renniepak
@renniepak.nl
renniepak.nl
Self-XSS connoisseur. Elite Hacker. MVH H11337UPBash. One-Percent Man. Creator of CSPBypass.com. (he/him)
Reposted by renniepak
Found an XSS but got blocked by the CSP?

https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
October 21, 2025 at 9:16 AM
Reposted by renniepak
In a shameless effort to promote my book, I've crafted some very special vectors for you. If you like them, please purchase my book to read more.

www.amazon.com/dp/B0BRD9B3GS
September 26, 2025 at 11:20 AM
Been playing around with strudel.cc recently. It is pretty awesome!

strudel.cc#Ly9Td2VldCBE...
Strudel REPL
Strudel is a music live coding environment for the browser, porting the TidalCycles pattern language to JavaScript.
strudel.cc
September 6, 2025 at 2:38 PM
Reposted by renniepak
Great interview with @racheltobac.bsky.social shining a light on a lot of important topics, like what are likely attack vectors, impact of #AI on #security, #ethics, affecting social interactions and #privacy.

"Be politely paranoid." 👏

www.youtube.com/watch?v=xEdZ...
Social Engineer: YOU are Easier to Hack than your Computer
YouTube video by Scammer Payback
www.youtube.com
September 2, 2025 at 11:15 AM
Coded some PHP today without using ChatGPT, like a mad man.
August 27, 2025 at 4:13 PM
Reposted by renniepak
Time to reveal what I was doing with @teknogeek.io back in '19.

All the hard work and sleepless nights have paid off!
August 26, 2025 at 9:02 AM
Just finished a major UI overhaul of CSPBypass.com and would love your feedback. Excited to welcome ProjectDiscovery as our first sponsor. Huge thanks to their team for supporting the project and recognizing its value to the community.
CSP Bypass Search
A tool designed to help ethical hackers bypass restrictive Content Security Policies
CSPBypass.com
August 25, 2025 at 12:31 PM
I enabled sponsorships on Github for cspbypass.com.

The main goal is to cover hosting fees etc. So if you want to support my work, I would highly appreciate it if you could become a sponsor.

github.com/sponsors/ren...

Thanks!
CSP Bypass Search
A tool designed to help ethical hackers bypass restrictive Content Security Policies
cspbypass.com
August 24, 2025 at 5:41 PM
Forgot how to bug bounty.
August 21, 2025 at 12:31 PM
LOL. Almost 3 years after reporting it and it being fixed, I got assigned a CVE for a vuln I found 🙃

nvd.nist.gov/vuln/detail/...
NVD - CVE-2025-53836
nvd.nist.gov
July 17, 2025 at 7:30 AM
Reposted by renniepak
Made hacking rooms work in real time. This demo connects three browsers with real time editing on. From Chrome I edit some HTML. This gets sent over websockets to the other browsers which call postMessage to a blob with a sandboxed iframe.
June 20, 2025 at 11:55 AM
😍
June 19, 2025 at 2:31 PM
I feel like I have all the pieces to an ATO chain. I just have no idea what the chain would be...
June 12, 2025 at 11:51 AM
Reposted by renniepak
Epic Firefox XSS vectors by Masato Kinugawa. Now available on our XSS cheat sheet including variants found by me.

Link to vectors👇
portswigger.net/web-security...
June 9, 2025 at 1:26 PM
🏳️‍🌈
June 7, 2025 at 10:51 AM
Reposted by renniepak
Abuse EvalError, onpageswap, and setTimeout to get JS execution without parens.
@0x999.net redirects the page to trigger onpageswap, hijacks the thrown error, and turns it into code. Inspired by @terjanq.me. Now available on the XSS cheat sheet.

Link to vector👇
portswigger.net/web-security...
June 4, 2025 at 1:25 PM
Such a DOM XSS tease:

var s=document.createElement('style');s.innerHTML=decodeURIComponent(location.hash.slice(1));document.head.appendChild(s)
May 26, 2025 at 10:00 AM
Web2 Bugs + Crypto Bug Bounty Program = Drama.
May 25, 2025 at 2:19 PM
For those who missed it, check out my talk, “Widgets Gone Wild: Exploiting XSS through Flawed postMessage Origin Checks.”

📺 Watch here: www.youtube.com/watch?v=qgB0...
🖥️ Follow along with the slides: 0-a.nl/nahamcon/
Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks
YouTube video by renniepak
www.youtube.com
May 24, 2025 at 7:33 PM
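As an added example (not the talk's own code, and not from CSPBypass.com), here are the kinds of flawed postMessage origin checks the talk title refers to, beside an exact-match allowlist; the origins, message shape and DOM stand-in are constructed placeholders.

```javascript
// Added example, not code from the talk or from CSPBypass.com.
// Origins and messages below are constructed placeholders.
const TRUSTED_ORIGINS = new Set(["https://widgets.example", "https://app.example"]);

// Three flawed checks of the kind the talk title refers to. Each accepts
// origins the widget author never meant to trust.
function flawedIncludes(origin) {
  return origin.includes("widgets.example");           // substring match
}
function flawedStartsWith(origin) {
  return origin.startsWith("https://widgets.example"); // no boundary after host
}
function flawedRegex(origin) {
  return /https:\/\/widgets.example/.test(origin);    // unanchored, unescaped dot
}

// Sound check: event.origin is scheme://host[:port], so compare it whole
// against an explicit allowlist. "null" (opaque origins, e.g. sandboxed
// iframes without allow-same-origin) and lookalike hosts never match.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Message handler for the host page. `event` mirrors a MessageEvent
// ({ origin, data }). Returns the accepted text, or null when rejected.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;
  if (d.type !== "setLabel" || typeof d.text !== "string") return null;
  // Constructed DOM stand-in: assign text, not markup, so even a trusted
  // sender cannot turn the handler into an HTML injection sink.
  const label = { textContent: "" };
  label.textContent = d.text;
  return label.textContent;
}

// Origins a reviewer would run through each check (constructed).
const PROBES = [
  "https://widgets.example",                // genuinely trusted
  "https://widgets.example.attacker.test",  // trusted name as a subdomain label
  "https://widgetsXexample",                // unescaped dot in the regex
  "http://widgets.example",                 // downgraded scheme
  "null",                                   // opaque origin
];

function acceptedBy(check) {
  return PROBES.filter(check);
}
```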
The slides and examples for my talk "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks" at NahamCon can be found here: 0-a.nl/nahamcon/
May 24, 2025 at 9:23 AM
The security team running a bug bounty program as soon as your report comes in:
May 23, 2025 at 8:50 AM
Reposted by renniepak
Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall

joaxcar.com/blog/2025/05...
Confetti: Solution to my Intigriti May 2025 XSS Challenge - Johan Carlsson
joaxcar.com
May 20, 2025 at 3:59 PM
The schedule got an update:

Tune in at 1:35 PM (PDT) / 10:35 PM (CEST) for my talk!
If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23.

"Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"
May 23, 2025 at 5:59 AM
Today I learned I not only have CVEs but also an "EUVD" 😀

euvd.enisa.europa.eu/enisa/EUVD-2...
EUVD
European Vulnerability Database
euvd.enisa.europa.eu
May 20, 2025 at 1:11 PM
If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23.

"Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"
May 20, 2025 at 9:04 AM