Kévin Gervot (Mizu)
@mizu.re
About me?
| Website: https://mizu.re
| Tool: https://github.com/kevin-mizu/domloggerpp
| Teams: @rhackgondins, @FlatNetworkOrg, @ECSC_TeamFrance
| From: https://twitter.com/kevin_mizu
A quick update has been made to DOMLogger++ to add / update a few things. It's not a big deal, but it should allow interesting stuff to be done :)

It should be available on the stores in the coming hours.
October 24, 2025 at 1:59 PM
For the @ASIS_CTF, I created a challenge based on an interesting (novel?) DOM Clobbering technique! 🚩

In short, in non-strict mode, HTMLCollection items are not writable. This blocks property assignment, allowing unexpected values to be created 😄

👉 mizu.re/post/under-t...
September 8, 2025 at 3:10 PM
Small teaser for Caido users :)

2/2
September 3, 2025 at 2:34 PM
DOMLogger++ v1.0.9 is now out and available! 🎉

This update fixes a lot of issues, including the historical DevTools bug on Chromium 🔥

It also brings full Caido session handling, which is going to be useful in the near future! 👀

👉 github.com/kevin-mizu/d...

1/2
September 3, 2025 at 2:34 PM
For example, using this configuration, it is possible to retrieve the @masatokinugawa.bsky.social CVEs in TinyMCE.

👉 subdomain1.portswigger-labs.net/xss/xss.php?...

2/3
August 25, 2025 at 4:17 PM
I've released a DOMLogger++ config that helps detect any replacements occurring in a DOMPurify output by inserting and tracking a canary value at runtime.

I think it highlights how useful DOMLogger++ can be for tracking JS execution :D

👉 github.com/kevin-mizu/d...

1/3
August 25, 2025 at 4:17 PM
Each library page includes:

* Affected versions
* A short description
* Root cause of the gadget
* Related links
* Credit to the discoverer
* And even a preview button to play with the gadget live!

3/4
July 24, 2025 at 3:31 PM
The wiki lets you filter gadgets by browser, tags, attributes, CSP, and timing, making it as easy as possible to find interesting vectors (at least I hope so!) 🔎

2/4
July 24, 2025 at 3:31 PM
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4
July 24, 2025 at 3:31 PM
I've released my CTF bot template! :D

It's not a big deal, but it comes with a heavily hardened Docker setup. The bot also sends a lot of debugging information over the TCP socket (console logs, navigation), which makes remote debugging much easier! 🔎

👉 github.com/kevin-mizu/b...
May 22, 2025 at 6:03 PM
The #FCSC2025 ended yesterday, and my write-ups are now available here 👇

mizu.re/post/fcsc-2025…

Btw, like every year, all the challenges have also been added to hackropole.fr! 🚩

1/2
April 28, 2025 at 4:47 PM
This year again, with @bi.tk, we've made the Web challenges 🚩

The CTF is solo and lasts 10 days. If you have some time, please give it a look 😁

Btw, even if you're not doing Web challenges, there are 100+ challenges in various categories; you should find something you like!
April 18, 2025 at 4:35 PM
For this challenge, it was necessary to abuse a discrepancy between the DOM and the rendered page in Firefox's cache handling 💽

👉 bugzilla.mozilla.org/show_bug.cgi...

This allows shifting iframe rendering from one to another, leading to a sandbox bypass 🔥

👉 mizu.re/post/an-18-y...
March 2, 2025 at 5:14 PM
With @gelu.chat, we created a challenge for the @pwnmectf inspired by a bug he found in bug bounty a year ago! 🚀

If you have some time this weekend, give it a try! 👀

👉 pwnme.phreaks.fr
February 28, 2025 at 9:23 PM
DOMLogger++ v1.0.8 is now out and available! 🎉

This update includes several UX improvements, such as syntax highlighting and new shortcuts. Major changes have been made to custom types and several annoying bugs have been fixed 🚀

👉 github.com/kevin-mizu/d...
February 27, 2025 at 4:35 PM
The solution to this challenge is available here: mizu.re/post/explori... :)
February 10, 2025 at 11:21 PM
Thanks to the recent @portswiggerres.bsky.social top 10, I finally found the motivation to finish writing the 2nd article about DOMPurify security! 😁

Before releasing it, I would like to share a small challenge 🚩

Challenge link 👇
challenges.mizu.re/xss_04.html

1/2
February 7, 2025 at 4:34 PM