Gareth Heyes \u2028 (@garethheyes) on X (original) (raw)

• Pinned
  
  In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more.amazon.com/dp/B0BRD9B3GS
  
• 
• 
  Replying to @RenwaX23
  $1000 is that it? Wtf UXSS?!
• 
  Want to know how I approach research? I've written a new ebook called #javascriptforhackers. Learn about DOM hacking, DOM clobbering, prototype pollution, how to fuzz JavaScript to find new behaviours and much more!
• 
• 
  Everyone knows that the RFCs for email addresses are crazy. This post will show without doubt that you should not be following the RFC.
• 
  Universal MXSS. Works in all browsers and is likely to bypass lots of filters because title is both an SVG and HTML tag. Briefly checked DOM Purify and it looked okay.
  
• 
  
• 
  Apparently if you swear at JavaScript you still get an alert(1): #!@*% alert(1)
  
• 
  Replying to @RenwaX23
  I've watched your work for a while. Don't be disheartened. UXSS is an outstanding achievement especially in a modern browser.
• 
  Next time someone says CSS is not a programming language, tell them to disable JavaScript and visit garethheyes.co.uk then explain that 😀
• 
  I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style attributes! Learn how below:portswigger.net/research/inlin…
  
• 
  Found some cool bugs in Firefox using behavioural fuzzing <!-[0x00]- >
  
  
• test haha

Don't miss what's happening

People on X are the first to know.