Luan Herrera @lbherrera_ Florianópolis, Santa Catarina

I like browsers, some more than others.

321 Following   1,052 Followers   265 Tweets

Joined Twitter 2/26/13


Still a bit sad that script gadgets didn't make the cut last year (https://t.co/lFRGpWYGEI) but glad that #XSLeaks https://t.co/0LIsrHg9mp
Retweeted by Luan Herrera
2/18
2020
Top 10 new web hacking techniques of 2019 https://t.co/ZJno29OVIo
Retweeted by Luan Herrera
2/17
2020
New blog post! We've published a technique by @SecurityMB to leak data via CSS injection in Firefox with a single i… https://t.co/ze2PN3kYUk
Retweeted by Luan Herrera
2/12
2020
Here's my write-up for #h1415’s CTF challenge! https://t.co/VQf8PDIUg5
This past weekend, @lbherrera_ and I just got the first place in the Bug Bounty of @MercadoLivre #BugBounty https://t.co/18DLEtdtuO
Retweeted by Luan Herrera
2/3
2020
@ngalongc, @EdOverflow, and I are starting a new security blog. In our first write-up, we will discuss the impact… https://t.co/bU8Dmghf70
Retweeted by Luan Herrera
1/31
2020
2019 has been a record-breaking year on lots of fronts - thanks to you all! Keep up your awesome discoveries. https://t.co/TWQkdDlGJG
Retweeted by Luan Herrera
@terjanq @Google @sirdarckcat I'm glad you decided to play Pwn2Win CTF in 2018 and didn't manage to solve my challe… https://t.co/oVQ1vaRUYh
1/30
2020
Read what the @googleChrome and other @GoogleVRP​s have been up to in 2019! https://t.co/SSta7ByJt1 https://t.co/7NaXq01Ywa
Retweeted by Luan Herrera
1/28
2020
I started writing solutions to my challenges on #justctf quite a time ago but haven't had enough time to finish it.… https://t.co/eP8Y774dag
Retweeted by Luan Herrera
1/23
2020
What a great way to start the year! We've managed to finish at 8th place @1ns0mn1h4ck Teaser 2020. https://t.co/LMN6OIwVqu
Retweeted by Luan Herrera
1/19
2020
@PwnFunction Cool challenge and really nice platform! https://t.co/7or24tXXDM
1/11
2020
@xdavidhu @terjanq @sirdarckcat IIRC priority isn't used to determine the severity and there are 4 severities (Low,… https://t.co/bsZCYvwrir
Yo hackers! I've built a small website that has some #XSS challenges. 🔗 https://t.co/EP3HnJBCvm The main challen… https://t.co/c14eVnrD36
Retweeted by Luan Herrera
1/10
2020
For the sake of exercising, I looked up some web challenges in a #tetctf and noticed a cool SQLi one "Secure Syste… https://t.co/mBIDV9IOOv
Retweeted by Luan Herrera
1/7
2020
I made a small CSRF challenge https://t.co/6yizLAVCnr Goal: Change username to "pwned" Rules: 1.Only Chrome 2.Us… https://t.co/rKIhE90MhR
Retweeted by Luan Herrera
1/5
2020
@stereotype32 I tested this during the CTF and it didn't work, last index id returned empty iirc :/
1/1
2019
The most anticipated text of the year, which nobody knew would be written (not even us, lol), is now live! It doesn't look like it,… https://t.co/HhbxiG4v9T
Retweeted by Luan Herrera
@sirdarckcat @JPG1nc @sasi2103 @GoogleVRP Didn't this stop working on Chrome when https://t.co/APLmZJPVXz landed? Or am I missing something?
12/30
2019
@PwnFunction Cool challenge! :)
[NEW] #XSS Challenge (last challenge for the year) 👉🏻 https://t.co/e8wxNc1CC9 DM me if you solved it 🙂 Have fun! * Solution(s) on 1st.
