

The Spanner


Latest posts

Last updated almost 6 years ago

Rewriting relative urls with the base tag in Safari

almost 6 years ago

I tweeted this a while ago but Twitter sucks when it comes...

Bypassing DOMPurify with mXSS

almost 6 years ago

I noticed DOMPurify would let you use the title tag when injecting...

New IE mutation vector

about 9 years ago

I was messing around with a filter that didn’t correctly filter attribute...

How I smashed MentalJS

about 9 years ago

I’m proud to introduce a guest blogger on The Spanner. Jann Horn...

MentalJS DOM bypass

over 9 years ago

Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used...

Another XSS auditor bypass

over 9 years ago

This bug is similar to the last one I posted but executes...

XSS Auditor bypass

over 9 years ago

XSS Auditor is getting pretty good at least in the tests I...

Bypassing the IE XSS filter

over 9 years ago

Mario noticed that the new version of the IE filter blocks anchors...

Unbreakable filter

over 9 years ago

I was bored so I thought I’d take a look at Ashar’s...

MentalJS bypasses

about 10 years ago

I managed to find time to fix a couple of MentalJS bypasses...


about 10 years ago

Mutation XSS was coined by me and Mario Heiderich to describe an...

Java Serialization

about 10 years ago

In this post I will explore Java serialized applets and how they...