Kévin Gervot (Mizu)
@mizu.re
About me?
| Website: https://mizu.re
| Tool: https://github.com/kevin-mizu/domloggerpp
| Teams: @rhackgondins, @FlatNetworkOrg, @ECSC_TeamFrance
| From: https://twitter.com/kevin_mizu
Pinned
I'm very happy to finally share the second part of my DOMPurify security research 🔥

This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)!

Link 👇
mizu.re/post/explori...

1/2
A quick update has been made to DOMLogger++ to add / update a few things. It's not a big deal, but it should allow interesting stuff to be done :)

It should be available on the stores in the coming hours.
October 24, 2025 at 1:59 PM
Reposted by Kévin Gervot (Mizu)
My first post for the @ctbbpodcast.bsky.social Research Lab is live.
Super excited to be part of this team; can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
September 19, 2025 at 2:28 PM
For the @ASIS_CTF, I created a challenge based on an interesting (novel?) DOM Clobbering technique! 🚩

In short, in non-strict mode, HTMLCollection items are not writable. This blocks property assignment, allowing unexpected values to be created 😄

👉 mizu.re/post/under-t...
September 8, 2025 at 3:10 PM
Reposted by Kévin Gervot (Mizu)
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
September 3, 2025 at 2:54 PM
Small teaser for Caido users :)

2/2
September 3, 2025 at 2:34 PM
DOMLogger++ v1.0.9 is now out and available! 🎉

This update fixes a lot of issues, including the historical DevTools bug on Chromium 🔥

It also brings full Caido session handling, which is going to be useful in the near future! 👀

👉 github.com/kevin-mizu/d...

1/2
September 3, 2025 at 2:34 PM
I was keeping this one for myself for a while, but after several discussions at DefCon I thought it would be nice to share it now :)

Btw! If you wonder how this could be abused, I recommend looking at: mizu.re/post/explori... 😉

3/3
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2) (Tags: Article, Web, mXSS)
August 25, 2025 at 4:17 PM
For example, using this configuration, it is possible to retrieve the @masatokinugawa.bsky.social CVEs in TinyMCE.

👉 subdomain1.portswigger-labs.net/xss/xss.php?...

2/3
August 25, 2025 at 4:17 PM
I've released a DOMLogger++ config that helps detect any replacements occurring in a DOMPurify output by inserting and tracking a canary value at runtime.

I think it highlights how useful DOMLogger++ can be for tracking JS execution :D

👉 github.com/kevin-mizu/d...

1/3
August 25, 2025 at 4:17 PM
Reposted by Kévin Gervot (Mizu)
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
August 6, 2025 at 11:43 PM
This is still v1, there's lots to improve and many gadgets to add.

If you'd like to contribute or have any feedback, please don't hesitate to reach out 😁

4/4
July 24, 2025 at 3:31 PM
Each library page includes:

* Affected versions
* A short description
* Root cause of the gadget
* Related links
* Credit to the discoverer
* And even a preview button to play with the gadget live!

3/4
July 24, 2025 at 3:31 PM
The wiki lets you filter gadgets by browser, tags, attributes, CSP, and timing, making it as easy as possible to find interesting vectors (at least I hope so!) 🔎

2/4
July 24, 2025 at 3:31 PM
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4
July 24, 2025 at 3:31 PM
Reposted by Kévin Gervot (Mizu)
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...
Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter
After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.
July 4, 2025 at 3:09 PM
I've released my CTF bot template! :D

It's not a big deal, but it comes with a heavily hardened Docker setup. The bot also sends a lot of debugging information over the TCP socket (console logs, navigation), which makes remote debugging much easier! 🔎

👉 github.com/kevin-mizu/b...
May 22, 2025 at 6:03 PM
Reposted by Kévin Gervot (Mizu)
Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall

joaxcar.com/blog/2025/05...
Confetti: Solution to my Intigriti May 2025 XSS Challenge - Johan Carlsson
May 20, 2025 at 3:59 PM
Reposted by Kévin Gervot (Mizu)
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓
May 14, 2025 at 1:31 PM
Reposted by Kévin Gervot (Mizu)
Think you’ve seen every OS command injection trick?
Think again, read our latest blog post!
Link in the comments👇
April 30, 2025 at 12:44 PM
Oops, thank you 🙏
April 29, 2025 at 7:08 AM
All the other challenge write-ups (not just web) are available in the #writeup channel of the CTF Discord server:

discord.gg/rwZY6hh8z8

Thanks again to @ECSC_TeamFrance for the opportunity! 💙

2/2
April 28, 2025 at 4:47 PM
The #FCSC2025 ended yesterday, and my write-ups are now available here 👇

mizu.re/post/fcsc-2025…

Btw, like every year, all the challenges have also been added to hackropole.fr! 🚩

1/2
April 28, 2025 at 4:47 PM
Reposted by Kévin Gervot (Mizu)
Firefox treats multipart/x-mixed-replace like HTML. Chrome doesn’t.
That tiny difference? It can turn a "non-exploitable" XSS into a real one.
Abuse boundary handling, bypass filters, and make your payload land.

thespanner.co.uk/making-the-u...
Making the Unexploitable Exploitable with X-Mixed-Replace on Firefox - The Spanner
In this post, we’ll look at an interesting difference in how Firefox and Chrome handle the multipart/x-mixed-replace content type. While Chrome treats it as an image, Firefox renders it as HTML - some...
April 25, 2025 at 9:50 PM
This year again, with @bi.tk, we've made the Web challenges 🚩

The CTF is solo and lasts 10 days; if you have some time, please give it a look 😁

Btw, even if you're not doing Web challenges, there are 100+ challenges in various categories, you should find something you like!
April 18, 2025 at 4:35 PM
Reposted by Kévin Gervot (Mizu)
🔥 My Black Hat talk is now live! 🎥

Watch how email parsing quirks turned into RCE in Joomla and critical access control bypasses across major platforms. See how these subtle flaws led to serious exploits!

www.youtube.com/watch?v=Uky4...
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
March 20, 2025 at 12:41 PM