sebsrt

I’ve been digging into HTTP Trailers and found some new smuggling techniques: sebsrt.xyz/blog/trailing-…

And this makes sense given how many CTFs are held per year. However, the ideal CTF challenge, in my opinion, should follow this formula: "The author conducted a mini-research project and instead of publishing it, turned it into a challenge."

@EvanKlein338226 Ty, code review only

@s3bsrt Solid writeup! Deserialization vulns in JS frameworks are often overlooked. Did you find this through code review or fuzzing?

Just published the writeup on qwik's deserialization RCE: sebsrt.xyz/blog/a-qwik-rc…

@f0ur0four Gg!

Thank you for organizing the ctf and putting together such high quality challenges!

I found an interesting RCE due to unsafe deserialization in qwik js framework. I'll post the writeup analysis github.com/QwikDev/qwik/s…

@Blackstone0123 Yes basically, with a kID that makes it return an undefined signing key. This is the poc github.com/sebastianosrt/…

@s3bsrt So edit the token, alg to none, and sub to victim Google account id lead to account takeover on any website using Google Auth, right?

See you in Japan!

@siunam321 Thank you mate!

Go check out my friend @s3bsrt research on HTTP request smuggling! Super cool stuff in there 🔥🔥🔥

@deadvolvo Let us know if you find something cool😁

Added some of @s3bsrt logic to my fuzzing tool. Let's see if we find anything cool. 😁

@deadvolvo Thank you!

@s3bsrt This is really cool, and similar to some techniques I've written about before but you are using a slightly different method for getting those trailing headers to be accepted during "normalization." Really interested man, great work s3b. 🔥

I’ve been digging into HTTP Trailers and found some new smuggling techniques: sebsrt.xyz/blog/trailing-…

Hello! We’ve just launched a new wargame site called damn vulnerable web! It consists only of web challenges, primarily designed for intermediate to advanced players rather than beginners. We hope this wargame helps more people gain deeper and broader knowledge in web hacking :) For now, we’re planning to accept only 300 users initially for open beta testing and capacity checks. Starting from this tweet, we’ll gradually increase the number of allowed sign-ups each week. Your interest and support will be a huge help to our future activities We’ll do our best to deliver even better work going forward. Thank you! Wargame site: wargame.rewritelab.org Join our Discord: discord.gg/wYAm2n4M4J

@zhero___ @inzo____ 🔥🔥

Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit zhero-web-sec.github.io/research-and-t… Enjoy the read

@zhero___ @inzo____ @astrodotbuild 🔥

release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525: Astro framework and standards weaponization from path-based middleware protection bypass to potential SSRF & XSS + full bypass of CVE-2025-61925 on @astrodotbuild zhero-web-sec.github.io/research-and-t…

@tepelchen501 very cool challenge!

誰か解いて〜〜〜〜 Infobahn CTF 2025: 2025.infobahnc.tf

TR.MRG HTTP Request Smuggling? author writeup for Trailing Danger - m0lecon 2026 teaser CTF 👉github.com/sebastianosrt/… I'll share more about trailer fields parsing vulnerabilities soon.

The watchTowr Labs team is back, providing our full analysis of the Oracle E-Business Suite Pre-Auth RCE exploit chain (CVE-2025-61882). Enjoy with us (or cry, your choice..) labs.watchtowr.com/well-well-well…

@J0R1AN 🔥

Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!

@intigriti ';alert()// htmlspecialchar escapes ' only when ENT_QUOTES is set

Can you pop an alert? 😎