Hi There & Welcome to My Corner of the Web!
I'm Nam Le, a security engineer & web developer in Viet Nam. I'm happy to share my knowledge on my blog. Follow me on Twitter/X.
Writing
Discovering DOM-Based XSS on DeepSeek.com via postMessage Exploitation
While testing https://chat.deepseek.com, I found a DOM XSS vulnerability in the postMessage handler. The function lacked origin validation, allowing arbitrary HTML injection. Using a payload like <script>alert(origin)</script>, I demonstrated the exploit. This highlights critical security risks when message origins aren't properly validated.
Read Post
How I found DOM XSS via postMessage on Bing.com - Microsoft Bug Bounty
The website Bing.com has message event listeners. I found a feature that listens for postMessage with two arguments to update the User header bar with the user's points badge. The following are the steps I took to find the DOM XSS.
Read Post
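Both posts above turn on the same root cause: a `message` event listener that trusts whatever arrives in `event.data` without checking `event.origin`. The following is an added example, not code from either post, from DeepSeek or from Bing. It shows a vulnerable "points badge" handler next to a hardened one; the trusted origin `https://www.example.com`, the attacker origin, the element id and the `{label, points}` message shape are all assumptions made for the example. It runs under Node with a minimal element stand-in and wires itself to `window.addEventListener` when a browser is present.

```javascript
// Added example (not code from the blog posts or from the sites they describe).
// Vulnerable vs. hardened `message` handler for a "points badge" widget, assuming
// a trusted origin of https://www.example.com. Runs under Node with a minimal
// element stand-in, and wires itself to window.addEventListener in a browser.

const TRUSTED_ORIGINS = new Set(["https://www.example.com"]); // assumed allowlist

// Minimal stand-in for a DOM element so the handlers can run outside a browser.
function makeElement() {
  return { innerHTML: "" };
}

// Vulnerable pattern: no origin check, and untrusted message fields are
// concatenated straight into innerHTML. Any window that can obtain a reference
// to this one (opener, parent frame, window.open) can deliver the message.
function vulnerableBadgeHandler(badgeEl, event) {
  const { label, points } = event.data || {};
  badgeEl.innerHTML = `<span class="badge">${label}: ${points}</span>`;
  return badgeEl.innerHTML;
}

// HTML-encode the five characters that matter in text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: (1) reject messages whose origin is not an exact match on
// the allowlist (never indexOf/startsWith on the origin string), (2) validate
// the shape and type of the payload, (3) encode on output as defense in depth.
// Returns null when the message is dropped.
function hardenedBadgeHandler(badgeEl, event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;          // wrong origin
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;   // malformed
  const points = Number(data.points);
  if (!Number.isInteger(points) || points < 0) return null;     // not a count
  const label = typeof data.label === "string" ? data.label.slice(0, 64) : "";
  badgeEl.innerHTML = `<span class="badge">${escapeHtml(label)}: ${points}</span>`;
  return badgeEl.innerHTML;
}

// Constructed sample messages. A <script> tag written via innerHTML does not
// execute, so the attacker payload here uses an event-handler attribute instead.
const TRUSTED_EVENT = {
  origin: "https://www.example.com",
  data: { label: "Rewards", points: 120 },
};
const ATTACKER_EVENT = {
  origin: "https://attacker.example",              // assumed attacker origin
  data: { label: '<img src=x onerror="alert(origin)">', points: 1 },
};

// In a browser, the attacker page would deliver ATTACKER_EVENT.data like this:
//   const victim = window.open("https://www.example.com/");
//   setTimeout(() => victim.postMessage(ATTACKER_EVENT.data, "*"), 2000);
// The "*" target origin costs the attacker nothing; the bug is on the receiving side.

// Browser wiring (skipped under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const badge = document.getElementById("points-badge") || document.body;
  window.addEventListener("message", (event) => hardenedBadgeHandler(badge, event));
}

// Side-by-side result for the constructed attacker and trusted messages.
function demo() {
  return {
    vulnerable: vulnerableBadgeHandler(makeElement(), ATTACKER_EVENT),
    hardenedAttacker: hardenedBadgeHandler(makeElement(), ATTACKER_EVENT),
    hardenedTrusted: hardenedBadgeHandler(makeElement(), TRUSTED_EVENT),
  };
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

When reviewing a real listener, look for the same three things in order: is `event.origin` compared exactly against a fixed allowlist, is the payload type-checked before use, and does the result reach the page through an encoding path (or `textContent`) rather than raw `innerHTML` or `document.write`. A handler that passes only the third check still leaks behaviour to any origin; one that passes only the first is one compromised trusted origin away from the same bug.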