A DOMPurify-allowed style tag chained with a Google Ads sandbox reflection turned a harmless HTMLi into an OAuth-token leak. $9,700 in bounties, full exploit code.

A parser disagreement between SMTP servers and MySQL casts puny-coded characters back to ASCII — turning a forgot-password flow into a 0-click account takeover.

My new research
Escalation of Self-XSS to XSS using modern browser capabilities.
https://t.co/aYKhHAeCcq

I’m a web guy, so I usually don’t work on non-web applications since my mind doesn’t do binary. With the help of my friend for reverse engineering, I managed to uncover some CVEs. It was very challenging for me, hope you like it:

https://t.co/xRRCoO8JFP

If a CSPT bug can't be exploited on the same origin, you can pivot it to another one. Cloudflare Image Transform can act as a cross‑origin gadget to reach more sensitive endpoints on different origins - you can read more about it here ;)

https://t.co/jOQOkpdHVJ

Hey everyone! I’ve been building rep+, a lightweight HTTP Repeater inside Chrome DevTools. No proxy setup or certificates. Just open DevTools and start poking requests. It also has built-in AI for explanations and attack ideas. I’ll share one rep+ feature…

While playing a challenge by @salvatoreabello, I found a pretty interesting way to exploit Dangling Markup with a strict CSP.
All you need is an <iframe>, <object> or <embed> set to about:blank, with a dangling name= attribute. This vulnerable page should…

This is the most reliable public detection (at this time) to indicate whether a machine is actually exploitable to CVE-2025-55182 / React2Shell without invoking the RCE and limited FP's.

it triggers an internal error and validates the vulnerable version…

A character-strip filter on a login redirect, chained with the Google Identity Services SDK, escalated to a fully-automatic account takeover.

The ultimate reading list for bug bounty hunters. Discover curated articles and resources, track your progress, and stay ahead in cybersecurity.

For the past year, I've been using a private wordlist generated from actual bug bounty reports.

I grabbed disclosed report texts by simply appending .json to the report URLs (as shown below) and fed them into fallparams to mine parameters from the included…

بریم با امیرعلی صحبت کنیم ببینیم چطوری با دوستاش ۹۰۰۰ دلار بانتی زدن، خودم راضی بودم از گفت‌گو، اگه شما هم با این سبک اوکی هستین بیشترش کنم، دمتون گرم

Two CSRF scenarios that bypass content-type-based defenses; a FastAPI quirk where a missing Content-Type means JSON, and a Chromium-only safelist entry that skipped CORS preflights and powered an Apollo Server XS-Leak (since patched).