Retweeted by Luan Herrera
Top 16 in a DEF CON Prequals event! Good way to end the year! Thanks @hxpctf, great CTF :) #36C3 https://t.co/Y4c6YjW6mh
Retweeted by Luan Herrera
12/29
2019
My "simple" XSS challenge is over! Once again congratz to @shafigullin @SecurityMB @BenHayak @element14_23 and… https://t.co/at8Dc9mRIa
Retweeted by Luan Herrera
12/27
2019
Ever wondered what makes a CTF challenge good? I've asked myself that many times. I wrote this to help me answer th… https://t.co/9Bvbeu5mym
Retweeted by Luan Herrera
12/25
2019
Writeup on how I made $40,000 breaking the new Chromium Edge using essentially two XSS flaws. https://t.co/VZ3QGbxDF5
Retweeted by Luan Herrera
12/24
2019
Each of my published challenges has been solved at least once! I am so happy because I hate unsolved challenges on… https://t.co/AnQll7lksF
Retweeted by Luan Herrera
12/22
2019
Know open source projects which could use monetary help to improve security? Nominate them! https://t.co/Zz3F7IOYJK
Retweeted by Luan Herrera
12/19
2019
@shhnjk https://t.co/bpqIblKpxN
12/13
2019
Hey! We are organizing justCTF just before the end of the year. https://t.co/j6t0LXALtg Are you ready to compete… https://t.co/tQEiACel2E
Retweeted by Luan Herrera
12/6
2019
A while ago, @lbherrera_ and I created a client-side-yodas list. This is a list of people pursuing research towards… https://t.co/FgNpMtBBpI
Retweeted by Luan Herrera
12/3
2019
CTF players, bug hunters and students descended onto London to play, hack and learn. Congrats to @pastenctf for win… https://t.co/a5IfoRUx1e
Retweeted by Luan Herrera
11/21
2019
Here’s probably my favorite XSS of this year :) This is why we love legacy browser features like DOM Clobbering ;) https://t.co/p2RgPqmjns
Retweeted by Luan Herrera
11/18
2019
[pt-br only, sorry] Want to know what went on behind the scenes at @Pwn2Win 2019? See our full post on @ctfbr:… https://t.co/6Wt8mmL8AN
Retweeted by Luan Herrera
I published yet another #xssearch article about Cache Probing Attack! Today I discovered that the report has been… https://t.co/whRTdJ9Xjh
Retweeted by Luan Herrera
11/13
2019
#Pwn2Win 2019 is over - turns out you can selectively block subresources if you have HTML injection by using link p… https://t.co/s5FNdgRa7J
#Pwn2Win 2019 is over! The most exciting ending so far! Congratz @OpenToAllCTF, @balsnctf and #CL34R! https://t.co/SWERpW2nFU
Retweeted by Luan Herrera
@bookgin_tw @Pwn2Win I will publish the write-up for calc as soon as the CTF ends, unfortunately, for Message Keepe… https://t.co/WCZncjKNNl
11/10
2019
Me and @dfaranha made some hard EC and RSA challenges for @Pwn2Win. Can you solve them? https://t.co/ixHaG5CtP2
Retweeted by Luan Herrera
@c4pt41nnn hack harder
11/9
2019
I made two web challenges (Calc & Message Keeper) for @Pwn2Win 2019 - If you have some free time, take a look - https://t.co/ztIwyXlGEr :)
The big day has arrived! Is everyone ready for @Pwn2Win #CTF 2019? :) https://t.co/PO7gSEBzK3
Retweeted by Luan Herrera
11/8
2019
BREAKING NEWS: The winner of #Pwn2Win 2019 will be invited to the next edition of Pro CTF (the previous edition of… https://t.co/RUWsAJYAIg
Retweeted by Luan Herrera
Hi! I've created my very first "simple" XSS challenge https://t.co/d2KU09ElcJ. I crafted it as a result of my rece… https://t.co/AElOpEhz6d
Retweeted by Luan Herrera
10/25
2019
@fluxfingers Thanks for the chall! It was really challenging but extremely enjoyable =)
First Blood on Do You Even XSS? by @lbherrera_ !!! Amazing job 🥳 https://t.co/vYN3YTt9yz
