup below:
jorianwoltjer.com/blog/p/hacki...
loading . . .
Intigriti March XSS Challenge (0325) | Jorian Woltjer
A hard Cross-Site Scripting challenge chaining small bugs with one very hard step to leak a fragment directive using Self XSS
https://jorianwoltjer.com/blog/p/hacking/intigriti-xss-challenge/0325
about 1 year ago
0
4
2
reposted by
Jorian
Intigriti
about 1 year ago
β° It's CHALLENGE O'CLOCK! π Find the FLAG before Monday the 30th March π Win β¬400 in SWAG prizes π We'll release a tip for every 50 likes on this tweet Thanks
@0x999.net
for the challenge π
challenge-0325.intigriti.io
loading . . .
March Challenge - Intigriti
Find the FLAG and WIN Intigriti swag.
https://challenge-0325.intigriti.io
2
6
3
@renwax23.bsky.social
made an interesting challenge (
x.com/RenwaX23/sta...
). Instead of right-click and open in new tab, I found you can also use drag-and-drop into a popup window to achieve the same effect! With CSS you can make it convincing like clickjacking:
gist.github.com/JorianWoltje...
loading . . .
about 1 year ago
1
1
0
Load more
feeds!
log in
