Category: PortSwigger

Fickle PDFs: exploiting browser rendering discrepancies
09
Mar
2026

Fickle PDFs: exploiting browser rendering discrepancies

Imagine the CEO of a random company receives an email containing a PDF invoice file. In Safari and MacOS Preview,…

Share: X : Fickle PDFs: exploiting browser rendering discrepanciesFacebook : Fickle PDFs: exploiting browser rendering discrepanciesLinkedin : Fickle PDFs: exploiting browser rendering discrepanciesReddit : Fickle PDFs: exploiting browser rendering discrepanciesTelegram : Fickle PDFs: exploiting browser rendering discrepanciesWhatsApp : Fickle PDFs: exploiting browser rendering discrepanciesEmail : Fickle PDFs: exploiting browser rendering discrepancies
Introducing the URL validation bypass cheat sheet
09
Mar
2026

Introducing the URL validation bypass cheat sheet

URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection….

Share: X : Introducing the URL validation bypass cheat sheetFacebook : Introducing the URL validation bypass cheat sheetLinkedin : Introducing the URL validation bypass cheat sheetReddit : Introducing the URL validation bypass cheat sheetTelegram : Introducing the URL validation bypass cheat sheetWhatsApp : Introducing the URL validation bypass cheat sheetEmail : Introducing the URL validation bypass cheat sheet
Concealing payloads in URL credentials
09
Mar
2026

Concealing payloads in URL credentials

Last year Johan Carlsson discovered you could conceal payloads inside the credentials part of the URL . This was fascinating…

Share: X : Concealing payloads in URL credentialsFacebook : Concealing payloads in URL credentialsLinkedin : Concealing payloads in URL credentialsReddit : Concealing payloads in URL credentialsTelegram : Concealing payloads in URL credentialsWhatsApp : Concealing payloads in URL credentialsEmail : Concealing payloads in URL credentials
New crazy payloads in the URL Validation Bypass Cheat Sheet
09
Mar
2026

New crazy payloads in the URL Validation Bypass Cheat Sheet

The strength of our URL Validation Bypass Cheat Sheet lies in the contributions from the web security community, and today’s…

Share: X : New crazy payloads in the URL Validation Bypass Cheat SheetFacebook : New crazy payloads in the URL Validation Bypass Cheat SheetLinkedin : New crazy payloads in the URL Validation Bypass Cheat SheetReddit : New crazy payloads in the URL Validation Bypass Cheat SheetTelegram : New crazy payloads in the URL Validation Bypass Cheat SheetWhatsApp : New crazy payloads in the URL Validation Bypass Cheat SheetEmail : New crazy payloads in the URL Validation Bypass Cheat Sheet
Bypassing WAFs with the phantom $Version cookie
09
Mar
2026

Bypassing WAFs with the phantom $Version cookie

HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In…

Share: X : Bypassing WAFs with the phantom $Version cookieFacebook : Bypassing WAFs with the phantom $Version cookieLinkedin : Bypassing WAFs with the phantom $Version cookieReddit : Bypassing WAFs with the phantom $Version cookieTelegram : Bypassing WAFs with the phantom $Version cookieWhatsApp : Bypassing WAFs with the phantom $Version cookieEmail : Bypassing WAFs with the phantom $Version cookie
Stealing HttpOnly cookies with the cookie sandwich technique
09
Mar
2026

Stealing HttpOnly cookies with the cookie sandwich technique

In this post, I will introduce the “cookie sandwich” technique which lets you bypass the HttpOnly flag on certain servers….