Retweeted by Luan Herrera
10/23
2019
Registration for @Pwn2Win #CTF 2019 is now open! Are you ready for another Epic Edition? Help us spread the word! https://t.co/uBfdbfS9iD
Retweeted by Luan Herrera
10/18
2019
You aren’t familiar with memory corruption or IPC, but still interested in testing Site Isolation? Check out my WinDb… https://t.co/7MpXqNRbJt
Retweeted by Luan Herrera
10/17
2019
Our guy, @SecurityMB, had a presentation at OWASP Poland Day about exploiting prototype pollution to RCE on the exa… https://t.co/LJj3yMifd2
Retweeted by Luan Herrera
Slides of my presentation at #OWASPPolandDay on web-based side-channel leaks that can be abused to perform XS-Leaks… https://t.co/2R1YMYP6tq
Retweeted by Luan Herrera
10/16
2019
Firefox CSP bypass leaves users open to XSS exploits (HT @garethheyes) https://t.co/wQYA5adUPu
Retweeted by Luan Herrera
I have pushed all my HITCON CTF 2019 Quals *Web Challenge* writeups into GitHub! https://t.co/gQ4sVioDGr
Retweeted by Luan Herrera
10/14
2019
Found a full-blown CSP bypass on the current version of Firefox (69). Not working on the beta version. PoC:… https://t.co/n2NfYpjFRo
Retweeted by Luan Herrera
10/12
2019
@kinugawamasato On a somewhat related note, it was possible to open 3 tabs using your bug :) https://t.co/HytEx5JF8t
10/11
2019
XS-Leak: Leaking IDs on cross domain elements https://t.co/YlwksgZi7T by @garethheyes
Retweeted by Luan Herrera
10/8
2019
I learned this week how I can perform an error-based #xssearch without using any #javascript! It takes advantage… https://t.co/b9LF570rqJ
Retweeted by Luan Herrera
Writeup for the x-oracle-v0, x-oracle-v1, and x-oracle-v2 tasks in nn9ed: https://t.co/NVzniIlkB0 v0: blind xss v1… https://t.co/65r5Xorrtl
Retweeted by Luan Herrera
10/5
2019
@Pwn2Win 2019 will have a dedicated prize for Brazilian academic teams. We want to encourage the participation… https://t.co/h5Bxe8qSUa
Retweeted by Luan Herrera
10/2
2019
Ladies and gentlemen, the CFP for Alligator 2019 - Le Cirque Edition is now live: https://t.co/MuA4GXSTuB
Retweeted by Luan Herrera
9/27
2019
Here are my slides from XSS magic tricks https://t.co/094fotH8ok
Retweeted by Luan Herrera
We are proud to launch our brand new interactive XSS cheatsheet featuring novel vectors from @garethheyes https://t.co/3RVPXq3puY
Retweeted by Luan Herrera
Hey! I recently crafted a surprising payload when solving XSS Challenge on Twitter and wrote a whole article abou… https://t.co/C38XQuJq9r
Retweeted by Luan Herrera
9/26
2019
Nonce-based CSP + Service Worker = CSP bypass? https://t.co/Xjxw0wwtfs
Retweeted by Luan Herrera
@shhnjk Really nice challenge! https://t.co/FkS8DbO1Ba
9/18
2019
I haven't published any writeups in a while. Here is my latest #writeup to an awesome #buyify challenge from… https://t.co/LZAgqrYt1A
Retweeted by Luan Herrera
9/16
2019
Cloudflare WAF bypass: open("https://host/?xss=%3Ca/href=javascript:1%26%26%26%23x6e;ame%3Eclick me%3C/a%3E","<svg… https://t.co/gwLTj9Mbqe
Retweeted by Luan Herrera
9/10
2019
Get ready for the @Pwn2win CTF! Do you enjoy the illustration of this year's story? https://t.co/9HSCggZCYp
Retweeted by Luan Herrera
9/2
2019
Can you think out of the 📦? Solve our XSS challenge and WIN a @burp_suite license and private invites! 🤩More info:… https://t.co/zScG95nyJM
Retweeted by Luan Herrera
@intigriti @Burp_Suite Nice challenge!
8/28
2019
The best hacks are the hacks you find after you tried 'everything'. Desperation is the best source of creativity. If you persist.
