detail less & sass suddenly came to my mind when researching about of css injection attacks. you know, both are css pre-processor so i think they don’t support any client-based operation. it is a mistake… i saw less.js when visiting http://lesscss.org/ page. less.js provides interpreting javascript code with backtick char in less code. so dom-based xss vulnerability arises at this point. i published it on twitter as the new attack vector for less.

in one private program at bugcrowd, i came across three different open redirect bug methods. first this is an effortless open redirect vulnerability as follows and i reported it to the company. > https://companyx.com/redirect?url=http://mert.ninja then they marked as “triaged” and “unresolved” the bug. after a while, they marked it as…

twitter sent an e-mail to you when someone followed you when someone favorited your tweets etc. you can unsubscribe the twitter notifications by clicking the “unsubscribe” button in the footer of the mail. then it will redirect you to the following link: https://twitter.com/i/u?t=1&cn=bWVzc2FnZQ%3D%3D&sig=647192e86e28fb6691db2502c5ef6cf3xxx&iid=f6529edf-322d-xxx-b99a-067876dfe799&uid=1134885524&nid=22+26