Gareth Heyes
@garethheyes.co.uk
javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'>
https://garethheyes.co.uk/#latestBook
https://garethheyes.co.uk/#latestBook
Pinned
Gareth Heyes
@garethheyes.co.uk
· Sep 26
In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more.
www.amazon.com/dp/B0BRD9B3GS
www.amazon.com/dp/B0BRD9B3GS
Question is what do I build next? So exciting. So many ideas...
February 13, 2026 at 6:31 PM
Question is what do I build next? So exciting. So many ideas...
I've got to the point where I've implemented nearly every 1 of my ideas for Shazzer and Hackvertor. Claude played a big part in that. I'm proud of them both. My approach of semi-vibing was long winded but now I think it's really paid off in both knowledge and speed of development
February 13, 2026 at 6:19 PM
I've got to the point where I've implemented nearly every 1 of my ideas for Shazzer and Hackvertor. Claude played a big part in that. I'm proud of them both. My approach of semi-vibing was long winded but now I think it's really paid off in both knowledge and speed of development
I've added tool tips to the tags in Hackvertor!
February 13, 2026 at 12:51 PM
I've added tool tips to the tags in Hackvertor!
Last night I made web Hackvertor more beautiful. I followed the same process I did with Shazzer. The footer is cleaned up and the nav bar now remembers the section and is reorganized.
February 12, 2026 at 12:23 PM
Last night I made web Hackvertor more beautiful. I followed the same process I did with Shazzer. The footer is cleaned up and the nav bar now remembers the section and is reorganized.
Reposted by Gareth Heyes
just got xss with this 😎
New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.
portswigger.net/web-security...
portswigger.net/web-security...
February 11, 2026 at 6:14 PM
just got xss with this 😎
I've added a modal dialog to confirm if you want to opt in to Shared fuzzing in Shazzer. If you've already made a choice it should not show. Sorry about the dialog they are annoying but necessary in this case.
February 11, 2026 at 12:39 PM
I've added a modal dialog to confirm if you want to opt in to Shared fuzzing in Shazzer. If you've already made a choice it should not show. Sorry about the dialog they are annoying but necessary in this case.
New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.
portswigger.net/web-security...
portswigger.net/web-security...
February 10, 2026 at 3:03 PM
New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.
portswigger.net/web-security...
portswigger.net/web-security...
Last night I fixed Hackvertor history to work when real time is enabled. I made the collapsable panels remember their state. Various UI fixes. In Shazzer I fixed the like count on the vector card.
February 10, 2026 at 12:19 PM
Last night I fixed Hackvertor history to work when real time is enabled. I made the collapsable panels remember their state. Various UI fixes. In Shazzer I fixed the like count on the vector card.
Reposted by Gareth Heyes
Added a small feature to cspbypass.com to warn the user if unsafe-inline is detected, in which case you typically don’t need to waste time hunting for 3rd-party whitelisted CSP bypasses and go straight to inline scripts / event handlers.
February 7, 2026 at 6:50 PM
Added a small feature to cspbypass.com to warn the user if unsafe-inline is detected, in which case you typically don’t need to waste time hunting for 3rd-party whitelisted CSP bypasses and go straight to inline scripts / event handlers.
Massive update to Hackvertor
- Syntax highlighting
- Code editors
- New auto decode box
- Tag and code completion
- Brand new auto decoder
- Syntax highlighting
- Code editors
- New auto decode box
- Tag and code completion
- Brand new auto decoder
February 7, 2026 at 3:24 PM
Massive update to Hackvertor
- Syntax highlighting
- Code editors
- New auto decode box
- Tag and code completion
- Brand new auto decoder
- Syntax highlighting
- Code editors
- New auto decode box
- Tag and code completion
- Brand new auto decoder
Having so much fun with Claude code writing a new auto decoder for Hackvertor. It experienced all the same problems I had. It's been really fun working together to find the flaws and best solution. Really excited to release this to web and Burp.
February 4, 2026 at 8:17 PM
Having so much fun with Claude code writing a new auto decoder for Hackvertor. It experienced all the same problems I had. It's been really fun working together to find the flaws and best solution. Really excited to release this to web and Burp.
🔥 Can you get RCE from an email address? Yep. In my NDC Manchester talk Splitting the email atom, I break down how RFC weirdness leads to auth bypasses, parser confusion, and full remote code execution. Watch here 👇 www.youtube.com/watch?v=kVPe...
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls - Gareth Heyes
YouTube video by NDC Conferences
www.youtube.com
February 4, 2026 at 4:48 PM
🔥 Can you get RCE from an email address? Yep. In my NDC Manchester talk Splitting the email atom, I break down how RFC weirdness leads to auth bypasses, parser confusion, and full remote code execution. Watch here 👇 www.youtube.com/watch?v=kVPe...
I did further design improvements to Shazzer and added a debug fuzz option. This allows you to debug 10 code points at a time and prints the output of the template to the console. Useful when testing a vector.
February 4, 2026 at 2:23 PM
I did further design improvements to Shazzer and added a debug fuzz option. This allows you to debug 10 code points at a time and prints the output of the template to the console. Useful when testing a vector.
Made Shazzer even more beautiful I took inspiration from F1.
February 4, 2026 at 12:17 PM
Made Shazzer even more beautiful I took inspiration from F1.