Retweeted by Luan Herrera
8/19
2019
If CSP policy points to a dir and you use %2f to encode "/", it is still considered to be inside the dir. All brows… https://t.co/neLed420Gv
Retweeted by Luan Herrera
8/18
2019
In multiple recent disclosure discussions on Twitter, I had said I will write a longer blog post about my views. I… https://t.co/xPDwEOQJd7
Retweeted by Luan Herrera
8/17
2019
another Cloudflare bypass: <iframe/src=javascript:%2520with(document)with(body)innerHTML="<svg/onload"%2B"=alert\x… https://t.co/Z3sWe6wRDq
Retweeted by Luan Herrera
8/9
2019
https://t.co/nuaMhpWYuI A private talk I did few years ago, about how I turned a self-XSS to a site-wide CSRF on T… https://t.co/aq0OeVvWjw
Retweeted by Luan Herrera
8/5
2019
XSS Cloudflare WAF bypass: <img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;> #bugBounty #bugbountytip
Retweeted by Luan Herrera
8/4
2019
Web training with me and the master @marcioalm. Come along, it's going to be awesome, we'll have some wicked challenges along with… https://t.co/nZ4KZWdFBk
Retweeted by Luan Herrera
@vladimir_metnew @GoogleVRP From their FAQ: "A: I'm afraid not. We reward based on the rules that were in effect at… https://t.co/PIZGwYpv90
7/30
2019
Call for Sponsors! Help us get to the #CyBRICS final to represent Brazil in Russia! Help us to go to #CyBRICS https://t.co/FZLwYIZpE8
Retweeted by Luan Herrera
As I have to wait to release my LibreOffice finding: https://t.co/CvoMyErQ10 The JavaScript V8 engine has interest… https://t.co/evCGTiv8yN
Retweeted by Luan Herrera
7/26
2019
@sirdarckcat WHAT!!! I’ll keep that in mind. Full disclosure all time for Firefox :D
Retweeted by Luan Herrera
7/24
2019
So ... @eltctfbr has qualified for a CTF final in Russia (CyBRICS), does anybody want to sponsor us? https://t.co/JzSz2DhWhL
Retweeted by Luan Herrera
7/22
2019
The video is a bit random 😅 https://t.co/Eya9RmLitB https://t.co/LAQAiVgtkc
Retweeted by Luan Herrera
7/20
2019
This is a long time coming! Now I know where to spend my next weeks :) https://t.co/b0CN544nxV
7/19
2019
@sirdarckcat @_niklasb https://t.co/RY12yqaz6j and https://t.co/Ch3OPTr68F were fun.
@MurmusCTF fetch("https://t.co/cCdxD9AN8g", { method: "post", mode: "no-cors", credentials: "include", headers: { "… https://t.co/yA8oTypSpN
7/10
2019
my slides are published here: https://t.co/k0FRWmaWCh
Retweeted by Luan Herrera
7/7
2019
@intigriti Sun May 29 2033 17:43:32 GMT-0300 - herrera
6/20
2019
Save the date, #Pwn2Win 2019 will take place on October 11, brace yourselves! :) @ctfbr https://t.co/qRhwboPezf
Retweeted by Luan Herrera
6/16
2019
https://t.co/9Tp2RhJcmd 🤔
Slackers is on Reddit https://t.co/D1dPaik8Aw let's bring it back!
Retweeted by Luan Herrera
6/14
2019
Fun little bug in Chrome: https://t.co/FPfyOuu33I
6/12
2019
Few days into my research and already found #XSLeaks bugs in Chrome, Firefox, and Edge. Keep them coming!
6/3
2019
@har1sec @sirdarckcat @mikispag @avlidienbrunn @garethheyes Maybe you can leak stuff by making the form submit to i… https://t.co/5i9zXMjrj9
5/24
2019
@intigriti @reefbr /manoelt
Blog post: Abusing jQuery for CSS powered timing attacks by @garethheyes https://t.co/PFtOWAEEJ5
Retweeted by Luan Herrera
5/22
2019
I wrote up my XSS without parentheses and semi-colons research https://t.co/NgFIPV1Qxy
Retweeted by Luan Herrera
I'm publishing the slides I'll use at Shibuya.XSS techtalk #11. The theme is taking a peek at the world "after" XSS. Enjoy! :-) #shibuyaxss | "Gimme a bit!" - Ex… https://t.co/qGWWBmJlHh
Retweeted by Luan Herrera
5/16
2019
Not bad for our first time playing together on site. @defcon @oooverflow #defconctf #quals https://t.co/zZ1fPQtUig
Retweeted by Luan Herrera
5/13
2019
I blogged about how Chrome switching the XSSAuditor to "filter" mode re-enables old attacks - https://t.co/lVa2mFtLit
Retweeted by Luan Herrera
5/10
2019
So it turns out that Firefox is removing that functionality from supported features: https://t.co/dDwZzP79cJ Also… https://t.co/oC9QkJogvD
Retweeted by Luan Herrera
5/5
2019
What's the safest value for X-XSS-Protection? Repeating a classic poll (that @filedescriptor made some time ago).
Retweeted by Luan Herrera
5/2
2019