Sajjad “JJ” Arshad (@sajjadium)'s Twitter Profile

Web Security @Google, #GoogleCTF Organizer, @DEFCON Instructor

ID: 70896951

Link: https://sajjadium.github.io/ | Date: 02-09-2009 06:06:58

1.1K Tweets

1.1K Followers

245 Following

Web Security Academy (@websecacademy)

APPRENTICE LAB: DOM XSS in innerHTML sink using source location[.]search. This lab contains a DOM-based XSS vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location[.]search. To

d4d (@d4d89704243)

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/cooki…

DARPA (@darpa)

The DARPA AI Cyber Challenge was designed to advance cybersecurity technology and ensure that technology is applied to secure the code we all rely on. All seven finalist teams have released their competition cyber reasoning systems open source. archive.aicyberchallenge.com

Behi (@behi_sec)

I really enjoyed André Baptista's blog post "Fuzzing the Web for Mysterious Bugs". A great read on creative fuzzing techniques and strange edge cases in web apps. Highly recommended: 0xacb.com/2022/11/21/rec…

Google VRP (Google Bug Hunters) (@googlevrp)

Rendering untrusted web content is fraught with security risks 🕸️ 🛡️. Read how SafeContentFrame, a new TypeScript library, offers a robust solution for isolating web content and protecting against threats like XSS and side-channel attacks. goo.gle/3K5DRQJ

terjanq (@terjanq)

We published a blogpost about SafeContentFrame - a library for rendering untrusted content inside an iframe. The library is a big party of what I've been up to in the few last years! Check out the blog and take a slice of my birthday cake 🎂! bughunters.google.com/blog/671552987…

Logan Graham (@logangraham)

Something you may not know about Sonnet 4.5: it’s a special model for cybersecurity. For the past few months, the Frontier Red Team has been researching how to make models more useful for defenders. We now think we’re at an inflection point. New post on Red:

XSS Payloads (@xsspayloads)

DOM XSS: Bypassing Server-side Cookie Overwrite, Chrome innerHTML Quirk, and JSON Injection, some good findings by El Mehdi elmahdi4.wordpress.com/2025/09/26/dom…

James Kettle (@albinowax)

HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:

nedwill (@nedwilliamson)

JS engines/compilers are fascinating targets for security, looking forward to this! I’ll be at POC this year as an attendee.

Ivan Fratric 💙💛 (@ifsecure)

Although the target might not be as impactful as some others we ran against, these bugs in QuickJS are some of my favorite Big Sleep finds, because they demonstrate the ability of LLMs to reason about and detect classic JavaScript engine vulnerabilities. issuetracker.google.com/savedsearches/…

Ivan Fratric 💙💛 (@ifsecure)

Great news for browser security (and not just because it cites my XSLT research :)). A lot of younger folks don't even know this feature exists, yet is/was the default attack surface in all major web browsers with a history of exploitation. developer.chrome.com/docs/web-platf…

Sundar Pichai (@sundarpichai)

We launched Gmail on April Fool’s Day in 2004. 20+ years later, we’re bringing Gmail into the Gemini era. AI Overviews, Suggested personalized replies, Proof read, AI Inbox with new streamlined views and suggested topics to catch-up on and loads more, read the full details

terjanq (@terjanq)

XS-Leaks challenges just got harder. Chrome shipped Socket Pool Randomization which should hopefully make it much harder to learn about opened sockets! chromestatus.com/feature/649675…