Share: X : Stealing HttpOnly cookies with the cookie sandwich techniqueFacebook : Stealing HttpOnly cookies with the cookie sandwich techniqueLinkedin : Stealing HttpOnly cookies with the cookie sandwich techniqueReddit : Stealing HttpOnly cookies with the cookie sandwich techniqueTelegram : Stealing HttpOnly cookies with the cookie sandwich techniqueWhatsApp : Stealing HttpOnly cookies with the cookie sandwich techniqueEmail : Stealing HttpOnly cookies with the cookie sandwich technique
Bypassing character blocklists with unicode overflows
09
Mar
2026

Bypassing character blocklists with unicode overflows

Unicode codepoint truncation – also called a Unicode overflow attack – happens when a server tries to store a Unicode…

Share: X : Bypassing character blocklists with unicode overflowsFacebook : Bypassing character blocklists with unicode overflowsLinkedin : Bypassing character blocklists with unicode overflowsReddit : Bypassing character blocklists with unicode overflowsTelegram : Bypassing character blocklists with unicode overflowsWhatsApp : Bypassing character blocklists with unicode overflowsEmail : Bypassing character blocklists with unicode overflows
Top 10 web hacking techniques of 2024
08
Mar
2026

Top 10 web hacking techniques of 2024

Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify…

Share: X : Top 10 web hacking techniques of 2024Facebook : Top 10 web hacking techniques of 2024Linkedin : Top 10 web hacking techniques of 2024Reddit : Top 10 web hacking techniques of 2024Telegram : Top 10 web hacking techniques of 2024WhatsApp : Top 10 web hacking techniques of 2024Email : Top 10 web hacking techniques of 2024
Shadow Repeater:AI-enhanced manual testing | PortSwigger Research
08
Mar
2026

Shadow Repeater:AI-enhanced manual testing | PortSwigger Research

Have you ever wondered how many vulnerabilities you’ve missed by a hair’s breadth, due to a single flawed choice? We’ve…

Share: X : Shadow Repeater:AI-enhanced manual testing | PortSwigger ResearchFacebook : Shadow Repeater:AI-enhanced manual testing | PortSwigger ResearchLinkedin : Shadow Repeater:AI-enhanced manual testing | PortSwigger ResearchReddit : Shadow Repeater:AI-enhanced manual testing | PortSwigger ResearchTelegram : Shadow Repeater:AI-enhanced manual testing | PortSwigger ResearchWhatsApp : Shadow Repeater:AI-enhanced manual testing | PortSwigger ResearchEmail : Shadow Repeater:AI-enhanced manual testing | PortSwigger Research
SAML roulette: the hacker always wins
08
Mar
2026

SAML roulette: the hacker always wins

Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access…

Share: X : SAML roulette: the hacker always winsFacebook : SAML roulette: the hacker always winsLinkedin : SAML roulette: the hacker always winsReddit : SAML roulette: the hacker always winsTelegram : SAML roulette: the hacker always winsWhatsApp : SAML roulette: the hacker always winsEmail : SAML roulette: the hacker always wins
Document My Pentest: you hack, the AI writes it up!
08
Mar
2026

Document My Pentest: you hack, the AI writes it up!

Tired of repeating yourself? Automate your web security audit trail. In this post I’ll introduce a new Burp AI extension…

Share: X : Document My Pentest: you hack, the AI writes it up!Facebook : Document My Pentest: you hack, the AI writes it up!Linkedin : Document My Pentest: you hack, the AI writes it up!Reddit : Document My Pentest: you hack, the AI writes it up!Telegram : Document My Pentest: you hack, the AI writes it up!WhatsApp : Document My Pentest: you hack, the AI writes it up!Email : Document My Pentest: you hack, the AI writes it up!
Drag and Pwnd: Leverage ASCII characters to exploit VS Code
08
Mar
2026

Drag and Pwnd: Leverage ASCII characters to exploit VS Code

Control characters like SOH, STX, EOT and ETX were never meant to run your code – but in the world…

Share: X : Drag and Pwnd: Leverage ASCII characters to exploit VS CodeFacebook : Drag and Pwnd: Leverage ASCII characters to exploit VS CodeLinkedin : Drag and Pwnd: Leverage ASCII characters to exploit VS CodeReddit : Drag and Pwnd: Leverage ASCII characters to exploit VS CodeTelegram : Drag and Pwnd: Leverage ASCII characters to exploit VS CodeWhatsApp : Drag and Pwnd: Leverage ASCII characters to exploit VS CodeEmail : Drag and Pwnd: Leverage ASCII characters to exploit VS Code