See No Eval: Runtime Dynamic Code Execution in Objective-C

There is a Turing-complete querying language embedded in Objective-C, hidden in plain sight.

X Site eScape (Part II): Look Up a Shell in the Dictionary

A funny bug chain turning inter-process XSS into native code execution for sandbox escape.

X Site eScape (Part III): CVE-2020-9860, A Copycat

Copycat.

X Site eScape (Part I): Exploitation of An Old CoreFoundation Sandbox Bug

Triggering inter-process XSS for fun and profit.

Revisiting An Old MediaRemote Bug (CVE-2018-4340)

Useless bugs are just being given up on too early.

Two macOS Persistence Tricks Abusing Plugins

Similar to DLL sideloading, legit plugins on macOS could be abused to load executable code on startup.