Just finished reading #javascriptforhackers by Gareth Heyes \u2028 , learned lots of new tricks, if you’re interested in javascript I highly recommend buying a copy

Surprisingly no one was able to solve the challenge so far🥲 Check it out if you have time and haven’t already👇

Very cool technique by Luke Jahnke for POST based CSRF without a content-type header using a Blob object, Interestingly it also seems to work using a Uint8Array

My blog post, "Exploring Javascript Events & Bypassing WAFs via Character Normalization" has been nominated for the Top 10 Web Hacking Techniques of 2024!☺️ If you found it useful, I’d greatly appreciate your vote at the link below 👇 portswigger.net/polls/top-10-w…

This month, 0x999 🇮🇱 made an awesome and difficult Intigriti XSS challenge. I really enjoyed the openness of this challenge resulting in an unintended solution and the first solve 🩸! Check out how I got there in my writeup below: jorianwoltjer.com/blog/p/hacking…

Here is my author's writeup for Intigriti's March 0325 CTF challenge, Thanks to everyone who participated & great job by all the solvers! 🔥 0x999.net/blog/intigriti…

Unicode characters with a decomposition of 2+ ASCII characters and are registrable domains by 0x999 🇮🇱 shazzer.co.uk/vectors/681bdf…

Crafty JavaScript-context XSS vector using ondevicemotion, setTimeout, and URIError spoofing to trigger alert(1) now added to the XSS cheat sheet. By 0x999 🇮🇱 inspired by terjanq. Link to vector👇

This vector adds an onerror handler with eval, rewrites all ReferenceError names, then triggers an error to execute the payload. Just added it to the XSS cheat sheet. Credit to 0x999 🇮🇱, inspired by terjanq. Link to vector👇

After reading 0x999 🇮🇱 blog on IP leaks i have discovered this: windscribe.com/blog/chromium-…

0x999.net/blog/exploring… This research from 0x999 🇮🇱 is truly a goldmine. I solved a challenge by combining the name and message properties — and later realized the article explains it in detail. 1)