RSS Parrot

SVG Filters - Clickjacking 2.0

https://lyra.horse/blog/2025/12/svg-clickjacking/

Published: December 4, 2025 14:00

Clickjacking is a classic attack that consists of covering up an iframe of some other website in an attempt to trick the user into unintentionally interacting with it. It works great if you need to trick someone into pressing a button or two, but for…

You no longer need JavaScript

https://lyra.horse/blog/2025/08/you-dont-need-js/

Published: August 28, 2025 20:40

So much of the web these days is ruined by the bloat that is modern JavaScript frameworks. React apps that take several seconds to load. NextJS sites that throw random hydration errors. The node_modules folder that takes up gigabytes on your hard drive.…

Using YouTube to steal your files

https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-files/

Published: September 19, 2024 07:30

In my security research I often come across weird quirks and behaviours that aren’t particularly useful beyond a neat party trick. It’s always a good idea to keep track of them though, perhaps one day they’ll be just the missing piece you need. …

Exploiting V8 at openECSC

https://lyra.horse/blog/2024/05/exploiting-v8-at-openecsc/

Published: May 26, 2024 00:00

Despite having 7 Chrome CVEs, I’ve never actually fully exploited a memory corruption in its V8 JavaScript engine before. Baby array.xor, a challenge at this year’s openECSC CTF, was my first time going from a V8 bug to popping a /bin/sh shell. Most V8…

Stealing your Telegram account in 10 seconds flat

https://lyra.horse/blog/2024/05/stealing-your-telegram-account-in-10-seconds-flat/

Published: May 1, 2024 21:00

Say you handed me your phone, what’s the worst I could do in 10 seconds? Web.telegram.orgedited 23:51 Click that link and your browser will be logged into telegram without passwords23:52 The other day I received an interesting message with a link to…