I’ve had requests to create a Hackvertor API to allow you to embed it on your own sites, so I’ve created one. It uses postMessage to communicate and you can set the width, height, top, left and callback for your output. The code looks like this:- Hackvertor.write({top:’0px’,left:’300px’,width:’700px’,height:’400px’, callback:function(str) { document.getElementById(‘output’).value=str; }}); This will write a [...]

You might remember my XSS Rays bookmarklet I developed a while ago, I got nagged by a few of you to fix some things in it. Well it was crappy because it was bookmarklet based so I didn’t bother. Instead I decided to create a Chrome extension and revamp the features. So here it is [...]

Something like two years ago I think, I discovered IE had a additional HTML attribute called “CHARSET” quite convenient as it’s defined in HTML5. This enabled me to bypass a few things using UTF-7. The MSDN documentation was updated to account for this hidden attribute which is pretty cool, so I found something hidden which [...]

I was experimenting with some HTML vectors to break the various HTML parsers in the browsers, I wanted to continue till I found a cool one for Firefox because I like to bully the memory hogging browser as I use it a lot. I found some weird rendering in Firefox, Chrome and Opera. It started [...]

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this as I discovered the method when I was testing it, instead of fixing it I created the challenge. Stefano Di Paola of course figured it out, nice work [...]

I woke up yesterday morning and had a sudden flash of inspiration to stop all social network worms. I dunno why I wasn’t even researching them, I’ve no idea how my mind works it’s funny like that. Anyway sometimes I have bad ideas and sometimes they’re good. I like to discuss them all because that’s [...]

It’s been a while for a Hackvertor update, you might have noticed that the old one hasn’t changed in a while. This is because I’ve finally moved it over to the new one with a bunch of new features. I’ll give you a run down of the new tags and features I’ve added. I still [...]

After using JavaScript for a while one of the worst parts I found was the String.replace function. When I realized it’s behaviour I thought to myself someone is going to use this wrong. The function itself is excellent, I use it all the time as you could probably tell with my code. It is far [...]

One of the impossible problems of the web is how do you protect against site that has a persistent XSS hole yet requires JavaScript to function. I thought about this for a while and worked out you could create a XSS zone where you expect user input. Declaring a zone is tricky because if you [...]

I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless where it’s placed. For example:- “xss” ‘xss’ <tag alt=”xss”> As an added challenge I tried to execute only the one payload and where possible to use a single eval. I had [...]