Gareth Heyes (@garethheyes)'s Twitter Profile

JavaScript for hackers: Learn to think like a hacker. https://t.co/e0aNEbEDk5

ID:16879627

https://garethheyes.co.uk/#latestBook

21-10-2008 02:23:43

15,2K Tweets

32,4K Followers

1,2K Following

Tib3rius (@0xTib3rius)

I am currently looking for a remote, US-based, webapp-focused pentesting position. Though I'm not in a hurry, I understand how long interview processes can be.

If you're looking for a candidate with over 12 years experience in the industry, plus the ability to effectively

Mikhail Shcherbakov (@yu5k3)

We just pushed a collection of Server-Side Prototype Pollution gadgets to GitHub: 25 in Node.js, 57 in Deno standard libraries, and 55 in NPM packages github.com/KTH-LangSec/se… Follow the repo for upcoming Node.js updates. Enjoy digging into this on your Friday! More in🧵👇

Andrej Šimko (@andrejsimko1)

I've created a web application for people to try out complex session management and Macros in Burp Suite.
github.com/Hipapheralkus/…
It comes with a recording of live video explanations and how-to youtube.com/watch?v=mM3LR9…
Mastering Burp Suite Pro PortSwigger

Gareth Heyes (@garethheyes)

I've improved the duplicate algorithm in Shazzer to highlight the results even if only one browser differs.

shazzer.co.uk/vectors/662012…

Johan Carlsson (@joaxcar)

Two new DOM sinks to add to any sink list:

setHTMLUnsafe
parseHTMLUnsafe

the first one might start to replace some instances of innerHTML. After Chrome 124 it works in all browsers

Gareth Heyes (@garethheyes)

I know you don't like surveys but if you want to see Hackvertor in native Burp please fill it in!

usabi.li/do/a5a9593efa0…

Gareth Heyes (@garethheyes)

Shazzer now collapses fuzz results when they are the same. Thanks to Thomas Orlita for the feature request.

shazzer.co.uk/vectors/661c01…

Gareth Heyes (@garethheyes)

I absolutely love NextJS and Vercel. I can make an app in a matter of days and deploy it, they even have a preview environment and it all works via Github branches and deploys on push 🤯 they have solved everything I used to hate about app development. I wish I used this years ago

Gareth Heyes (@garethheyes)

I've built a brand new version of my fuzzing tool Shazzer🚀

shazzer.co.uk

- Easy fuzz browser behaviour
- Find bugs
- Share the results with the world

Gareth Heyes (@garethheyes)

Shazzer will now highlight the differences in behaviour between browsers. If one does something different it will be highlighted in red.

shazzer.co.uk/vectors/661643…

Gareth Heyes (@garethheyes)

New version of Shazzer just dropped 🚀
This release fixes a number of bugs and allows you to fuzz another browser instantly by copying fuzz URL using the button

Straw Hat (@0xStrawHat)

I just finished all the DOM-based labs on Web Security Academy. 🏴‍☠️

This is my favorite topic with the best labs so far. 💯

Tip:
If you want to understand and solve DOM clobbering without hints, use leanpub.com/javascriptforh… from Gareth Heyes

Dane Sherrets (@DaneSherrets)

I am pushing myself to learn more in public this year and am excited to share my first ever writeup about a vulnerability I found in a verification system used by Worldcoin.

I'll also share a script for finding similar bugs

1/n

medium.com/@gonzo-hacks/t…

Gareth Heyes (@garethheyes)

Further Shazzer changes
- Added the ability to run code after the fuzz
- Added $[j] placeholder to get the second loop iteration
- Click to view data now shows all the values
- Allowed use of placeholders in HTML fuzz types

Gareth Heyes (@garethheyes)

There appears to be some arbitrary limit of scripts when rendered in Chrome. It's the only plausible explanation for the other bug I'm looking into. Users seem to like <script> in the XSS vectors. If I give people the option to exec script after page load that could be better.
