Daniel Santos (Pinned)
From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass
For those who are only interested in the final payload here you go (I won’t judge). For the ones interested in why it works, please bear…
8 min read · Nov 11, 2020

Daniel Santos
Leaking Microsoft Defender’s exclusions using a timing oracle
Around January 2022, the fact that unprivileged users were able to enumerate Microsoft Defender’s exclusion rules gained notoriety. A…
3 min read · Feb 11, 2024

Daniel Santos
Capturing the flag with ChatGPT: solving DiceCTF 2023 rev/time-travel
I was recently invited to play the latest edition of DiceCTF. It was a last-minute invite, so I just played the last two hours of the…
3 min read · Feb 7, 2023

Daniel Santos
Bypassing Defender’s self-protect mechanism
I recently started working as a Red Team lead, and figuring out ways to bypass antivirus engines became a regular thing. I am a huge fan of…
4 min read · Feb 17, 2022

Daniel Santos in Techiepedia
The tale of CVE-2021-34479 (VSCode XSS)
This April, I finally decided to take some time to study the Electron framework and the security considerations around it. After learning…
5 min read · Nov 17, 2021

Daniel Santos in Techiepedia
How I found my first Chrome bug (CVE-2021-21210)
On October 31, 2020, @SamyKamkar published his research on NAT Slipstreaming. According to his own words, NAT Slipstreaming —
5 min read · Jun 28, 2021

Daniel Santos
Cracking Rolling Code Locks the lazy way
I took some of my Christmas break time to solve as many challenges as I could in HackerOne’s CTF. Out of the remaining challenges I still…
7 min read · Jan 1, 2021

Daniel Santos
Wacky XSS challenge write-up
On November 4th BugPoc published a new challenge on their official Twitter account. The challenge objective was simple, find an XSS…
9 min read · Nov 11, 2020