見てる。セミコロン区切りで Content-Type: image/png;text/html のように複数のC-T指定をしたときの解釈の混乱を利用したXSSの手法。おもしろい。by ^\AAzara(C|N)?$, 🦭 / XSS using dirty Content Type in cloud era - Speaker Deck speakerdeck.com/flatt_security…

Had some fun with infinite craft and had some fun first discoveries in the bug bounty scene #bugbountysyndicate neal.fun/infinite-craft/

New blog alert! 🚨 Delve into an intriguing browser based web attack vector I stumbled upon that is widespread and can be used to perform ATO. I call it Cross Window Forgery. 🫧🌊🌪️🌀

paulosyibelo.com/2024/02/cross-…

Never give Frans a target. Frans Rosén

Found some interesting bugs in Excalidraw used in Meta Messenger (w Nagli and Joel Margolis (teknogeek)) as well as Microsoft Whiteboard some time ago. Here's the writeup!

spaceraccoon.dev/clipboard-micr…

Here's some of my submission stats from 2023 similar to the yearly review chat from the latest Critical Thinking - Bug Bounty Podcast episode

Looks like tis the xss mas season. I did discuss this in this blackhat talk almost a decade ago.
speakerdeck.com/skepticfx/domf…

This trick was a common bypass for most DOM templating engines as well.