How to build custom scanners for web security research automation
In this post, I’ll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web…
The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which…
This is a gif of the exfiltration process (We’ve increased the speed so you’re not waiting around for 1 minute). Read on to discover how…
Security research involves a lot of failure. It’s a perpetual balancing act between taking small steps with a predictable but boring outcome, and trying out…
Update: The results are in! Check out the final top ten here or scroll down to view all nominations. Over the last year, numerous security…
In this post we’ll show you how Java handles Unicode escapes in source code strings in a way you might find surprising – and how…
Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web…
In this post we’ll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure…
Have you ever found an HTTP desync vulnerability that seemed impossible to exploit due to its complicated constraints? In this blogpost we will explore a…
Signed web tokens are widely used for stateless authentication and authorization throughout the web. The most popular format is JSON Web Tokens (JWT) which we’ve…
When you open a HTTP request or response, what do you instinctively look for? Suspicious parameter names? CORS headers? Some clue as to the request’s…
The power of our XSS cheat sheet is we get fantastic contributions from the web security community and this update is no exception. We had…