Kévin Gervot (Mizu)
@mizu.re
About me?
| Website: https://mizu.re
| Tool: https://github.com/kevin-mizu/domloggerpp
| Teams: @rhackgondins, @FlatNetworkOrg, @ECSC_TeamFrance
| From: https://twitter.com/kevin_mizu
A quick update has been made to DOMLogger++ to add / update a few things. It's not a big deal, but it should allow interesting stuff to be done :)

It should be available on the stores in the coming hours.
October 24, 2025 at 1:59 PM
Reposted by Kévin Gervot (Mizu)
My first post for the @ctbbpodcast.bsky.social Research Lab is live.
Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
lab.ctbb.show
September 19, 2025 at 2:28 PM
For the @ASIS_CTF, I created a challenge based on an interesting (novel?) DOM Clobbering technique! 🚩

In short, in non-strict mode, HTMLCollection items are not writable. This blocks property assignment, allowing unexpected values to be created 😄

👉 mizu.re/post/under-t...
September 8, 2025 at 3:10 PM
Reposted by Kévin Gervot (Mizu)
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
portswigger.net
September 3, 2025 at 2:54 PM
DOMLogger++ v1.0.9 is now out and available! 🎉

This update fixes a lot of issues, including the historical DevTools bug on Chromium 🔥

It also brings full Caido session handling, which is going to be useful in the near future! 👀

👉 github.com/kevin-mizu/d...

1/2
September 3, 2025 at 2:34 PM
I've released a DOMLogger++ config that helps detect any replacements occurring in a DOMPurify output by inserting and tracking a canary value at runtime.

I think it highlights how useful DOMLogger++ can be for tracking JS execution :D

👉 github.com/kevin-mizu/d...

1/3
August 25, 2025 at 4:17 PM
Reposted by Kévin Gervot (Mizu)
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
http1mustdie.com
August 6, 2025 at 11:43 PM
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4
July 24, 2025 at 3:31 PM
Reposted by Kévin Gervot (Mizu)
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...
Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter
After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.
gelu.chat
July 4, 2025 at 3:09 PM
I've released my CTF bot template! :D

It's not a big deal, but it comes with a heavily hardened Docker setup. The bot also sends a lot of debugging information over the TCP socket (console logs, navigation), which makes remote debugging much easier! 🔎

👉 github.com/kevin-mizu/b...
May 22, 2025 at 6:03 PM
Reposted by Kévin Gervot (Mizu)
Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall

joaxcar.com/blog/2025/05...
Confetti: Solution to my Intigriti May 2025 XSS Challenge - Johan Carlsson
joaxcar.com
May 20, 2025 at 3:59 PM
Reposted by Kévin Gervot (Mizu)
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓
May 14, 2025 at 1:31 PM
Reposted by Kévin Gervot (Mizu)
Think you’ve seen every OS command injection trick?
Think again, read our latest blog post!
Link in the comments 👇
April 30, 2025 at 12:44 PM
The #FCSC2025 ended yesterday, and my write-ups are now available here 👇

mizu.re/post/fcsc-2025…

Btw, like every year, all the challenges have also been added to hackropole.fr! 🚩

1/2
April 28, 2025 at 4:47 PM
Reposted by Kévin Gervot (Mizu)
Firefox treats multipart/x-mixed-replace like HTML. Chrome doesn’t.
That tiny difference? It can turn a "non-exploitable" XSS into a real one.
Abuse boundary handling, bypass filters, and make your payload land.

thespanner.co.uk/making-the-u...
Making the Unexploitable Exploitable with X-Mixed-Replace on Firefox - The Spanner
In this post, we’ll look at an interesting difference in how Firefox and Chrome handle the multipart/x-mixed-replace content type. While Chrome treats it as an image, Firefox renders it as HTML - some...
thespanner.co.uk
April 25, 2025 at 9:50 PM
This year again, with @bi.tk, we've made the Web challenges 🚩

The CTF is solo and lasts 10 days, if you have some time, please give it a look 😁

Btw, even if you're not doing Web challenges, there are 100+ challenges in various categories, you should find something you like!
April 18, 2025 at 4:35 PM
Reposted by Kévin Gervot (Mizu)
🔥 My Black Hat talk is now live! 🎥

Watch how email parsing quirks turned into RCE in Joomla and critical access control bypasses across major platforms. See how these subtle flaws led to serious exploits!

www.youtube.com/watch?v=Uky4...
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
YouTube video by Black Hat
www.youtube.com
March 20, 2025 at 12:41 PM
Reposted by Kévin Gervot (Mizu)
You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.

portswigger.net/research/sam...
SAML roulette: the hacker always wins
Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library
portswigger.net
March 18, 2025 at 2:57 PM
For this challenge, it was necessary to abuse a discrepancy between the DOM and the rendered page in Firefox's cache handling 💽

👉 bugzilla.mozilla.org/show_bug.cgi...

This allows shifting iframe rendering from one to another, leading to a sandbox bypass 🔥

👉 mizu.re/post/an-18-y...
March 2, 2025 at 5:14 PM
With @gelu.chat, we created a challenge for the @pwnmectf inspired by a bug he found in bug bounty a year ago! 🚀

If you have some time this weekend, give it a try! 👀

👉 pwnme.phreaks.fr
February 28, 2025 at 9:23 PM
DOMLogger++ v1.0.8 is now out and available! 🎉

This update includes several UX improvements, such as syntax highlighting and new shortcuts. Major changes have been made to custom types and several annoying bugs have been fixed 🚀

👉 github.com/kevin-mizu/d...
February 27, 2025 at 4:35 PM
The solution to this challenge is available here: mizu.re/post/explori... :)
February 10, 2025 at 11:21 PM
I'm very happy to finally share the second part of my DOMPurify security research 🔥

This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)!

Link 👇
mizu.re/post/explori...

1/2
February 10, 2025 at 5:57 PM
Thanks to the recent @portswiggerres.bsky.social top 10, I finally found the motivation to finish writing the 2nd article about DOMPurify security! 😁

Before releasing it, I would like to share a small challenge 🚩

Challenge link 👇
challenges.mizu.re/xss_04.html

1/2
February 7, 2025 at 4:34 PM
Reposted by Kévin Gervot (Mizu)
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 3:02 PM