YouTube video by renniepak
Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks
For those who missed it, check out my talk, βWidgets Gone Wild: Exploiting XSS through Flawed postMessage Origin Checks.β
πΊ Watch here: www.youtube.com/watch?v=qgB0...
π₯οΈ Follow along with the slides: 0-a.nl/nahamcon/
24.05.2025 19:33 β π 20 π 8 π¬ 1 π 1
The slides and examples for my talk "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks" at NahamCon can be found here: 0-a.nl/nahamcon/
24.05.2025 09:23 β π 8 π 4 π¬ 1 π 0
Confetti: Solution to my Intigriti May 2025 XSS Challenge - Johan Carlsson
Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall
joaxcar.com/blog/2025/05...
20.05.2025 15:59 β π 19 π 6 π¬ 1 π 0
I'm excited to be speaking at #NahamCon2025 on May 23rd!
I'm going to be talking about a bug class that I believe is very undervalued, and will outline a methodology for how to find and exploit it in the wild.
May the bounties rain down upon you!
Details here: www.nahamcon.com
19.05.2025 13:30 β π 9 π 1 π¬ 0 π 0
I think with the race condition 11 is possible with: open(top.x)?
13.12.2024 15:50 β π 7 π 0 π¬ 1 π 0
This is 13 without the race condition, using your cool build up method @terjanq.me:
www.tomanthony.co.uk/temp/joax1.h...
13.12.2024 15:49 β π 7 π 0 π¬ 1 π 0
Within the rules of no framing / no window context, I think we can get down to 64 with:
fetch`/hack.js`.then(r=>r.text()).then(b=>open('javascript:'+b))
13.12.2024 15:29 β π 8 π 0 π¬ 0 π 0
Or if you are 'cheating' and using the run() function on the page then you can do 16:
run(top[0].name)
12.12.2024 18:51 β π 2 π 0 π¬ 2 π 0
If the real case was truly frameable, then you iframe another page on joaxcar.com, and then iframe this one with this 20 character payload:
location=top[0].name
If it isn't frameable, you can do 23 chars:
location=opener[0].name
12.12.2024 18:42 β π 5 π 0 π¬ 2 π 0
I feel the same. I feel like years of Twitter made me much more cautious about what I shared. Trying to get out of that mindset now.
24.11.2024 08:27 β π 2 π 0 π¬ 0 π 0
I'm not sure that it is! But don't know for sure. I'll see if I can crack it this evening, but otherwise I'll ping your way. (Though you need to follow me so I can DM)
22.11.2024 12:48 β π 0 π 0 π¬ 1 π 0
Making lunch and already found one case partially working in the wild on a big target. Ping me a DM on X (@tomanthonyseo) if you want to collab on it! :)
22.11.2024 12:18 β π 0 π 0 π¬ 1 π 0
This is incredible research!
22.11.2024 10:48 β π 2 π 0 π¬ 1 π 0
YouTube video by DEFCONConference
DEF CON 32 - Splitting the email atom exploiting parsers to bypass access controls - Gareth Heyes
In case you missed it...the DEF CON video of my talk 'Splitting the Email Atom' is finally here! π Watch me demonstrate how to turn an email address into RCE on Joomla, bypass Zero Trust defences, and exploit parser discrepancies for misrouted emails. Donβt miss it:
youtu.be/JERBqoTllaE?...
22.11.2024 07:27 β π 95 π 30 π¬ 2 π 0
Iβm here! :)
21.11.2024 18:10 β π 3 π 0 π¬ 0 π 0
This is basically identical to how I hack! Look for the new thing and then see something that looks interesting. Hopefully get far enough that I have a βleadβ and take it from there.
20.11.2024 11:16 β π 2 π 0 π¬ 0 π 0
Hacker and bug bounty hunter mostly focusing on client-side security.
h1-702 Vigilante, h1-65 Eliminator, AWC23 Best New Hacker
Bishop Fox || GoogleVRP (UK): 5th || HackerOne UK Ambassador || AWC UK Hacking Team
Full time bug bounty hunter. Look for βjoaxcarβ on other platforms
Infosec professional, beverage snob, and fantasy book consumer. Vice President @ Atredis Partners. Forever terrified of Kithicor.
Cynical idealist. Digital marketer. Dungeons & Dragons player. Writes over at ianlurie.com. he/him
SEO. ex-Extra Space, ex-Life Storage. I just joined!
She/they; 100% human tech SEO; author of #RichSnippets; Tabaxi/Rogue; Public Speaker; loving auntie; I go down ππ³ & learn in public. Posts are my own nonsense. Zombie of @jammer_volts on Twitter
Global Digital Marketing Lead π | Host of Top 10 rated "Azeem Digital Asks" podcastπ| International Marketing Conference Speaker π£π| Global Awards Judge π | Heavy Circle Lifter πͺπΎ| Views my own ππΎ
I make things, and break things.
He/him. Zurich based, does stuff with computers, goes diving. Whoop whoop!
Avaβs pa. OG blogger/web designer. Automattician. Author, βDesigning With Web Standards,β βTaking Your Talent to the Web,β more. Founder, @alistapart.com, zeldman.com. Formerly abookapart.com, happycog.com, An Event Apart, SVA MFA IXD faculty, more.
Cyber security and some bits and pieces. London
Hacker / Creative
Mischief & GOOD VIBES ONLY
javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'>
https://garethheyes.co.uk/#latestBook
CEO, CISO, Trainer, Hacker, and Speaker.
AI + hacking + sec leadership.
ex:BuddoBot-Ubisoft-Bugcrowd-Fortify-HP-Redspin-Citrix.
Dad, hacker, solo founder of haksec.com and hackercontent.com.
