FD

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2023! portswigger.net/research/top-1…

Google(Chromium) suddenly decided to pay me for a UI Spoofing bug reported 3 years that had been idle, and from reward potential to no potential to potential. Ok thanks?

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2022! portswigger.net/research/top-1…

This #privacy audit looks like the first LeaveHomeSafe #pentest ever, way below commercial apps: Broken SSL validation, SD Card Leaks, 2FA Logic bypass, Screenshot leaks, several Face Recognition artifacts, etc. 7asecurity.com/blog/2022/07/l…

We are organising VXCON on 27 August. Please feel free to submit CFP. vxcon.hk

Confirmed! Masato Kinugawa demonstrated a 3-bug chain of injection, misconfiguration and sandbox escape on Microsoft Teams to earn $150K and 15 Master of Pwn points.

New writing about the story of 3 bug bounty reports in which I chain low severity bugs together for higher impact and less known browser tricks. Includes CSS injection, Self-XSS, Drag-Drop XSS, Cookie Bomb, Login-Logout-CSRF, and more... @renwa/the-underrated-bugs-clickjacking-css-injection-drag-drop-xss-cookie-bomb-login-logout-csrf-84307a98fffa" target="_blank" rel="nofollow noopener">medium.com/@renwa/the-und…

After 5 years of work, security.txt is officially an RFC. I am pleased to announce RFC 9116: rfc-editor.org/rfc/rfc9116. I would like to use this opportunity to thank those who made this possible. Thank you. ❤️

We found a way to spoof ENS domains and were awarded a $15k bug bounty by @ensdomains 👇Check out the write-up @hacxyk/how-we-spoofed-ens-domains-52acea2079f6" target="_blank" rel="nofollow noopener">medium.com/@hacxyk/how-we…

@intigriti F

can we get an "f" in the chat for the hacker that just reported a crit 2 seconds after someone else did? 😔 #duped

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2021! portswigger.net/research/top-1…

New blog post: "What Bypassing Razer's DOM-based XSS Patch Can Teach Us" — edoverflow.com/2022/bypassing….

@garethheyes XSS wordle when?

Apparently if you swear at JavaScript you still get an alert(1): #!@*%
alert(1)

Why do we need NFT on social media??

@luketucker @Hacker0x01 I'll miss you!

Last Friday was my last day at @Hacker0x01. The past 5-years have been the best of my career. I love H1: the mission, my colleagues, and of course the hacker community. Serving as head of community for several years was such a privilege. youtu.be/j_6_qO3SvvQ

@freddyb typeof document.all != "function" && document.all(0)

@terjanq Thanks for the heads up it's back!

hey @filedescriptor your blog blog.innerht.ml seems to be down 😥 Any chance to have it up again? It'd be a bummer to lose such a great resource!

@freddyb @secalert how about top.top self.top parent.top frames.top ...

@garethheyes Also function solve(obj, property){ if(typeof obj != 'function') { obj(property).innerHTML = '<img src=1 onerror="alert(`You win`)">'; } else { alert('You must try harder than that.'); } }

@garethheyes @aynap6 :D

@aynap6 @filedescriptor Haha that’s crazy

<script> function solve(obj, property){ if(typeof obj === 'undefined') { obj[property].innerHTML = '<img src=1 onerror="alert(`You win`)">'; } else { alert('You must try harder than that.'); } } </script> <div id=x></div> Can you solve it?