mrroot (@_mohd_saqlain)'s Twitter Profile
mrroot

@_mohd_saqlain

Application Security Engineer | bbhunter.com/mrrootsec

ID: 2219265548

Website: https://mrrootsec.vercel.app
Joined: 28-11-2013 09:03:25

2.2K Tweets

862 Followers

404 Following

Brett Buerhaus (@bbuerhaus)

Reversing and Tooling a Signed Request Hash in Obfuscated JavaScript

buer.haus/2024/01/16/rev…

Thanks to HackingHub (@hackinghub_io) for putting together a lab to learn more about it: app.hackinghub.io/surl

André Baptista (@0xacb)

Did you know an input can use the form attribute to link to a form by ID, letting it submit with the form even if it's placed outside of it!? 👀

In this PHP example, an input outside the form adds a URL argument and only the second param value (1337) is echoed.

S/O to Andreas Söderlund (@encodeart)
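
The behaviour in the post above, as an added worked example that is not part of the tweet or its PHP demo: a small form-owner resolver that reproduces what the browser submits when a control outside a form carries `form="f"`, followed by PHP-style parsing of the resulting query string (last value of a repeated key wins) next to the all-values view other frameworks expose. The page, form id, field names and the `/echo.php` action are all constructed for the example. The security point it makes concrete is that anyone who can inject an `<input>` anywhere in the document, not only inside the form, can attach a parameter to a legitimate form and override the value the server sees.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed sample page (not the tweet's PHP example). The hidden <input>
# sits outside <form id="f"> but is owned by it through form="f".
SAMPLE_HTML = """
<form id="f" action="/echo.php" method="get">
  <input type="text" name="id" value="42">
  <input type="submit" value="Go">
</form>
<p>unrelated content</p>
<input type="hidden" form="f" name="id" value="1337">
"""

BUTTONS = {"submit", "button", "reset", "image"}


class FormOwnerParser(HTMLParser):
    """Records every named control with its nearest ancestor <form> and its
    explicit form="..." attribute, in tree order, plus all <form> ids."""

    def __init__(self):
        super().__init__()
        self.form_stack = []
        self.form_ids = set()
        self.controls = []  # (explicit_form, ancestor_form, name, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_stack.append(a.get("id"))
            if a.get("id"):
                self.form_ids.add(a["id"])
        elif tag in ("input", "textarea", "select") and a.get("name"):
            if "disabled" in a or (a.get("type") or "text").lower() in BUTTONS:
                return  # disabled controls never submit; buttons only as the submitter
            ancestor = self.form_stack[-1] if self.form_stack else None
            self.controls.append((a.get("form"), ancestor, a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def form_data_set(html, form_id):
    """Controls the browser submits with <form id=form_id>, in tree order.
    A form="..." attribute overrides the ancestor form; a reference to a
    non-existent id leaves the control without an owner."""
    p = FormOwnerParser()
    p.feed(html)
    out = []
    for explicit, ancestor, name, value in p.controls:
        owner = explicit if explicit is not None else ancestor
        if explicit is not None and explicit not in p.form_ids:
            owner = None
        if owner == form_id:
            out.append((name, value))
    return out


def submit(html, form_id):
    """Query string the browser would send for a GET form."""
    return urlencode(form_data_set(html, form_id))


def php_get(query):
    """PHP's $_GET keeps only the LAST value of a repeated key."""
    out = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out[k] = v
    return out


def all_values(query):
    """Frameworks that keep every value (Flask getlist, Express arrays, ...)."""
    out = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out.setdefault(k, []).append(v)
    return out


if __name__ == "__main__":
    q = submit(SAMPLE_HTML, "f")
    print(q)              # id=42&id=1337
    print(php_get(q))     # {'id': '1337'}  the injected control wins
    print(all_values(q))  # {'id': ['42', '1337']}
```

Two practical checks follow from this: a sanitizer that lets user content keep `<input>`, `<textarea>` or `<select>` must strip the `form` attribute (or the element) even when the content is rendered far from any form, and a server that reads a single value for a key should pin down which one it takes, since PHP, Flask and Express disagree on duplicate parameters.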

Louis Nyffenegger (@snyff)

Let's create a certification... The exam: you find (and fix or get fixed) 12 issues in different open source projects with more than 10k stars on GitHub.

harisec (@har1sec)

Here are the slides from my TumpiCon talk: Teaching LLMs how to XSS - An introduction to fine-tuning and reinforcement learning (using your own GPU) docs.google.com/presentation/d…

Gunnar Andrews (@g0lden_infosec)

I am really trying to focus on some hands-on hacking recently, and more specifically I have been focused on client-side topics. Here is a little primer of tools/resources I have used and looked at so far :) Share yours with me! <3
youtu.be/y9hffgd8ikw

chux (@chux13786509)

Hackers 🔥
I've set up this Nginx that forwards traffic to a Flask server and blocks access to /secret - throwing 403 🛑
Can you find a way to bypass this restriction and access /secret? 🥷
Drop your ideas or tricks in the replies — let's see how creative you can get! ⚡️

ramsexy (@plmaltais)

Just dropped a new CSP bypass for salesforce.com on cspbypass.com : <script src="omtr2.partners.salesforce.com/id?callback=al…"></script>
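
Why a JSONP endpoint on an allowlisted host defeats a CSP, as an added example that is not part of the tweet and does not use salesforce.com's real policy or endpoint: the CSP, the `*.partners.example.com` allowlist entry and the `/id?callback=` service below are constructed. The block shows the vulnerable reflection of the callback name, a validated variant, and a simplified `script-src` matcher that confirms the page would load a script from the JSONP host.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed example: made-up policy and JSONP host, not a real service.
CSP = "default-src 'self'; script-src 'self' https://*.partners.example.com; object-src 'none'"
JSONP_URL = "https://jsonp.partners.example.com/id?callback=alert"

# A JavaScript identifier, optionally dotted (e.g. jQuery.cb123).
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def jsonp_unvalidated(callback, data):
    """Vulnerable endpoint: reflects `callback` verbatim, so the response is
    attacker-chosen JavaScript served from an origin the CSP trusts."""
    return f"{callback}({json.dumps(data)})"


def jsonp_validated(callback, data):
    """Hardened endpoint: identifier-only callback plus a /**/ prefix
    (serve with Content-Type: application/javascript and
    X-Content-Type-Options: nosniff). A bare identifier such as `alert`
    still passes: validation blocks injected code, not the allowlist bypass."""
    if not CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback")
    return f"/**/{callback}({json.dumps(data)})"


def script_src_sources(csp):
    """Source expressions governing scripts (script-src, else default-src)."""
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def host_source_matches(source, url):
    """Simplified CSP host-source matching: scheme-only sources, exact hosts
    and *.wildcard hosts; keyword, nonce and hash sources never match a URL.
    Ports and path matching are ignored for brevity."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    s = source.lower()
    if s.startswith("'"):
        return False  # 'self', 'unsafe-inline', 'nonce-...', 'sha256-...'
    if s.endswith(":") and "//" not in s:
        return u.scheme == s[:-1]  # e.g. https:
    if "://" in s:
        scheme, s = s.split("://", 1)
        if u.scheme != scheme:
            return False
    s = s.split("/", 1)[0]  # drop any path part
    if s.startswith("*."):
        return host.endswith(s[1:])  # one or more subdomain labels
    return host == s


def script_allowed(csp, url):
    """True if the page's CSP lets <script src=url> load."""
    return any(host_source_matches(src, url) for src in script_src_sources(csp))


if __name__ == "__main__":
    print(script_allowed(CSP, JSONP_URL))         # True
    print(jsonp_unvalidated("alert", {"id": 7}))  # alert({"id": 7})
    print(jsonp_validated("alert", {"id": 7}))    # /**/alert({"id": 7})
```

The takeaway for defenders is that tightening the JSONP endpoint is not enough: `callback=alert` is a perfectly valid identifier, and the gadget works because the host is trusted wholesale. A nonce- or hash-based policy (`script-src 'nonce-...' 'strict-dynamic'`) removes the host allowlist and with it this whole class of bypass; if host allowlists must stay, every allowlisted origin needs to be checked for JSONP endpoints and other script gadgets.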

GMO Flatt Security Inc. (@flatt_sec_en)

New blog out! Think XSS is a thing of the past with today's Web frameworks? Think again! Our new article by canalun breaks down why this vulnerability persists and offers insights on how to stay secure. Read it here! flatt.tech/research/posts…

Sam Curry (@samwcyo)

When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (Ian Carroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456". ian.sh/mcdonalds

dbugs (@ptdbugs)

1/4 dbugs LIVE

dbugs.ptsecurity.com — vulnerabilities’ home

See trends, discover more, read AI summaries, have all references at hand, and your profile with all your CVEs and CVSS score on a leaderboard.

⬇️ See thread: what’s live + what’s next ⬇️

Kévin GERVOT (Mizu) (@kevin_mizu)

I'm happy to release a script gadgets wiki inspired by the work of Sebastian Lekies (@slekies), koto (@kkotowicz), and Eduardo Vela (@sirdarckcat) in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4

sapir federovsky (@sapirxfed)

This post is SO GOOD! I knew nothing about easy auth, it's so interesting! And the abuse ideas are so creative! It's not the first time I see how env variables on app lead to such things (See MI research by NetSpy). Go read it! dazesecurity.io/blog/abusingEa…

Ethiack (@ethiack)

What happens when a WAF blocks every XSS payload you throw at it? You get creative. 🔗 Read the full blog post: blog.ethiack.com/blog/bypassing…

jeppojeps bsky social (@jeppojeps)

For YOU interested in JS exploitation: 2nd episode dissecting the current state of the art. Ready for fakeobj() ? We are looking for you at fuzzsociety.org to learn vulnerability research together, from scratch. youtu.be/hZU_KsShXGk +slides +docker