0x999
@0x999.net
Reposted by 0x999
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4
July 24, 2025 at 3:31 PM
New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking...
Leaking IPs in Brave Tor Window & Chrome VPNs + Popunders + CSP Bypass
This writeup details multiple IP leak vulnerabilities I discovered affecting Brave's Tor window and Chrome VPN extensions that allowed a malicious actor to leak the real IP address of any visitor to a...
July 16, 2025 at 11:00 AM
Reposted by 0x999
Abuse EvalError, onpageswap, and setTimeout to get JS execution without parens.
@0x999.net redirects the page to trigger onpageswap, hijacks the thrown error, and turns it into code. Inspired by @terjanq.me. Now available on the XSS cheat sheet.

Link to vector👇
portswigger.net/web-security...
June 4, 2025 at 1:25 PM
Reposted by 0x999
This vector adds an onerror handler with eval, rewrites all ReferenceError names, then triggers an error to execute the payload. Just added it to the XSS cheat sheet. Credit to @0x999.net, inspired by @terjanq.me

portswigger.net/web-security...
June 3, 2025 at 1:07 PM
Reposted by 0x999
Crafty JavaScript-context XSS vector using ondevicemotion, setTimeout, and URIError spoofing to trigger alert(1) now added to the XSS cheat sheet. By @0x999.net inspired by @terjanq.me

Link to vector👇
portswigger.net/web-security...
May 29, 2025 at 1:49 PM
Reposted by 0x999
Unicode characters with a decomposition of 2+ ASCII characters and are registrable domains by _0x999

shazzer.co.uk/vectors/681b...
This vector shows Unicode characters that have a decomposition of 2 or more ASCII characters, which get normalized by the browser. These characters are valid for use as domain names, expanding short s...
May 8, 2025 at 7:18 AM
Reposted by 0x999
This month, @0x999.net made an awesome and difficult Intigriti XSS challenge. I really enjoyed the openness of this challenge resulting in an unintended solution and the first solve 🩸!
Check out how I got there in my writeup below:
jorianwoltjer.com/blog/p/hacki...
Intigriti March XSS Challenge (0325) | Jorian Woltjer
A hard Cross-Site Scripting challenge chaining small bugs with one very hard step to leak a fragment directive using Self XSS
April 2, 2025 at 6:51 AM
Here is my author's writeup for Intigriti's March 0325 CTF challenge. Thanks to everyone who participated & great job by all the solvers! 🔥
0x999.net/blog/intigri...
Intigriti 0325 CTF Challenge Author's Writeup
Intigriti 0325 XSS / CTF Challenge – Exploit an XSS vulnerability to leak the flag from the bot user. This write-up covers the entire process, from discovery to exploitation, including CSRF, postMessa...
April 2, 2025 at 11:40 AM
I made a little challenge for @intigriti.com
Goal: Steal the Bot's flag!⛳️
Try it out 👇
⏰ It's CHALLENGE O'CLOCK!
👉 Find the FLAG before Monday the 30th March
👉 Win €400 in SWAG prizes
👉 We'll release a tip for every 50 likes on this tweet
Thanks @0x999.net for the challenge 👇

challenge-0325.intigriti.io
March Challenge - Intigriti
Find the FLAG and WIN Intigriti swag.
March 24, 2025 at 2:14 PM
Reposted by 0x999
The Spanner is back! 🎉 I finally ditched WordPress for a custom blogging system. If you miss the golden era of web hacking, you’ll love revisiting classics like mXSS, DOM Clobbering, and RPO. Plus, plenty of quirky, vintage research gems.

thespanner.co.uk
The Spanner
A web security blog
March 23, 2025 at 4:44 PM
Reposted by 0x999
I'm very happy to finally share the second part of my DOMPurify security research 🔥

This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)!

Link 👇
mizu.re/post/explori...

1/2
February 10, 2025 at 5:57 PM
Reposted by 0x999
Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique.

portswigger.net/research/byp...
January 28, 2025 at 2:01 PM
My blog post, "Exploring Javascript Events & Bypassing WAFs via Character Normalization" has been nominated for the Top 10 Web Hacking Techniques of 2024!☺️
If you found it useful, I’d greatly appreciate your vote at the link below 👇
portswigger.net/polls/top-10...
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2024
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2024.
January 15, 2025 at 5:41 PM
Reposted by 0x999
Got sniped into the challenge and ended up doing some cool XSS research :D

11 char XSS with mind-boggling race-conditions.

TL;DR the final payload is location=x (10 chars) and the longest is top.Z.x=x.d (11 char)

It's shorter than location=name !!

terjanq.me/solutions/jo...
December 14, 2024 at 1:17 PM
Very cool technique by @nastystereo.com for POST based CSRF without a content-type header using a Blob object. Interestingly, it also seems to work using a Uint8Array
December 2, 2024 at 8:25 PM
Reposted by 0x999
To summarize what I have learned about Mutation XSS, my CVE, and the solution to my challenge, I wrote a post going through it all.
If you like regular XSS, this is a whole new world of crazy techniques and many sanitizer bypasses. You too can learn this!
jorianwoltjer.com/blog/p/hacki...
Post: Mutation XSS: Explained, CVE and Challenge | Jorian Woltjer
Learn how to bypass HTML sanitizers by abusing the intricate parsing rules and mutations. Including my CVE-2024-52595 (lxml_html_clean bypass) and the solution to a hard challenge I shared online
November 27, 2024 at 4:01 PM
Reposted by 0x999
Here is the "writeup". Hope it's clear enough, otherwise ask in comments. Note that there are two paths that will result in XSS. And that the "error path" can be reached in numerous different ways, like alternative 1 and 4.
Alternative 5 hits the "successful path" and can also be used in many ways
November 19, 2024 at 2:59 PM
Just published a new blog post "Exploring Javascript events & Bypassing WAFs via character normalization", check it out: 0x999.net/blog/explori...
0x999's Blog - Exploring Javascript events & Bypassing WAFs via character normalization
November 18, 2024 at 6:07 PM
Reposted by 0x999
We’re finally live! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: youtube.com/watch?v=zOPj...
November 17, 2024 at 11:17 AM
Reposted by 0x999
Some cool new additions at CSPBypass.com by omidxrz

For example:

cspbypass.com#onetrust

<3
CSP Bypass Search
November 17, 2024 at 6:28 PM
I made a little xss challenge based on an upcoming blogpost, if anyone wants to check it out:
xss.0x999.net
Goal:
1. Alert the flag
2. Execute arbitrary javascript
XSS Challenge
November 15, 2024 at 9:15 PM
Hello World
November 14, 2024 at 10:38 AM