terjanq
@terjanq
security enthusiast that loves hunting for bugs in the wild. co-founder and player of @justCatTheFish. infosec at @google. opinions are mine.
Switzerland
Joined January 2019
  • Pinned
    We published a blogpost about SafeContentFrame - a library for rendering untrusted content inside an iframe. The library is a big part of what I've been up to in the last few years! Check out the blog and take a slice of my birthday cake 🎂! bughunters.google.com/blog/671552987…
  • I created a repository to keep track of cool XSS payloads github.com/terjanq/Tiny-X… Check this out! #xss @XssPayloads #bugbountytips
  • My last tweet unexpectedly has brought a lot of attention and discussion. Here is the shortest payload for a tiny reverse shell written in 19 bytes using only non-alphanumeric characters. Hex values inside ⛶ indicate raw bytes. #php #phphacks #ctf #infosec #bugbountytips
    Shortest PHP reverse shell using only non alphanumeric.
  • Cool trick to execute any PHP code with non-alphanumeric characters only. #ctf #bugbountytip #infosec #php #phphacks
    PHP trick to execute code with non-alphanumeric characters
  • I recently discovered a fancy way to execute arbitrary XSS without parentheses. As far as I am concerned this is a novel technique terjanq.me/xss.php?js=onh… #javascript #bugbountytips #xss
    Parentheses less arbitrary XSS
  • Google CTF will start in less than 48h from now. Make sure not to miss the great challenges we've prepared this year!! Can't describe how excited I am for it 😶
  • The best hackers are former web developers.
  • Here comes my writeup to the hardest so far XSS challenge from @intigriti. I included 4 possible attempts though there are many other possible solutions. Can't wait to read the writeups from all other participants, those who solved and those who didn't!
  • I just got a fancy idea to create strings in #javascript without using dangerous characters 😃 Inspired by @garethheyes challenge from @WebSecAcademy. #bugbountytips #xss
  • The idea behind my latest XSS challenge was to bypass a strict CSP to execute arbitrary XSS without using parentheses. I explained the solution in detail, with mini-research alongside, in this article medium.com/@terjanq/arbit…. Check it out! 😃 #javascript #xss #bugbountytips
  • This is a collection of my infosec tweets featuring lessons learned, highlighting my research, and showcasing my solutions to various challenges from CTFs and others. In short, My Infosec Journey! ⚡️👾 #infosec #bugbountytips #ctf #writeups #javascript x.com/i/moments/1309…
  • A brand new #XSSearch technique that allows exfiltrating content-type header from cross-origin requests. #XSLeaks
  • I've been really busy recently working on my challenge for the upcoming GoogleCTF but managed to draft a mini-article about problem-solving skills. Hope it answers one of the most common questions I receive and which is: How do you solve them so quickly? 🙃
  • I learned this week how I can perform an error-based #xssearch without using any #javascript! It takes advantage of *alternative text* when an object cannot be rendered and then styling it with a *custom font*. My full payload to the chall: gist.github.com/terjanq/33bbb8… #xsleaks