[ edit ]


These are some things


Return true to Win A series of JavaScript challenges.

Alert 1 to win A series of XSS challenges: here's some unsafe code; exploit it! Shortest code wins.

Regex golf A series of regex-writing challenges (now also on SPOJ)

Zip Quine A ZIP file that contains itself. Best paid code I ever wrote.

Testing tools

Chargen Generate test pages from the URL.

DNS On-the-fly DNS

Some bugs

Flash XSS Traps Adobe forgot to escape backslashes, so every Flash file that passes strings to JavaScript had XSS.

Stealing Tokens With Harmony The Proxy feature in ES6 opened a new XSSI vector.

ServiceWorker is a problem if you have a 'user content' domain. It could be used to steal files from Dropbox.


2016-11-17: Return True is back. Moving the rest over now.

Complaints to @steike.