No parenteses allowed? location.hash is here

I come across a web application in a bounty private program that reflected my var – xss – with the following code: [code lang=”js”] var _s_tab = xss; var _s_params = ""; var _s_autoScroll = true; setTimeout("try { s_callAjax(‘search’, ”); } catch(ex) { setTimeout(\"s_callAjax(‘search’, ”);\", 2000);}", 50); [/code] So what I tried next was to… Continue reading No parenteses allowed? location.hash is here

Tiny XSS vector

I needed a small XSS vector that could fit in a 10 char limit variable in a limit 10 char on a private client to show him that limiting chars on a variable is not secure… [code lang=”js”]central.push({ ‘var1’: ‘INJECT_HERE’ });[/code] So after some attempts I was unable to find one so I called for… Continue reading Tiny XSS vector

Exploits start against flaw

[News] Exploits start against flaw that could hamstring huge swaths of Internet – — bugcrowd (@Bugcrowd) August 3, 2015

Categorized as News Tagged

I’m number 1 on

Just checked the Hall of Fame of and I’m now number 1 in the rank. Not bad for a portuguese guy that started in March. Next objective… 1000 points! Let’s go! Reflected Filename Download

Who is Salesforce help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your… Continue reading Reflected Filename Download

Mixpanel gave me a cool Tshirt

When I help companies to fix security issues I do not ask anything in return. I come across a security issue on Mixpanel when auditing private client on and I send to Mixpanel a little security advisory describing a Reflected Filename Download vulnerability with a couple of screenshots. Mixpanel security team fixed the vulnerability… Continue reading Mixpanel gave me a cool Tshirt

It wasn’t me…

Some people say that it’s the price of fame but I don’t think it’s the case. Someone is using my name and reputation to contact site owners and sell their security services. Apparently it’s a guy from Pakistan with the Paypal – [email protected]