Retr0's Threat Research

XSS has been around forever, but Mutation XSS (MXSS) makes it even trickier to stop even with all the defenses! In this video, we’ll break down why server-side sanitizers keep failing when it comes to handling browser quirks and parsing inconsistencies. From…

Sanitizing HTML is harder than it seems with MXSS! In the last video, we talked about the challenges of server-side sanitization, and now we’re diving into why client-side sanitization is just as difficult. We'll break down the issues, including the round…

بسم الله الرحمن الرحيم

Hello Guy’s, I’m rood bug bounty hunter and this first English writeup for me

Execute invisible JavaScript by abusing Hangul filler characters.

An Introductory Guide for finding Bugs with JavaScript Static Analysis

As a software engineer, you must be familiar with information security. In your work projects, you may have gone through security audits, including static code scanning, vulnerability scanning, or penetration testing. You may have even done more comprehensive…

The absence of charset information seems to be a minor issue for a web application. This blog post explains why this is a false assumption and highlights the critical security implications.

A case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). This incident is a prime example of how threat actors chain zer…

After a long day of trying and failing to find vulnerabilities on the Verizon Media bug bounty program I decided to call it quits and do some chores. I needed to buy gifts for a friends birthday and went online to order a Starbucks gift card.

Share your videos with friends, family, and the world

A misconfiguration in an organizations' setup of their live chat system allowed unauthenticated access to user chat histories with customer support agents.