Online Hackvertor now does real time conversion. I've added a tag argument builder to make it easier to construct tags. I also added syntax highlighting and a code editor. The sandboxed code has been improved too. Check it out!
hackvertor.co.uk
hackvertor.co.uk
Hackvertor - Cutting edge conversion
An app to make conversion tags to help with web security research
hackvertor.co.uk
February 3, 2026 at 9:23 PM
Online Hackvertor now does real time conversion. I've added a tag argument builder to make it easier to construct tags. I also added syntax highlighting and a code editor. The sandboxed code has been improved too. Check it out!
hackvertor.co.uk
hackvertor.co.uk
Over the weekend I developed a major new feature for Shazzer: Teams! You can now share your vectors between team members and have your own fuzzing network.
shazzer.co.uk/blog/shazzer...
shazzer.co.uk/blog/shazzer...
Shazzer teams: Collaborative Fuzzing - Shazzer
I'm excited to announce a major new feature on Shazzer: Teams. Now you can collaborate with other security researchers on fuzzing projects, share vectors, and pool your browser resources for distribut...
shazzer.co.uk
February 2, 2026 at 1:02 PM
Over the weekend I developed a major new feature for Shazzer: Teams! You can now share your vectors between team members and have your own fuzzing network.
shazzer.co.uk/blog/shazzer...
shazzer.co.uk/blog/shazzer...
Reposted by Gareth Heyes
Had a fun XSS gadget chain with antoniusblock on a real world target, he made an awesome writeup:
blog.antoniusblock.net/posts/dom-cl...
blog.antoniusblock.net/posts/dom-cl...
A CTF-Style XSS Chain in the Wild: DOM Clobbering, Gadgets, and CSP Bypass
A bug bounty target that unexpectedly felt like a CTF. What began as simple recon turned into a nice chain of discoveries that ultimately led to a valid XSS
blog.antoniusblock.net
February 1, 2026 at 9:31 AM
Had a fun XSS gadget chain with antoniusblock on a real world target, he made an awesome writeup:
blog.antoniusblock.net/posts/dom-cl...
blog.antoniusblock.net/posts/dom-cl...
I did loads of updates this morning to Shazzer:
- Performance updates
- Fixed & improved cheat sheet
- Made the new vector screen easier to use & added examples
- General UI fixes
- Performance updates
- Fixed & improved cheat sheet
- Made the new vector screen easier to use & added examples
- General UI fixes
January 31, 2026 at 9:13 AM
I did loads of updates this morning to Shazzer:
- Performance updates
- Fixed & improved cheat sheet
- Made the new vector screen easier to use & added examples
- General UI fixes
- Performance updates
- Fixed & improved cheat sheet
- Made the new vector screen easier to use & added examples
- General UI fixes
I updated the Shazzer unicode table today. You can now copy all the ranges as hex, codepoints or characters separated by commas etc shazzer.co.uk/tools/unicod...
Shazzer - Shared online fuzzing
An app to enable to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!
shazzer.co.uk
January 29, 2026 at 5:28 PM
I updated the Shazzer unicode table today. You can now copy all the ranges as hex, codepoints or characters separated by commas etc shazzer.co.uk/tools/unicod...
We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors!
Browse them here: portswigger.net/web-security...
Browse them here: portswigger.net/web-security...
January 28, 2026 at 1:38 PM
We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors!
Browse them here: portswigger.net/web-security...
Browse them here: portswigger.net/web-security...
January 26, 2026 at 12:18 PM
Did huge amounts of updates to Shazzer. The fuzzing network was particularly tricky. I had production issues but hopefully I've fixed them. You can now visually see the fuzzing network at:
shazzer.co.uk/network
shazzer.co.uk/network
Fuzzing Network - Shazzer
Real-time view of the distributed fuzzing network
shazzer.co.uk
January 25, 2026 at 9:39 PM
Did huge amounts of updates to Shazzer. The fuzzing network was particularly tricky. I had production issues but hopefully I've fixed them. You can now visually see the fuzzing network at:
shazzer.co.uk/network
shazzer.co.uk/network
Shazzer now has a generated cheat sheet that will improve over time as vectors are added and data is collected.
shazzer.co.uk/cheat-sheet
shazzer.co.uk/cheat-sheet
Shazzer - Shared online fuzzing
An app to enable to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!
shazzer.co.uk
January 24, 2026 at 9:39 AM
Shazzer now has a generated cheat sheet that will improve over time as vectors are added and data is collected.
shazzer.co.uk/cheat-sheet
shazzer.co.uk/cheat-sheet
New Shazzer feature: Distributed Fuzzing 🔥
Your browser can now help test vectors across the community. Just visit Shazzer and your idle browser cycles contribute fuzzing results for everyone.
shazzer.co.uk/blog/distrib...
Your browser can now help test vectors across the community. Just visit Shazzer and your idle browser cycles contribute fuzzing results for everyone.
shazzer.co.uk/blog/distrib...
Distributed Fuzzing: Crowdsourced Browser Testing - Shazzer
Shazzer has always been about discovering browser quirks and security edge cases through fuzzing. Today, I'm excited to introduce a new feature that takes this to the next level: Distributed Fuzzing.
...
shazzer.co.uk
January 23, 2026 at 11:37 PM
New Shazzer feature: Distributed Fuzzing 🔥
Your browser can now help test vectors across the community. Just visit Shazzer and your idle browser cycles contribute fuzzing results for everyone.
shazzer.co.uk/blog/distrib...
Your browser can now help test vectors across the community. Just visit Shazzer and your idle browser cycles contribute fuzzing results for everyone.
shazzer.co.uk/blog/distrib...
January 23, 2026 at 7:20 PM