Drag and Pwnd: Leverage ASCII characters to exploit VS Code
Control characters like SOH, STX, EOT and ETX were never meant to run your code – but in the world of modern terminal emulators, they…
Manual testing doesn’t have to be repetitive. In this post, we’re introducing Repeater Strike – a new AI-powered Burp Suite extension designed to automate the…
Sometimes people think they’ve found HTTP request smuggling, when they’re actually just observing HTTP keep-alive or pipelining. This is usually a false positive, but sometimes…
I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style…
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses…
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot,…
If you’ve ever used Burp Intruder or Turbo Intruder, you’ll be familiar with the ritual of manually digging through thousands of responses by repeatedly sorting…
Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web…
PortSwigger today announces that The Daily Swig is closing down. Over the past five-and-a-half years, The Daily Swig has provided an independent and high-quality perspective…
New web targets for the discerning hacker. Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.…
Charlie Osborne, 28 February 2023 at 14:15 UTC. Updated: 28 February 2023 at 14:51 UTC. Armed with personal data fragments, a researcher could also access…
The second part of our password manager series looks at business-grade tech to handle API tokens, login credentials, and more. Modern enterprises run dozens (and…