jorianwoltjer.com
Jorian
@jorianwoltjer.com
Normalize being weird.
(5/5) For Client-Side Race Conditions based on network requests, you can slow down time by holding up the Connection Pool. Then slowly release them one by one, performing any actions you need in between with 100% consistency.
October 17, 2025 at 8:43 AM
(4/5) Form input history is restored on history.back() even if the HTML changed in the meantime.
For inputs without a form, that means you can hijack it into your own form with a form= attribute as an exception. From there you could submit your form to leak it.
October 17, 2025 at 8:43 AM
(3/5) Script gadgets inside an <iframe srcdoc> that require URL parameters can be set using a <meta http-equiv="refresh"> redirect to about:srcdoc. It reloads the document with the new URL while keeping its content.
October 17, 2025 at 8:43 AM
(2/5) With a strict CSP, .click() gadgets can be very useful for things like:
* Opening the attacker's website with <a target="_blank">
* Submitting a form for CSRF
* Performing actions on the site to trigger other behavior
October 17, 2025 at 8:43 AM
AMAZING technique by @salvatoreabello, I've been inspired by the connection pool exploits he comes up with.
Check out this crazy impact labeled as "working as intended":
blog.babelo.xyz/posts/cross-...
September 18, 2025 at 9:14 PM
Forgot to add what we leak, this is the result:
September 16, 2025 at 10:42 AM
On our attacker's page, we load this in an iframe and can then access [0] to get a reference to our injected object. To read its name, we can set its location to *our* about:blank and then read the .name window property (set by the attribute)!
September 16, 2025 at 8:08 AM
While playing a challenge by Salvatore Abello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP.
All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should be iframable.
September 16, 2025 at 8:08 AM
Final exploit code:
gist.github.com/JorianWoltje...
Thanks Omid for sharing this challenge!
September 13, 2025 at 6:10 AM
We first duplicate our page, then navigate the first tab to the target. From our 2nd tab, the iframe can now access `top.opener` to send a message to the target. Quickly after, the parent removes the iframe and the `event.source` becomes `null`.
September 13, 2025 at 6:10 AM
@omidxrz.bsky.social shared this nice postMessage() challenge some time ago.
I'm a bit late, but worth trying if you haven't already :D
Otherwise, my solution is below, it's a really fun technique that makes me re-evaluate all the .source checks I've seen before...
September 13, 2025 at 6:10 AM
Just found an interesting way to bypass some nonce-based CSPs and made a small XSS challenge with an exploitable scenario. See if you can find it before I tell!
Source JS:
gist.github.com/JorianWoltje...
URL:
greeting-chall.jorianwoltjer.com
Found a solution? Please DM to avoid spoilers, thanks!
June 30, 2025 at 6:34 AM
Small tip for the JavaScript reverse engineers out there, Chrome has a `debug()` function which triggers a breakpoint whenever its first argument is called. It even works on built-in methods, no more wrapping stuff in proxies :D

debug(DOMParser.prototype.parseFromString)
June 13, 2025 at 9:55 AM
It uses the "Tagged Templates" syntax like t`...` and automatically escapes any interpreted variables, as well as supporting nesting/arrays.
Here's an example showing its usage:
June 2, 2025 at 12:26 PM
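The auto-escaping tagged template described in the post above, as an added example that is not the library the post refers to: a minimal `t` tag that escapes interpolated values, passes nested `t` results through untouched, and flattens arrays (the `SafeHtml` wrapper and the sample values are assumptions).

```javascript
// Added example (not the library from the post): a minimal HTML-escaping
// tagged template `t`. Interpolated values are escaped as text, nested
// t`...` results are already safe and pass through, arrays are rendered
// element by element.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker class: output of t`...` is already safe and must not be re-escaped.
class SafeHtml {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Render one interpolated value: nested SafeHtml passes through, arrays are
// rendered item by item (so `list.map(x => t`...`)` works), null/undefined
// become empty, everything else is escaped.
function render(value) {
  if (value instanceof SafeHtml) return value.html;
  if (Array.isArray(value)) return value.map(render).join("");
  if (value === null || value === undefined) return "";
  return escapeHtml(value);
}

function t(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += render(values[i]) + strings[i + 1];
  }
  return new SafeHtml(out);
}

// Constructed sample: attacker-controlled name plus a list of user tags.
const userName = "<img src=x onerror=alert(1)>";
const tags = ["a&b", "<script>"];
const page = t`<h1>Hi ${userName}</h1><ul>${tags.map((x) => t`<li>${x}</li>`)}</ul>`;
console.log(page.toString());
```

This only makes text and quoted attribute values safe; interpolating into a `<script>` body, an event handler or a URL scheme still needs context-specific handling.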
This includes a fun trick with User Activation. It can be used to detect when actions like shortcuts and clicks happen inside cross-origin iframes:
May 21, 2025 at 12:20 PM
While collecting some HTML-Injection techniques, I thought of an interesting way to abuse existing <form>s when XSS isn't an option.
You can inject <input>s with form= pointing to the form's id= to add params, and make a <button> with form= and formaction= to change its action.
May 9, 2025 at 6:57 AM
@renwax23.bsky.social made an interesting challenge (x.com/RenwaX23/sta...).
Instead of right-click and open in new tab, I found you can also use drag-and-drop into a popup window to achieve the same effect! With CSS you can make it convincing like clickjacking:
gist.github.com/JorianWoltje...
March 6, 2025 at 8:03 PM
Here's a way to exploit `eval(name)` on Firefox without user interaction:
March 3, 2025 at 7:04 PM
In the final payload, we just write "\n{}*{color:red}" as a comment on any blog post, then refer to it in `request.path` with `>;rel=stylesheet;` injected. This will cause the injected comment to be executed as CSS on the response page!
February 11, 2025 at 9:49 PM
The website had a comment feature on blog posts, which we can inject CSS code into. The parser is very lax and any broken statements can be closed with just a \n and {}. Then we can write arbitrary CSS to leak content on the response page using regular CSS Injection techniques.
February 11, 2025 at 9:49 PM
I recently found a pretty interesting attack on a friend's website where the `Link:` response header was automatically set to the requested path:
February 11, 2025 at 9:49 PM
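The `Link:` header problem from the thread above, as an added example that is not the affected site's code: a builder that interpolates the raw request path (so `>;rel=stylesheet;` in the path adds a second relation) next to a hardened builder that rejects CR/LF and percent-encodes the characters that carry structure inside the header. The `rel=canonical` value, the helper names and the sample paths are assumptions.

```javascript
// Added example, not the site's own code. Shows why building a Link header
// from the raw request path is injectable and one way to harden it.

// Vulnerable: the path lands in the header verbatim, so a path containing
// `>;rel=stylesheet;` closes the URL part and injects its own relation.
function buildLinkHeaderUnsafe(path) {
  return `<${path}>; rel=canonical`;
}

// Hardened: require an absolute path (not scheme-relative), refuse control
// characters outright, and percent-encode every character that has meaning
// inside a Link header value (`<`, `>`, `;`, `,`, quotes, whitespace, `\`).
// Returns null when the path is rejected so the caller can skip the header.
function buildLinkHeaderSafe(path) {
  if (typeof path !== "string" || !path.startsWith("/") || path.startsWith("//")) return null;
  if (/[\r\n\0]/.test(path)) return null; // never let a line break reach a header
  const encoded = path.replace(/[<>;,"' \t\\]/g,
    (ch) => "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
  return `<${encoded}>; rel=canonical`;
}

// Minimal reading of a single Link member the way a consumer would: the URL
// ends at the first `>`, parameters follow separated by `;`, first rel wins.
function firstRel(header) {
  const end = header.indexOf(">");
  for (const param of header.slice(end + 1).split(";")) {
    const m = /^\s*rel\s*=\s*"?([\w-]+)/.exec(param);
    if (m) return m[1];
  }
  return null;
}

// Constructed sample: a blog post path carrying the injection from the thread.
const injectedPath = "/blog/1>;rel=stylesheet;";
console.log(buildLinkHeaderUnsafe(injectedPath), "->", firstRel(buildLinkHeaderUnsafe(injectedPath)));
console.log(buildLinkHeaderSafe(injectedPath), "->", firstRel(buildLinkHeaderSafe(injectedPath)));
```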
I made an XSS challenge for Intigriti this month, good luck and have fun!
x.com/intigriti/st...
December 11, 2024 at 3:04 PM
Apparently, navigating to a javascript: URL returning a string will write it as HTML to the DOM. This allows for an interesting XSS payload:
x.com/icesfont2/st...
December 5, 2024 at 11:52 AM
My challenge has been out for about a week with only one half-intended solution, so here's my solution!
November 27, 2024 at 4:02 PM
I've been closely following the awesome Mutation XSS research that's been coming out, and have found some tricks of my own.
Below is a challenge from me to you. This code removes comments, dangerous text nodes and all attributes. Bypass the filter to achieve XSS. Good luck!
November 20, 2024 at 12:29 PM