Archives for the ‘Uncategorized’ Category

Bypassing DOMPurify with mXSS

I noticed DOMPurify would let you use the title tag when injecting a self closing SVG. Normally it blocks title outside of SVG however using the self closing trick you could bypass that restriction. <svg/><title> Injecting the title tag is important because it mutates, as I’ve tweeted about in the past. In order for the […]


Relative VS Absolute RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name […]

Jump off a bridge specification

RFC Editor USC/ISI Jan 2011 Official Jump off a bridge protocol standards Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Table of contents 1. Overview 2. Jump 3. Die 1. Overview This memo contains a […]

Three-Strikes and you’re DOSd

You may have heard about the Three-Strikes law proposal that has been suggested as a way to end copyright infringement. If you think about it for a minute, it could be the ultimate way to create a DOS attack. Web pages could abuse this system to ban you from the internet by using iframes or […]

I’m having a baby girl

I’m sorry but I’m so proud and so drunk that I had to tell the world!

Safari needs fixing!

I’ve informed Apple of a serious Safari problem a few months ago and still they haven’t fixed it. I have decided to release a demo of how Safari will allow cross domain javascript access. I think this is a major issue and I am releasing it here with the hope that Apple will get off […]