Gareth Heyes 

@[email protected]
2.7K Followers
239 Following
707 Posts
javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'>

https://garethheyes.co.uk/#latestBook

https://leanpub.com/javascriptforhackers/
My web sitehttps://garethheyes.co.uk/
PortSwigger Researchhttps://portswigger.net/research
Githubhttps://github.com/hackvertor/
My bloghttp://www.thespanner.co.uk/
JavaScript for hackershttps://leanpub.com/javascriptforhackers/
Show threadGareth Heyes 4d ago
Link:
https://shazzer.co.uk/
Shazzer - Shared online fuzzing

An app to enable to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!

Gareth Heyes 4d ago
If you haven't tried Shazzer yet you should give it a go. You can easily find browser behaviour and get it tested by other users or your team. It supports private vectors too and you can assign them to your team. You can even have your own private fuzzing network. 🔥🔥🔥
Gareth Heyes Apr 9
Shazzer & Hackvertor OAuth was broken because of a Github change. Hopefully I've fixed the issues now.
Gareth Heyes Apr 3

Hehe WTF.

https://shazzer.co.uk/vectors/69d009776d238ed31d31e687

Entities after protocol-relative URL - Shazzer

Tests which entities are allowed after a protocol-relative URL

Gareth Heyes Apr 2

I improved the collection view in Shazzer. You can now expand the results below the vector.

https://shazzer.co.uk/collections/69cebd940e3146875ac3465c

Entities in protocol relative URLs - Collection - Shazzer

An app to enable to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!

Gareth Heyes Mar 30

Shazzer had an interesting bug. I write to a blob URL thats sandboxed but because its a blob URL it breaks relative URLs which means vectors with them would return false negatives. The fix was: use a base tag to change the domain. This fixes vectors like:

https://shazzer.co.uk/vectors/69c81542145f0a28b7d202be

relative & protocol relative url starting with a slash and not immediately having a slash after it. - Shazzer

test

Gareth Heyes Mar 28
Frederik Braun �Mar 27
@gaz Have you seen this? You must see this :) https://front-end.social/@html5test/116301798349200500 first response also contains link to how he built it
Niels Leenheer (@[email protected])

Attached: 1 image CSS is DOOMed! I've build DOOM in CSS and every wall, floor, barrel, and imp is a div, positioned in 3D space using CSS transforms. https://cssdoom.wtf Try it out! But... not every browser can handle it. This is taking the browser to its limit. Chrome has some issues. Safari too. Bugs will be filed.

Front-End Social
Gareth Heyes Mar 8
Been doing a lot of statistical analysis in my free time on yet another side project. It's quite fun and far less challenging than my other side projects.
Gareth Heyes Mar 4

You can now create collections of vectors on Shazzer. You can select up to 10 vectors and view the results of each by clicking a button. If anyone has any ideas to display the results in a better way let me know.

https://shazzer.co.uk/

Shazzer - Shared online fuzzing

An app to enable to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!

Gareth Heyes Feb 26

Last night I added GZip and Deflate compression to Hackvertor. I also improved the autodecoder to detect it. Yesterday on my lunch I added autocompletion for HackPad and fixed a bunch of bugs.

https://hackvertor.co.uk/urls/31

Hackvertor - Cutting edge conversion

An app to make conversion tags to help with web security research