Security Researcher

Joined November 2020
Pinned Tweet
I've published my new research, "Exploiting Number Parsers in JavaScript". In this article, I’ve discussed the number parsers in JavaScript and the different attack scenarios you might encounter. logicalhunter.me/exploiting-…
Borna Nematzadeh retweeted
Replying to @GoogleVRP
@GoogleVRP disclosed my most impactful client-side report to date: bughunters.google.com/report… TL;DR An attacker could've gained access to Gemini Code Assist Tools (GitLab, GitHub etc.) configured by the victim
Borna Nematzadeh retweeted
"AI Agents for Offsec with Zero False Positives" by @moyix, a journey on how we managed to get 0 FPs with XBOW. You can find the slides for his BH talk here: cdn.prod.website-files.com/6…
Borna Nematzadeh retweeted
An Introduction to using Artificial Intelligence (AI) for Vulnerability Research x.com/i/broadcasts/1mnxegPyz…
Borna Nematzadeh retweeted
❌ Eliminating almost all exploitable web vulnerabilities? This blog post covers how the Google security team implemented a high-assurance web framework to achieve this goal for its services, and what this framework's most important characteristics are. bughunters.google.com/blog/6…
Borna Nematzadeh retweeted
27 Jan 2025
Write-up of my v8 bug: Critical type confusion in V8's Turboshaft compiler allowed stale pointers to bypass GC, leading to exploitable memory corruption. Full details and PoC: bushido-sec.com/index.php/20…
It's an honor that my research, Exploiting Number Parsers in JS, has been nominated for the Top Ten Web Hacking Techniques of 2024. I discussed how discrepancies in JS number parsers could be used to carry out DoS attacks. If you find it interesting, please vote for it!
15 Jan 2025
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10…
Borna Nematzadeh retweeted
🧵 [1/4] Here is our DOMPurify 3.2.1 bypass, using a namespace confusion technique where each element is initially in a “correct” namespace. When it was allowed, the ‘is’ attribute was not handled correctly, making the attribute content’s regex check obsolete. #mXSS #XSS
Borna Nematzadeh retweeted
18 Nov 2024
Just discovered 10 memory corruption vulnerabilities in the popular Mongoose Web Server (11k stars on GitHub) by fuzzing its embedded TLS stack protocol with @aflplusplus. More technical details here: nozominetworks.com/blog/hunt…
There is no prize to perfection, only an end to pursuit
Borna Nematzadeh retweeted
18 Nov 2024
Released a new extension :)
- console.info for postMessages from all_frames.
- detects the scope of sent messages.
- origins that are insecure will be prefixed with UNSAFE.
- detects if a website does not check .origin
- MessageChannel API
chrome.google.com/webstore/d…
Awesome research!🔥
I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜 The research article is available here: mizu.re/post/exploring-the-d… The slides are available here: slides.com/kevin-mizu/grehac… 1/3
Borna Nematzadeh retweeted
15 Nov 2024
I created a small tool to automatically set breakpoints in Chrome using the CDP (Chrome DevTools Protocol). It’s still in beta, but I’m actively working on a complete version. github.com/m4ll0k/autobreakp…
Borna Nematzadeh retweeted
2 Nov 2024
Here's a code snippet that as far as I can tell pretty much solves prototype pollution. It's based on github.com/tc39/proposal-sym…, and after running it you can access an object's prototype with object[Symbol.instanceProto], and object["__proto__"] will be undefined.
Borna Nematzadeh retweeted
Project Zero blog: LLMs find 0days now! 👀 And: our fuzzer setup did *not* reproduce it! googleprojectzero.blogspot.c…
I have updated the list of custom filters for Logger. The new additions include:
- New API style (gRPC-Web)
- Improved previous filters
- Exposed API keys custom filters
- New filters for API vulnerabilities
github.com/bnematzadeh/Logge…
Borna Nematzadeh retweeted
Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confu…
Highlights include:
⚡ Escaping from DocumentRoot to System Root
⚡ Bypassing built-in ACL/Auth with just a '?'
⚡ Turning XSS into RCE with legacy code from 1996
Borna Nematzadeh retweeted
#TypeScript Remote Procedure Call (tRPC) Security Research: Hunting for Vulnerabilities in Modern APIs, a nice read from @LogicalHunter: medium.com/@LogicalHunter/tr… Vulnerable tRPC playground: github.com/bnematzadeh/trpc-…