18 Nov 2022
Snow JS ❄️ is finally in MetaMask 🦊! With Snow, we now have full visibility into all same origin child realms within the MetaMask browser extension,
which will be later used to protect those realms against misuse of any potential malicious entities.
Read more about the motivation behind the Snow-MetaMask integration 🎉
28 Oct 2022
Couldn’t find a proper explanation on what realms are in JS so decided to come up with one myself. So, what is a realm in JS?
I recommend you give this a read - this is a concept you should be familiar with to consider yourself someone who’s above average in understanding JS!
03 Aug 2022
Excited to join MetaMask to work on high level js security initiatives such as LavaMoat.
As part of me joining the organization I am bringing with me 3 cutting edge libraries I invented and worked on for the past year, to help fight against
the problem of unwanted code execution in the browser.
Read more about Securely 🔒, Snow ❄️ and Across ↔ to learn more about this effort!
21 Nov 2021
My talk at OWASP App Sec conference of 2020 just got published on Youtube!
In this talk I present the WhatsApp vulnerability
I exposed in the past and what is the lesson to learn for
messaging apps in general when it comes to security
05 Sep 2021
Introducing the official Awesome Javascript Anti Debugging
which is the number one repo for resources regarding both old and new generation anti debugging techniques in the browser!
01 Sep 2021
Following the first part of Javascript Anti Debugging,
introducing the second part where I show how abusing the scope pane of Chromium’s devtools can allow an attacker tell which on their functions were
debugged and take action when they do!
02 Sep 2020
Covered by Forbes
I expose a Full CSP Bypass in Chromium based browsers.
In this article
I talk about the impacts of such vulnerability and how well CSP really serves us.
09 May 2020
Javascript Anti Debugging (Part 1)
got accepted to the Israeli In-Dev conference in Hebrew - check it out!
30 Apr 2020
Javascript Anti Debugging (Part 1) got published
on the Israeli Magazine “Digital Whisper” in Hebrew - check it out!
05 Mar 2020
Technical details including exploit PoC and videos are uploaded to Github, check it out!
15 Feb 2020
The discovery of CVE-2019-18426 blows up internationally due to its unique severity,
including full coverage by Forbes Magazine!
14 Feb 2020
After a long research, managed to expose a chain of critical flaws in WhatsApp Web App the ultimately could have allowed an attcker to read from
the victim’s file system with a zero click exploit! Here’s the full research journy
18 Dec 2019
Check out my new finding of a next level javascript anti debugging technique.
I demonstrate how I abuse SourceMappingURL feature, which is cross browsers supported, to detect opening of a devtools and do much more then that.
19 Aug 2019
Check out my next post
on how to list every event possible in the browser and a graphical represantation
I made to compare events support between different browsers
16 Feb 2019
Check out my first post where I share some cool insights regarding end of life events in the browser and a cool javascript trick to easily debug them both
02 Feb 2019
Gonna post some cool stuff here hopefully :)