Hello, my friends.

This blog post showcases why fundamental code security is essential for an application despite all hardening measures applied in the underlying infrastructure.

We detail several practical client-side attacks that can result from DNS poisoning observed for domains hosted in China. These attacks impact every domain on the Internet that uses a nameserver located in China, and it's estimated that more than 30 million…

Contribute to waf-bypass-maker/waf-community-bypasses development by creating an account on GitHub.

Explore OAuth vulnerabilities: `redirect_uri` manipulations, state parameter misconfigurations, real-world attacks, and prevention tips

1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies - zendesk.md

Retr0's Threat Research

XSS has been around forever, but Mutation XSS (MXSS) makes it even trickier to stop even with all the defenses! In this video, we’ll break down why server-side sanitizers keep failing when it comes to handling browser quirks and parsing inconsistencies. From…

Sanitizing HTML is harder than it seems with MXSS! In the last video, we talked about the challenges of server-side sanitization, and now we’re diving into why client-side sanitization is just as difficult. We'll break down the issues, including the round…

بسم الله الرحمن الرحيم

Hello Guy’s, I’m rood bug bounty hunter and this first English writeup for me

Execute invisible JavaScript by abusing Hangul filler characters.

An Introductory Guide for finding Bugs with JavaScript Static Analysis

As a software engineer, you must be familiar with information security. In your work projects, you may have gone through security audits, including static code scanning, vulnerability scanning, or penetration testing. You may have even done more comprehensive…

The absence of charset information seems to be a minor issue for a web application. This blog post explains why this is a false assumption and highlights the critical security implications.