Category: Blogs

  • postMessage API security in Chrome extensions

    The postMessage API lets different contexts in a browser talk to each other: iframes to parent windows, content scripts to page scripts, extension components to each other. It’s designed to work cross-origin. That’s the whole point of the API. And it’s one of the easiest things to get wrong in a Chrome extension. When you…

  • Open Redirect in LimeSurvey

    On February 12, 2026, I responsibly disclosed an open redirect vulnerability in LimeSurvey, the popular open-source survey platform. The issue was patched and released in version 6.16.11+260303 on March 3, 2026. In application/controllers/EditorLinkController.php, the url GET parameter was passed directly into a redirect without any validation or sanitization. This meant that any unauthenticated user could…

  • Adbleed: partially de-anonymizing VPN users with adblock filter lists

    Most people assume that using a VPN makes them anonymous online. Your real IP is hidden, your traffic is encrypted, and websites see the VPN server’s location instead of yours. We’ve already seen that this is not fully the case thanks to browser fingerprinting techniques such as the many that https://amiunique.org or the EFF can…

  • Automating security tests for any online chatbot with garak

    Last week I was doing some bug bounty hunting and stumbled upon what many websites seem to be having nowadays: an LLM-powered chatbot. I thought it would be really interesting to automate the testing of this chatbot and started looking for some tools, instead of having to manually copy-paste dozens of payloads and waiting for…

  • Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit

    Yesterday Joomla published version 3.6.4, an update to patch security issues: Because I was curious to see how these vulnerabilities worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file. Turns out…