Nekrom (@nekrom__)'s Twitter Profile
Nekrom

@nekrom__

Bug Bounty & Red Teaming Tips and Tricks 💻 #Cybersecurity #BugBounty #BugBountyTips #RedTeam

ID: 968950145046990848

Joined: 28-02-2018 20:44:51

349 Tweets

260 Followers

846 Following

Jomar (@j0_mart):

It's been a long time since I posted a blog post! Today I posted "Extract and monitor bugbounty scopes": blog.jomar.fr/posts/2025/ext… With new projects in the pipeline, I've already lined up a number of upcoming articles 😁

Kévin GERVOT (Mizu) (@kevin_mizu):

The #FCSC2025 ended yesterday, and my write-ups are now available here 👇 mizu.re/post/fcsc-2025… Btw, like every year, all the challenges have also been added to hackropole.fr! 🚩 1/2

slonser (@slonser_):

Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->

Masato Kinugawa (@kinugawamasato):

A trivial bypass was fixed in DOMPurify 3.2.5 (github.com/cure53/DOMPuri…). It works only if an attacker can write "-->". DOMPurify usually tries to prevent you from writing "-->" on attributes, but it can be written through DOMPurify hooks in some cases, for example. PoC👇

Tuan Anh Nguyen⚡️ 🇻🇳 (@haxor31337):

From SSRF to RCE and transferring money in core banking. It is a really cool red team case: a perfect combination of external and internal vulnerabilities, each used for the other, to bypass the monitoring and detection of the blue team. Presented by my colleague Q5Ca: youtu.be/xBnMrNCuO_w?si…

Blaklis (@blaklis_):

Hey the community! I feel the need to react to x.com/GodfatherOrwa/…, as it targets me specifically and is doing a clear defamation there. I guess it's useless to say that the claims of me telling that I'll block people based on the fact that they're muslim is a complete lie,

shubs (@infosec_au):

How do we turn bad SSRF (blind) into good SSRF (full response)? The Assetnote Security Research team at Searchlight Cyber used a novel technique involving HTTP redirect loops and incremental status codes that leaked the full HTTP resp. It may work elsewhere! slcyber.io/assetnote-secu…

Aituglo (@aituglo):

I wrote an article on Bugcrowd talking about my current methodology for approaching a hardened target, and I'm pretty happy with it, as I found some nice bugs recently on huge public programs 😌 bugcrowd.com/blog/how-to-fi…

Masato Kinugawa (@kinugawamasato):

<meta http-equiv="refresh" content="0;url='//example.com'@x.com/'"> Chrome redirects to x.com, Safari and Firefox redirect to example.com.
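Added example, not from the tweet: a small model of the two ways a browser could extract the target from that meta-refresh content value, plus the check an open-redirect filter would need. The "quote-delimited" model follows the HTML spec's declarative refresh steps (take the quoted string up to its matching quote); the "strip-ends" model drops one leading and one trailing quote and keeps everything in between. The second model is an assumption made here to reproduce the Chrome result the tweet reports, not Chrome's actual code. The page host victim.test is made up.

```javascript
// Added example, not from the tweet. Two models of how a browser might pull the
// target out of a meta-refresh content value:
//   "quote-delimited": follow the HTML spec's declarative refresh steps and take
//                      the quoted string up to the matching quote;
//   "strip-ends":      drop one leading and one trailing quote and keep everything
//                      in between (an assumption made here to reproduce the Chrome
//                      result the tweet reports; it is not Chrome's actual code).
function refreshTarget(content, model) {
  // content has the shape "<seconds>;url=<target>"; the "url=" part is optional
  const m = /^\s*\d*\s*[;,]\s*(?:url\s*=\s*)?(.*)$/i.exec(content);
  if (!m) return null;
  let rest = m[1].trim();
  const q = rest[0];
  if (q !== "'" && q !== '"') return rest;          // unquoted target
  if (model === "quote-delimited") {
    const end = rest.indexOf(q, 1);
    return end === -1 ? rest.slice(1) : rest.slice(1, end);
  }
  if (model === "strip-ends") {
    rest = rest.slice(1);
    if (rest.endsWith(q)) rest = rest.slice(0, -1);
    return rest;
  }
  throw new Error("unknown model: " + model);
}

// Host the browser would land on after resolving the extracted target against
// the page URL (WHATWG URL parsing, as implemented by Node's URL class).
function redirectHost(content, model, pageUrl) {
  const target = refreshTarget(content, model);
  return target === null ? null : new URL(target, pageUrl).host;
}

// The tweet's payload. With "quote-delimited" the target is //example.com; with
// "strip-ends" it is //example.com'@x.com/, where example.com' becomes the
// userinfo part and x.com the host.
const PAYLOAD = "0;url='//example.com'@x.com/'";

// Open-redirect check for a meta-refresh value: accept it only if every
// plausible parse stays on an allowed host.
function refreshStaysOnAllowedHosts(content, pageUrl, allowedHosts) {
  return ["quote-delimited", "strip-ends"].every(
    model => allowedHosts.includes(redirectHost(content, model, pageUrl)));
}
```

The practical point is the last function: a filter that parses the refresh target one way and a browser that parses it another way is an open redirect, so the filter has to reject anything the two parses disagree on.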

Assetnote (@assetnote):

Sometimes, SQL injection is still possible, even when prepared statements are being used. Our researcher hashkitten has written up a blog post about a novel technique for SQL Injection in PDO’s prepared statements: slcyber.io/assetnote-secu…

Kévin GERVOT (Mizu) (@kevin_mizu):

I'm happy to release a script gadgets wiki inspired by the work of Sebastian Lekies, koto, and Eduardo Vela in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4

Kévin GERVOT (Mizu) (@kevin_mizu):

I've released a DOMLogger++ config that helps detect any replacements occurring in a DOMPurify output by inserting and tracking a canary value at runtime. I think it highlights how useful DOMLogger++ can be for tracking JS execution :D 👉 github.com/kevin-mizu/dom… 1/3

Gareth Heyes (@garethheyes):

Imagine you have an XSS vulnerability but you have an undefined variable before your injection. Is all hope lost? Not at all: you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Big thanks to ycam for the XSS cheat sheet submission
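Added example, not from the tweet or the cheat sheet: a runnable model of the situation described. The hypothetical page templates, the names trackEvent and settings, and the record() stand-in for alert() are all made up here. It shows why a var declaration in the payload is not enough (only the binding is hoisted) while a function declaration is (the whole function object is hoisted, so both a call and a property access on the missing name succeed).

```javascript
// Added example, not from the tweet. `record` stands in for alert(); the
// templates and the identifiers trackEvent / settings are made up for this demo.
const calls = [];
function record(tag) { calls.push(tag); }

// Two hypothetical vulnerable templates; the injection point is inside `msg`.
const PREFIX_CALL = 'trackEvent("pageview");';      // calls an undefined function
const PREFIX_PROP = 'var title = settings.title;';  // reads an undefined variable

function buildScript(pagePrefix, userInput) {
  return `${pagePrefix} var msg = "${userInput}";`;
}

// Run the assembled script the way the browser would and report whether it
// reached the end, which error stopped it, and what the payload got to record().
function execute(pagePrefix, userInput) {
  calls.length = 0;
  try {
    new Function("record", buildScript(pagePrefix, userInput))(record);
    return { ran: true, error: null, calls: [...calls] };
  } catch (e) {
    return { ran: false, error: e.constructor.name, calls: [...calls] };
  }
}

// Payloads: each breaks out of the string literal and comments out the tail.
// Naive: the error on the preceding statement fires before record() is reached.
const NAIVE = '";record("naive");//';
// var: the declaration is hoisted, but only the binding, so the name is still
// undefined when the earlier statement uses it and it throws a TypeError.
function varPayload(name) { return `";var ${name}={};record("var");//`; }
// function: the declaration is hoisted together with its body, so the earlier
// statement sees a callable object and execution continues to record().
function hoistPayload(name) { return `";function ${name}(){}record("hoisted");//`; }
```

Use hoistPayload(name) with the name that appears in the statement before the injection; execute(PREFIX_CALL, hoistPayload("trackEvent")) runs to completion, while execute(PREFIX_CALL, NAIVE) dies on the ReferenceError first.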

Jorian (@j0r1an):

While playing a challenge by Salvatore Abello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP. All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should be iframable.

castilho (@castilho101):

I found out that you can use "ftp::" to convert a limited DOM Clobbering situation into a full CSPT. Then, while talking about it with m0z, he found that we can also use "https::". This can be used to prevent URL parsing of href, allowing us to hit other endpoints

Nowasky (@nowaskyjr):

A page can have only one <html> and one <body>. If you define more, their attributes are merged into the first. This can be used to split #xss vector attributes across multiple tags, as some sanitizers may not account for attribute merging. jsfiddle.net/n9j4w1zp/
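Added example, not from the tweet or the linked fiddle: a minimal model of the HTML parser rule the tweet relies on (a second `<body>` or `<html>` start tag contributes only the attributes the first element does not already have), next to a hypothetical per-tag sanitizer check that misses attributes added this way and the merged check that catches them. The sample markup and both check functions are constructed here; the regex-based tag scanner does not handle `>` inside attribute values.

```javascript
// Added example, not from the tweet. Models the browser rule that a repeated
// <html> or <body> start tag adds only attributes missing from the first one.
const TAG_RE = /<(html|body)\b([^>]*)>/gi;          // start tags only; no '>' in values
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse the attribute text of one start tag into {name: value}.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!(name in attrs)) attrs[name] = value;      // duplicate on one tag: first wins
  }
  return attrs;
}

// Attributes the single <html> or <body> element ends up with after parsing:
// later start tags for the same element add only attributes not yet present.
function effectiveAttrs(html, tag) {
  const merged = {};
  for (const m of html.matchAll(TAG_RE)) {
    if (m[1].toLowerCase() !== tag) continue;
    for (const [name, value] of Object.entries(parseAttrs(m[2]))) {
      if (!(name in merged)) merged[name] = value;
    }
  }
  return merged;
}

function hasEventHandler(attrs) {
  return Object.keys(attrs).some(name => name.startsWith("on"));
}

// Hypothetical naive sanitizer check: inspects only the first <body> tag.
function naiveBodyCheck(html) {
  const m = /<body\b([^>]*)>/i.exec(html);
  return m === null || !hasEventHandler(parseAttrs(m[1]));
}

// Check against what the browser will actually build.
function mergedBodyCheck(html) {
  return !hasEventHandler(effectiveAttrs(html, "body"));
}

// Constructed sample: the handler sits on a second <body>, which the parser
// folds into the first one.
const SAMPLE = '<body class="page"><p>hi</p><body onload="alert(1)" class="x">';
```

naiveBodyCheck(SAMPLE) passes the markup while mergedBodyCheck(SAMPLE) rejects it, because the browser's body element ends up as `<body class="page" onload="alert(1)">`. The same folding applies to `<html>`, so a check on the document root has to merge too.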

Nowasky (@nowaskyjr):

Anchor/area tags can leak page URLs (origin, path, query, post-click fragment) by using href="#" with the ping attribute pointing elsewhere. Works in Chrome and Safari (Firefox disables ping by default). storage.googleapis.com/nowaskyjr/ping…
