alex
@insertScript
2.1K posts
@[email protected] # https://t.co/liE6hop4OX Array(10).join('a'-1)+ Batman! #Cure53

Joined June 2012
216 Following · 6.7K Followers
alex retweeted
s1r1us (mohan) @S1r1u5_
FFFF the axios thing is bad, almost all node.js projects use it, we use it. didn't want to install some tool with a bunch of deps just to check if our gcloud/docker images are affected, trivy literally got supply-chained two weeks ago lmao built me a small tool. stdlib only, just shells out to docker/gcloud cli. if those are compromised we're all cooked anyway. CHECK YOUR IMAGES. github.com/hacktronai/cull
alex @insertScript
@AmirMSafari Well I learned a lot trying to solve this challenge. But mainly I was reconfirmed that @kinugawamasato is basically living in browsers. Took him 1 hour 11 minutes to solve it (assuming he read my message sharing this challenge frame-perfect)
alex @insertScript
@shhnjk Hm does that work with img and alt text as well 🤔 Would be funny especially when you have full control of the remote image
Jun Kokatsu @shhnjk
Pro tip: You can hide an indirect prompt inside a markdown link using the title. This works in sites like GitHub. `[Text](URL "Title")`
alex @insertScript
Again just a quick JS PoC (nothing new, just some PoC to try it): JS Array length of 4294967295, and push vs [][length]=value behavior. Push fails, assignment works but length value isn't increased anymore. Don't really see how this can be abused. insert-script.com/examples/javas…
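The behaviour described in the post above, written out as an added example (this is not the code from the original tweet or from insert-script.com). It puts the observations in a return value so they can be checked; the function name is my own.

```javascript
// Added example: exercise the 2^32 - 1 Array length limit described in the tweet.
const MAX_ARRAY_LENGTH = 4294967295; // 2**32 - 1, the largest legal Array length

function probeMaxLengthArray() {
  const arr = [];
  arr.length = MAX_ARRAY_LENGTH; // legal: a sparse array, no element storage is allocated

  // push() writes the element at index `len` and then sets length to len + 1.
  // 4294967296 is not a valid Array length, so the length update throws RangeError.
  let pushError = null;
  try {
    arr.push('via-push');
  } catch (e) {
    pushError = e;
  }

  // Direct assignment to arr[4294967295] succeeds, but 4294967295 is not an
  // "array index" (those are < 2^32 - 1), so it is stored as an ordinary
  // property and length is left unchanged.
  arr[arr.length] = 'via-assignment';

  // Explicitly growing length past the maximum throws as well.
  let lengthError = null;
  try {
    arr.length = MAX_ARRAY_LENGTH + 1;
  } catch (e) {
    lengthError = e;
  }

  return {
    pushThrewRangeError: pushError instanceof RangeError,
    lengthAfterPush: arr.length,                       // still 4294967295
    storedValue: arr[MAX_ARRAY_LENGTH],                // 'via-assignment'
    hasOwnKey: Object.prototype.hasOwnProperty.call(arr, String(MAX_ARRAY_LENGTH)),
    ownKeys: Object.keys(arr),                         // ['4294967295']
    lengthGrowThrewRangeError: lengthError instanceof RangeError,
  };
}

console.log(probeMaxLengthArray());
```

Note that iteration helpers such as forEach or indexOf never reach the extra element, since they only visit indices below length (and walking 2^32 - 1 indices would take a very long time).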
alex retweeted
Nadim Kobeissi @kaepora
Your chance to be part of a historic event for cryptography education in the Levant is still open! The CFP for Cedarcrypt, the most ambitious and exciting cryptography event in the Levant region in recent memory, has a deadline of April 10 and we still have room in the program. If you've been meaning to submit a talk, workshop, or research presentation, now's the time. We want hands-on workshops, lectures on both foundational and real-world topics, and research talks including work in progress. Topics range from post-quantum crypto and ZK proofs to secure implementation and protocol verification. We're also still actively seeking sponsors. Sponsorship funds student stipends directly — it's how we make the event accessible to grad students and early-career researchers worldwide. If your organization is in this space, let's talk. Accepted speakers get travel support, free registration, and accommodation help. July 13–16, Paphos, Cyprus. Join us in making a real difference in how real-world cryptography is taught in the Levant! Come meet and engage with excited new students! cedarcrypt.org
alex @insertScript
@rebane2001 The only solutions I can think of: Overwrite the prototypes - Number or Object use document.all as the one exception. Afaik no symbols are utilized sadly for this operator.
Rebane @rebane2001
js trivia challenge! you can write anything on line one, how are you getting the flag? i originally wanted to make this into a ctf chall, but it's a bit too "win by knowing 1 obscure trick" to be good
Rebane tweet media
alex @insertScript
@garethheyes Given how much you always implement in your lunch time - do you eat with one hand and program with the other? :-D
Gareth Heyes @garethheyes
Last night I added GZip and Deflate compression to Hackvertor. I also improved the autodecoder to detect it. Yesterday on my lunch I added autocompletion for HackPad and fixed a bunch of bugs. hackvertor.co.uk/urls/31
alex @insertScript
@zhero___ First AmirMSafari publishes an interesting parsing quirk of qs - you are going to (hopefully) publish a report about a new cross-site data exfiltration technique. I like the start of the year :-D
zhero; @zhero___
spent hours exploring different approaches to improve the exploit and the result is quite promising; report updated. I take this opportunity to wish Ramadan Mubarak to my fellow believers, enjoy it fully!
zhero; @zhero___ (quoted post):

can merely visiting a website lead to cross-site data exfiltration from any site without user interaction? a "minimal" PoC has been validated, successfully exfiltrating, as a demonstration, the victim’s Gmail address. Report submitted, hoping to provide more details soon.
alex @insertScript
@LiveOverflow hahaha that's just awesome xD
alex retweeted
Justin Gardner @Rhynorater
Chrome auto decodes all url-encoded, non-special characters in the URL for the user. This can be annoying when you're trying to sneak a payload in that looks a little weird. You can bypass this by adding %ff anywhere in the URL.
alex retweeted
Nadim Kobeissi @kaepora
Come be part of Cedarcrypt, our historic new initiative to grow cryptography research, development and representation in the Levant region! For too long, the global cryptography community has concentrated its major events in a handful of locations, leaving entire regions underrepresented in the conversations that shape our digital future. Cedarcrypt is here to change that. This July 13-16, 2026, we're bringing together researchers, practitioners, and students at the American University of Beirut - Mediterraneo campus in Paphos, Cyprus, for four days of intensive learning, knowledge sharing, and community building. From secure messaging protocols to post-quantum cryptography, from zero-knowledge proofs to formal verification, Cedarcrypt aims to cover the full spectrum of applied cryptography. Cedarcrypt is about planting a flag and telling the world that real cryptography work can and does emerge from our region. Cedarcrypt aims to create a space where the next generation of cryptographers from the Levant and beyond can learn from established experts, present their own research, and forge connections that will shape their careers. We need you to make this happen. We're seeking workshop leaders to teach hands-on skills, lecturers to share foundational and cutting-edge knowledge, and researchers to present their latest work. Whether you're a seasoned professor or an early-career researcher with fresh ideas, there's a place for you at Cedarcrypt. This is the first edition of what we intend to become an annual tradition. Come be part of our history! Help us build something that will inspire and empower cryptographers for years to come. Our call for proposals is open: submit your workshop or talk, or simply learn more about Cedarcrypt at cedarcrypt.org!
alex retweeted
zhero; @zhero___
Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit zhero-web-sec.github.io/research-and-t… Enjoy the read
zhero; tweet media
alex retweeted
GMO Flatt Security Inc. @flatt_sec_en
We've published a new blog post by RyotaK @ryotkak He discovered 8 methods to bypass safety mechanisms in Claude Code, leading to arbitrary command execution. We recommend updating to v1.0.93 or later to fix this vulnerability (CVE-2025-66032). flatt.tech/research/posts…
alex @insertScript
@nitzukai Maybe the G502 X LIGHTSPEED? The G502 series still has some unnecessary buttons (at least you can remove the big one at the left side) but I never press them accidentally^^
nitzu 🫧 @nitzukai
how does this have 1k comments
nitzu 🫧 @nitzukai
why is the mouse industry so fucked up? why can't I find a mouse that:
- does not look like a RGB gaming rig
- doesn't have a ton of buttons on it
- is wireless
- has a good build quality which doesn't have a scroll wheel that dies within 2 months
- is not MX Master