iQimpz (@iqimpz)'s Twitter Profile
iQimpz

@iqimpz

Full-Time Bug Bounty | Christian | app.intigriti.com/profile/iqimpz

ID: 1324837566017904647

Link: https://hackerone.com/iqimpz?type=user

Joined: 06-11-2020 22:14:35

602 Tweets

1.1K Followers

213 Following

Kévin GERVOT (Mizu) (@kevin_mizu)

I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜

The research article is available here: mizu.re/post/exploring…
The slides are available here: slides.com/kevin-mizu/gre…

1/3

RyotaK (@ryotkak)

If you're interested in the technical details, I wrote the blog post here: flatt.tech/research/posts… For the further details, please check out the announcement from the OpenWrt team: lists.openwrt.org/pipermail/open… (2/2)

Orange Tsai 🍊 (@orange_8361)

Our talk at #BHEU is done! Hope you all enjoyed it. 😉 A detailed blog is on the way, but in the meantime, check out the pre-alpha website worst.fit for early access and the slides! Huge thanks to Black Hat and my awesome co-presenter splitline 👁️🐈‍⬛!

shubs (@infosec_au)

Some security advisories don't get the attention they deserve. Being a True Attack Surface Management solution, Assetnote focuses on the technologies that matter most to our customers. Our research on CVE-2024-8534 (CVSS 8.4) affecting Citrix NetScaler: assetnote.io/resources/rese…

s1r1us (@s1r1u5_)

Imagine opening a Discord message and suddenly your computer is hacked.

We discovered a bug that made this possible and earned a $5,000 bounty for it.

Here's the story and a beginner-friendly deep dive into V8 exploit development.

Watch: youtube.com/watch?v=R3SE4V…

iQimpz (@iqimpz)

This was my first full year of full-time Bug Bounty and I would consider it a very successful year!

My 2024 #HackerOne journey! 160 vulnerabilities reported, including 41 crits and 41 highs!
hackerone.com/stories-of-202…

shubs (@infosec_au)

We discovered a pre-authentication RCE vulnerability in Craft CMS caused by an obscure PHP foot gun (CVE-2024-56145), approx 150k sites created with Craft CMS.

You can read @Assetnote's Security Research team's blog on the issue: assetnote.io/resources/rese…

#attacksurfacemanagement

Gareth Heyes (@garethheyes)

I found you could use the ISO-2022-JP escape sequences inside JS URLs!

Found using this:
hackvertor.co.uk/hack-pad/5

Poc:
portswigger-labs.net/xss/charset.ph…

iQimpz (@iqimpz)

2024 was my first full year of full-time Bug Bounty and it was amazing!🎉

💰250%+ of my previous year's salary!
🥇#4 on USA HackerOne leaderboards!
🌴Took 4+ months off!
💥Built 24/7 Automation
🗒️Very successful SAML and Caching Research!

Here's to an even better 2025!🥂

Bug Bounty Reports Explained (@gregxsunday)

SSRFs can be tough to make critical without metadata, especially against a target like GitLab that strengthens its infra with every SSRF. Yet Johan Carlsson broke through with the first critical SSRF on GitLab since 2020. Enjoy our explanation from Sweden🇸🇪🔥 youtu.be/YQ5ixykKnyY

slonser (@slonser_)

In 2024, I interacted a lot with Extensions. I decided to create a resource that will help with a basic understanding of extensions and key attacks. P.S. I tried to make everything as clear as possible and hope it won’t feel too overwhelming anywhere. extensions.neplox.security

zhero; (@zhero___)

very pleased to announce the release of my new article based on my research that led to CVE-2024-46982 titled:

Next.js, cache, and chains: the stale elixir

zhero-web-sec.github.io/research-and-t…

note: does not cover the latest findings shared in my recent posts

enjoy reading;

Kévin GERVOT (Mizu) (@kevin_mizu)

I'm very happy to finally share the second part of my DOMPurify security research 🔥 This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)! Link 👇 mizu.re/post/exploring… 1/2

Josh M (@joshtmerrill)

magic-box.dev/hacking/smolta… securityintelligence.com/x-force/smolta… wooo new blog on an rce i found in Hugging Face's smolagents library 🥳. check it out if you ❤️ ai x security :)

Ciarán Cotter (@monkehack)

🐵 MonkeHacks #52 Looking Back, Speed of Thought, Giveaway 🚨 I'm giving away a 1-year subscription of Caido Pro to celebrate 1 year of MonkeHacks. To enter: • Follow me! • Retweet this post. That's it! 😄 #bugbountytips #hacktheplanet #bugbounty monke.ie/p/monkehacks-52

Bug Bounty Village (@bugbountydefcon)

Roni Carta (@0xlupin) dives deep into real-world DoS exploitation for bug bounty — N+1s, cache poisoning, GraphQL attacks, network-level DoS, and more. $150K+ in bounties, real examples, responsible testing.

Full talk → youtu.be/ROqkbXtV2VQ

#BugBounty #DEFCON #BBV #DoS