Matan Berson

Just released my blog post "Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs"! It's about a very impactful and technically interesting client-side bug I found in a major NFT site. matanber.com/blog/4-char-cs…

In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more. amazon.com/dp/B0BRD9B3GS

@H4R3L Ngl I cooked with this one

@MtnBer made me a new profile pic :)

This is genius

@j_zere Nice bug! It’s always fun to read about creative chains like this

Just published my first blog post "Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover" You can read the full write-up here: zere.es/posts/cache-de…

@sudhanshur705 @kl_sree @sivaneshashok Congrats on the bug and thanks for the kind words in the post🙂

Last year I found a XSS bug in Google IDX here's a detail writeup about it. Hope you will enjoy it's kinda lengthy :p Shoutouts to @MtnBer for finding the original bug in Gitlab and @kl_sree @sivaneshashok for the required chains to complete the exploit. sudistark.github.io/2025/07/02/idx…

I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4

Just found an interesting way to bypass some nonce-based CSPs and made a small XSS challenge with an exploitable scenario. See if you can find it before I tell! Source JS: gist.github.com/JorianWoltjer/… URL: greeting-chall.jorianwoltjer.com Found a solution? Please DM to avoid spoilers, thanks!

@rebane2001 @ProtonMail Yep, I got $600 for a 1-click session takeover which is weird considering their whole brand is being privacy-focused. At least the security team was nice to work with

the @ProtonMail bug bounty rewards are incredibly low!? if you're a greyhat with a data leak bug you're NOT gonna take the $200 from proton when you could make literally 100x that selling it to someone with questionable ethics that hates journalists

[2/2] Meaning that if you have a file write and can't control the extension and the extension doesn't correlate to any Content-Type (let's say .abc), you can add .html to the file name (filename.html.abc) and httpd will serve it as text/html

The vector: <svg><title><![CDATA[--></title><img src onerror=alert(1)>]]>

@deryilz @PwnFunction It is! I read your writeup when I was working on this bug, it was very helpful

@PwnFunction @MtnBer very cool! i remember reading the bug report for this when it came out. maybe a little similar to 0x44.xyz/blog/cve-2023-… ?

New video! XSS like you’ve never seen before youtube.com/watch?v=RLyhPG… Huge thanks to @MtnBer

@itz_mg_ @PwnFunction Haha thanks Mukul!

@PwnFunction @MtnBer my goat @MtnBer

@ITSecurityguard @PwnFunction @PwnFunction The people have spoken

@PwnFunction @MtnBer that was awesome!

I’m in a pwnfunction video! Check it out, it’s very well made and the vulnerability chain is quite unique youtube.com/watch?v=RLyhPG…

The legendary @joaxcar made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx. Check out the writeup below: jorianwoltjer.com/blog/p/hacking…

Got back last week from Tokyo🇯🇵 where I caught @renbou & @Slonser's talk with @kumavis_ Being part of the web/browser/JavaScript security niche from the perspective of crypto wallets specifically, felt like a talk to not miss Here's what I learned 🧵 x.com/neploxaudit/st…

@J0R1AN @xdeludnard @XssPayloads Ahh I see, I didn’t know firefox cleared the name. That’s a neat bypass then

@xdeludnard @MtnBer @XssPayloads ^^ Exactly right, if you test your naive approach it won't work on Firefox. The method I (and 0x999) shared both don't require interaction, the popup blocker doesn't block these because it overwrites the current window.

A cross-origin payload that exploits eval(name) for FF by @J0R1AN window.open("example.com/?xss=eval(name)", "alert(origin)");