Automating DOM XSS Discovery

📅 Nov 4, 2021 · ☕ 9 min read

How to automate DOM XSS discovery using semgrep and a single Python script.

---

Mitigation schmitigation: Control HttpOnly cookies through XSS

📅 Aug 16, 2021 · ☕ 4 min read

How HttpOnly can be beaten with XSS

---

Fuzz the Unfuzzable

📅 Aug 10, 2021 · ☕ 7 min read

4 useful ways to fuzz stuff that many people would consider 'unfuzzable'.

---

Cheatsheet: XSS that works in 2021

📅 Feb 7, 2021 · ☕ 5 min read

XSS Cheatsheet for 2021 and onwards.

---

Escape Static Website Dependency Hell with Hugo

📅 Jan 31, 2021 · ☕ 8 min read

Static website dependency hell and how Hugo can help you escape from it.

---

Breaking Python 3 eval protections

📅 Jan 16, 2021 · ☕ 7 min read

How Python 3's eval works and how to abuse it from an attacker perspective to evade its protections.

---

100% evasion - Write a crypter in any language to bypass AV

📅 Feb 6, 2020 · ☕ 13 min read

Design & Implementation of a crypter in any language, using Xencrypt (Powershell) as an underlying example.

---

Actual XSS in 2020

📅 Feb 1, 2020 · ☕ 6 min read

XSS Cheatsheet for 2020.

---

Tradecraft - This is why your tools and exploits get detected by EDR

📅 Jan 11, 2020 · ☕ 5 min read

Common reasons why payloads get picked up by EDRs.

---

Minitip - Stored XSS through SVG

📅 Jan 9, 2020 · ☕ 1 min read

How to find persistent XSS through SVG files.

---