Tag: POC [10]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)
TextMeshPro markup injection leads to whited out screen.
Exploiting Cooke Based Self-XSS (Jul 16, 2025)
A mildly interesting self-xss with some additional security content & best practices worth reviewing.
Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)
Resolving an undocumented AWS Codebuild error and describing GitHub App integration security considerations.
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
Exploring the M365 Power Platform as a means of privilege escalation and flexing control over a phishing victim's SharePoint, OneDrive, Outlook, and Microsoft Teams data.
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)
Bypassing the spoof geolocation feature in browser extensions to disclose the physical location of a user. I share two high severity bugs. Bug 1 is a generic payload that works across multiple extensions, and bug 2 is an ExpressVPN specific payload that has been patched. This post is a case study with the Location Guard & ExpressVPN extensions, my bug bounty experience, and a few takeaways that may prove insightful for others.
Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (Nov 07, 2022)
Finding the best route between multiple destinations in Google Maps or other tools can be frustrating. I have created a bespoke Chromium browser extension to help calculate a relatively optimal multi-destination travel route. Usage: Install the extension, navigate to https://maps.google.com, and use the tool.
Image Slicing with Python (Jan 25, 2022)
Slicing and manipulating images with a Python GUI program using the Pillow and tkinter GUI packages.
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)
Scanning the DOM for interesting data + hooking getters/setters. Demonstrating POC w/ a PowerApps example.
Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)
Trying to recreate the x32dbg/x64dbg stacktrace and dereferencing features in WinDbg Preview by leveraging its JavaScript API. Additionally, playing with Time Travel Debugging (TTD) and inspecting memory on the heap. POC included.
Hacking Electron Apps: Joplin (Oct 12, 2021)
Adding custom functionality to the Joplin note-taking app by injecting arbitrary JavaScript into source code. POC included.

All Tags

Web (10) Hacking (10) POC (10) JavaScript (7) BugReports (5) reverse-engineering (4) Cloud (4) BugBounty (4) Debugging (3) Browser (3) Development (2) Electronjs (2) Joplin (2) TypeScript (2) SharePoint (2) Chromium (2) Game-Hacking (2) Tutorial (2) Security (2) XSS (2) PowerApps (2) Microsoft (2) Power-Platform (2) Privilege-Escalation (2) Browser-Extension (2) Credential-Dumping (2) Microsoft-Edge (1) Electron.js (1) Race-Condition (1) Unity (1) Blender (1) Payment-Gateway (1) Paypal (1) Dynamic-Testing (1) PowerShell (1) WinDbg (1) WinDbg-Preview (1) x32dbg (1) x64dbg (1) mona.py (1) pykd (1) Android (1) Frida (1) BurpSuite (1) .apk (1) Java (1) linux (1) il2cpp (1) adb (1) mobile (1) Wordpress (1) Email (1) Oracle (1) VPS (1) GraphQL (1) HackerOne (1) Pentesting (1) Python (1) CTF (1) Image-Manipulation (1) M365-Services (1) Phishing (1) Google-Maps (1) Optimization (1) CodeQL (1) BugCrowd (1) ExpressVPN (1) Power-Automate (1) M365 (1) Outlook (1) OneDrive (1) Microsoft-Teams (1) AWS (1) CodeBuild (1) Azure-DevOps (1) CICD (1) GitHub (1) TextMeshPro (1) Injection (1) C# (1)