Jorian
jorianwoltjer.com
@jorianwoltjer.com
Normalize being weird.
For the people who don't have time to read this entire thing, here are the coolest tricks I mentioned 😄: (1/5)
October 17, 2025 at 8:43 AM
Follow your rabbit holes is the takeaway from my latest CTF writeup.
I found several interesting techniques that can help tricky situations, such as using the Connection Pool to make Client-Side Race Conditions easier!

Read the whole thing on my blog:
jorianwoltjer.com/blog/p/ctf/o...
openECSC 2025 - kittychat-secure | Jorian Woltjer
Overcomplicating a hard client-side web challenge involving complex CSP script gadgets. Exploit Math.random() predictability, and learn how to use the Connection Pool to make Race Conditions easier.
jorianwoltjer.com
October 13, 2025 at 5:47 AM
I posted 2 more small articles to the Critical Thinking Research Lab:
* Nonce CSS leak in MathML: lab.ctbb.show/research/lea...
* HTML fun facts: lab.ctbb.show/research/htm...
Leaking CSP nonces with CSS & MathML
By dangling a tag in HTML, leaking nonce attributes via CSS is possible again!
lab.ctbb.show
October 8, 2025 at 6:39 AM
My first post for the @ctbbpodcast.bsky.social Research Lab is live.
Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
lab.ctbb.show
September 19, 2025 at 2:28 PM
AMAZING technique by @salvatoreabello, I've been inspired by the connection pool exploits he comes up with.
Check out this crazy impact labeled as "working as intended":
blog.babelo.xyz/posts/cross-...
September 18, 2025 at 9:14 PM
While playing a challenge by Salvatore Abello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP.
All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should be iframable.
September 16, 2025 at 8:08 AM
@omidxrz.bsky.social shared this nice postMessage() challenge some time ago.
I'm a bit late, but worth trying if you haven't already :D
Otherwise, my solution is below, it's a really fun technique that makes me re-evaluate all the .source checks I've seen before...
September 13, 2025 at 6:10 AM
The last Intigriti challenge by @0xblackbird was a fun combination of SSRF to RCE using a surprisingly exploitable pitfall in NextJS middleware.
Check out my writeup below:
jorianwoltjer.com/blog/p/ctf/i...
Intigriti August RCE Challenge (0825) | Jorian Woltjer
A challenge to achieve RCE through SSRF by @0xblackbird, involving an interesting NextJS middleware pitfall. We build a clean proxy for it and find some extra vulnerabilities along the way.
jorianwoltjer.com
August 27, 2025 at 3:00 PM
#bugbountytips
Template Injection payload list:
{{7*7}}
${7*7}}
49
<%=7*7%>
August 1, 2025 at 7:32 PM
I made a hard @intigriti.com XSS challenge this July 😅
But, it involves some very interesting Mutation XSS & DOM Clobbering fun combined with a CSP Bypass using the powerful SocketIO gadget.
Everything's explained in my writeup below!
jorianwoltjer.com/blog/p/ctf/i...
Intigriti July XSS Challenge (0725) | Jorian Woltjer
My author's writeup of the July 2025 challenge. Perform Mutation XSS to DOM Clobber and change the insertion point into an iframe, then bypass the CSP using a new useful Socket.IO gadget
jorianwoltjer.com
July 19, 2025 at 4:18 PM
Here's my writeup of the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so I included some details about different scenarios.

Don't let that HTML-injection of yours wait!
jorianwoltjer.com/blog/p/resea...
Nonce CSP bypass using Disk Cache | Jorian Woltjer
The solution to my small XSS challenge, explaining a new kind of CSP bypass with browser-cached nonces. Leak it with CSS and learn about Disk Cache to safely update your payload
jorianwoltjer.com
July 2, 2025 at 4:56 PM
Just found an interesting way to bypass some nonce-based CSPs and made a small XSS challenge with an exploitable scenario. See if you can find it before I tell!
Source JS:
gist.github.com/JorianWoltje...
URL:
greeting-chall.jorianwoltjer.com
Found a solution? Please DM to avoid spoilers, thanks!
June 30, 2025 at 6:34 AM
This is a Public Service Announcement to all client-side challenge authors:
*XSS on any localhost origin makes RCE possible on selenium!*
June 27, 2025 at 6:20 AM
This month @ToG gave us an unusual, but very cool challenge. It required some messing with a headless browser via Arbitrary File Write, and then to use a little-known Chromedriver CSRF → RCE trick. A must-know for challenge-cheesers like myself!
jorianwoltjer.com/blog/p/ctf/i...
Intigriti June RCE Challenge (0625) | Jorian Woltjer
A surprising RCE challenge instead of XSS, created by @ToG. I took an unintended approach involving the Preferences file and a chromedriver CSRF RCE issue, a must-know for CTF authors.
jorianwoltjer.com
June 27, 2025 at 6:19 AM
Many great techniques covered in this writeup by @rewhile for different cheesy 🧀 strategies and client-side fun. Show them some love! I promise you'll learn something new:
https://rewhile.github.io/posts/smiley-2025/
June 18, 2025 at 9:14 PM
Small tip for the JavaScript reverse engineers out there, Chrome has a `debug()` function which triggers a breakpoint whenever its first argument is called. It even works on built-in methods, no more wrapping stuff in proxies :D

debug(DOMParser.prototype.parseFromString)
June 13, 2025 at 9:55 AM
Just pushed a new frontend for my site, and a new post!
This one's about a tricky file write vulnerability on Windows in OBS. By crafting an image with very specific pixels, we can plant a backdoor on your PC all from an attacker's site by misconfiguring:
jorianwoltjer.com/blog/p/resea...
OBS WebSocket to RCE | Jorian Woltjer
Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an imag...
jorianwoltjer.com
June 5, 2025 at 6:49 PM
JavaScript HTML templating framework in 153 bytes:

t=(S,...V)=>(e=$=>$?._?$:$?.map?$.map(e).join``:($+'').replace(/[&"'<>]/g,c=>`&#${c.charCodeAt()};`),(o=Object(S.reduce((a,p,i)=>a+e(V[i-1])+p)))._=1,o);
June 2, 2025 at 12:26 PM
Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing.
Here's a flexible PoC:
jorianwoltjer.com/blog/p/hacki...
The Ultimate Double-Clickjacking PoC | Jorian Woltjer
Combining a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to bea...
jorianwoltjer.com
May 25, 2025 at 5:30 PM
This includes a fun trick with User Activation. It can be used to detect when actions like shortcuts and clicks happen inside cross-origin iframes:
May 21, 2025 at 12:20 PM
The legendary @joaxcar.bsky.social made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100