PortSwigger Research
https://portswigger.net/research
Last updated: Tue, 10 Dec 2024 16:07:15 GMT

Bypassing WAFs with the phantom $Version cookie
Wed, 04 Dec 2024 15:03:35 GMT
https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known

New crazy payloads in the URL Validation Bypass Cheat Sheet
Tue, 29 Oct 2024 13:59:13 GMT
https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet
The strength of our URL Validation Bypass Cheat Sheet lies in the contributions from the web security community, and today's update is no exception. We are excited to introduce a new and improved IP a

Concealing payloads in URL credentials
Wed, 23 Oct 2024 12:59:05 GMT
https://portswigger.net/research/concealing-payloads-in-url-credentials
Last year Johan Carlsson discovered you could conceal payloads inside the credentials part of the URL. This was fascinating to me especially because the payload is not actually visible in the URL in

Introducing the URL validation bypass cheat sheet
Tue, 03 Sep 2024 14:52:12 GMT
https://portswigger.net/research/introducing-the-url-validation-bypass-cheat-sheet
URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection. These work by using ambiguous URLs to trigger URL
Gotta cache 'em all: bending the rules of web cache exploitation
Thu, 08 Aug 2024 22:27:46 GMT
https://portswigger.net/research/gotta-cache-em-all
Through the years, we have seen many attacks exploiting web caches to hijack sensitive information or store malicious payloads. However, as CDNs became more popular, new discrepancies between propriet

Splitting the email atom: exploiting parsers to bypass access controls
Wed, 07 Aug 2024 21:32:47 GMT
https://portswigger.net/research/splitting-the-email-atom
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an

Listen to the whispers: web timing attacks that actually work
Wed, 07 Aug 2024 18:10:21 GMT
https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work
Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets

Fickle PDFs: exploiting browser rendering discrepancies
Tue, 09 Jul 2024 12:51:22 GMT
https://portswigger.net/research/fickle-pdfs-exploiting-browser-rendering-discrepancies
Imagine the CEO of a random company receives an email containing a PDF invoice file. In Safari and macOS Preview, the total price displayed is £399. After approval, the invoice is sent to the accounti

A hacking hat-trick: previewing three PortSwigger Research publications coming to DEF CON & Black Hat USA
Tue, 02 Jul 2024 12:57:08 GMT
https://portswigger.net/research/a-hacking-hat-trick-previewing-three-portswigger-research-publications-coming-to-def-con-amp-black-hat-usa
We're delighted to announce three major research releases from PortSwigger Research will be published at both Black Hat USA and DEF CON 32. In this post, we'll offer a quick teaser of each talk, info

onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet
Tue, 11 Jun 2024 14:58:29 GMT
https://portswigger.net/research/new-exotic-events-in-the-xss-cheat-sheet
The power of our XSS cheat sheet is we get fantastic contributions from the web security community and this update is no exception. We had valuable contributions from Mozilla to remove events that no

Refining your HTTP perspective, with bambdas
Wed, 29 May 2024 13:31:49 GMT
https://portswigger.net/research/adjusting-your-http-perspective-with-bambdas
When you open an HTTP request or response, what do you instinctively look for? Suspicious parameter names? CORS headers? Some clue as to the request's origin or underlying purpose? A single HTTP messag

Introducing SignSaboteur: forge signed web tokens with ease
Wed, 22 May 2024 12:37:00 GMT
https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease
Signed web tokens are widely used for stateless authentication and authorization throughout the web. The most popular format is JSON Web Tokens (JWT) which we've already covered in depth, but beyond t

Making desync attacks easy with TRACE
Tue, 19 Mar 2024 14:00:00 GMT
https://portswigger.net/research/trace-desync-attack
Have you ever found an HTTP desync vulnerability that seemed impossible to exploit due to its complicated constraints? In this blogpost we will explore a new exploitation technique that can be used to

Using form hijacking to bypass CSP
Tue, 05 Mar 2024 14:55:00 GMT
https://portswigger.net/research/using-form-hijacking-to-bypass-csp
In this post we'll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure configuration. What is form hijacking? Form hijacking isn't re

Top 10 web hacking techniques of 2023
Mon, 19 Feb 2024 14:31:12 GMT
https://portswigger.net/research/top-10-web-hacking-techniques-of-2023
Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

Hiding payloads in Java source code strings
Tue, 23 Jan 2024 15:00:00 GMT
https://portswigger.net/research/hiding-payloads-in-java-source-code-strings
In this post we'll show you how Java handles unicode escapes in source code strings in a way you might find surprising - and how you can abuse them to conceal payloads. We recently released a powerful
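The surprising behaviour the entry above refers to is that the Java compiler translates `\uXXXX` escapes before it tokenises the source (JLS §3.3), so an escape inside what looks like a string literal can produce a `"` that ends the literal, and an escape inside a `//` comment can produce a newline that ends the comment. The example below is added here and is not code from the post or from PortSwigger: it is a small Python emulation of that translation step, including the JLS eligibility rule (a backslash preceded by an odd number of backslashes does not start an escape, and a backslash produced by an escape does not start another one), followed by a deliberately minimal string-literal scanner. The sample Java fragments are constructed for the example; `pwn()` is a placeholder name.

```python
import re

_ESCAPE_TAIL = re.compile(r"u+([0-9A-Fa-f]{4})")


def translate_unicode_escapes(src: str) -> str:
    """Emulate JLS 3.3: replace eligible \\uXXXX escapes before lexing.

    A backslash is eligible only if it is preceded by an even number of
    consecutive raw backslashes. The character an escape produces is never
    itself treated as the start of a further escape.
    """
    out = []
    i = 0
    run = 0  # consecutive raw backslashes seen immediately before src[i]
    while i < len(src):
        ch = src[i]
        if ch == "\\":
            if run % 2 == 0:
                m = _ESCAPE_TAIL.match(src, i + 1)
                if m:
                    out.append(chr(int(m.group(1), 16)))
                    i = m.end()
                    run = 0  # the produced char is not a raw backslash
                    continue
            run += 1
            out.append(ch)
        else:
            run = 0
            out.append(ch)
        i += 1
    return "".join(out)


def _scan_string_literals(src: str):
    """Minimal lexer for "..." literals: a backslash escapes the next char.
    (No comment handling; enough to show where the literal boundaries fall.)"""
    lits = []
    i = 0
    while i < len(src):
        if src[i] == '"':
            j = i + 1
            buf = []
            while j < len(src) and src[j] != '"':
                if src[j] == "\\" and j + 1 < len(src):
                    buf.append(src[j:j + 2])
                    j += 2
                else:
                    buf.append(src[j])
                    j += 1
            lits.append("".join(buf))
            i = j + 1
        else:
            i += 1
    return lits


def naive_string_literals(java_src: str):
    """What a reviewer (or a regex-based scanner) sees: escapes kept as data."""
    return _scan_string_literals(java_src)


def javac_string_literals(java_src: str):
    """What javac sees: escapes translated first, then the literal is lexed."""
    return _scan_string_literals(translate_unicode_escapes(java_src))


def strip_line_comments(java_src: str) -> str:
    """Drop // comments the way the lexer does: after escape translation."""
    src = translate_unicode_escapes(java_src)
    return "\n".join(line.split("//", 1)[0] for line in src.split("\n"))


# Constructed samples. To a human reader the first is one harmless string and
# the second is one harmless comment; after translation neither is.
SAMPLE_STRING = r'String s = "\u0022+pwn()+\u0022";'
SAMPLE_COMMENT = r"// harmless comment \u000a pwn();"

if __name__ == "__main__":
    print("naive :", naive_string_literals(SAMPLE_STRING))
    print("javac :", javac_string_literals(SAMPLE_STRING))
    print("code  :", strip_line_comments(SAMPLE_COMMENT).strip())
```

The practical check this suggests: run source through the same escape translation before any grep, regex or review tooling looks for string contents or comment boundaries, and treat a `\u0022` or `\u000a` outside a context that needs it as a finding in its own right.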
Top 10 web hacking techniques of 2023 - nominations open
Tue, 09 Jan 2024 14:33:50 GMT
https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
Update: The results are in! Check out the final top ten here or scroll down to view all nominations. Over the last year, numerous security researchers have shared their discoveries with the community t

Finding that one weird endpoint, with Bambdas
Tue, 12 Dec 2023 14:11:17 GMT
https://portswigger.net/research/finding-that-one-weird-endpoint-with-bambdas
Security research involves a lot of failure. It's a perpetual balancing act between taking small steps with a predictable but boring outcome, and trying out wild concepts that are so crazy they might

Blind CSS Exfiltration: exfiltrate unknown web pages
Tue, 05 Dec 2023 15:37:20 GMT
https://portswigger.net/research/blind-css-exfiltration
This is a gif of the exfiltration process (we've increased the speed so you're not waiting around for 1 minute). Read on to discover how this works... CSS Cafe presentation: I presented this technique

The single-packet attack: making remote race-conditions 'local'
Wed, 18 Oct 2023 12:54:01 GMT
https://portswigger.net/research/the-single-packet-attack-making-remote-race-conditions-local
The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an

How to build custom scanners for web security research automation
Tue, 03 Oct 2023 13:34:47 GMT
https://portswigger.net/research/how-to-build-custom-scanners-for-web-security-research-automation
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web security. As a worked example, I'l

Smashing the state machine: the true potential of web race conditions
Wed, 09 Aug 2023 18:00:00 GMT
https://portswigger.net/research/smashing-the-state-machine
For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding

Exploiting XSS in hidden inputs and meta tags
Tue, 11 Jul 2023 13:00:00 GMT
https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags
In this post we are going to show how you can (ab)use the new HTML popup functionality in Chrome to exploit XSS in meta tags and hidden inputs. It all started when I noticed the new popover behaviour

How I choose a security research topic
Wed, 14 Jun 2023 13:09:35 GMT
https://portswigger.net/research/how-i-choose-a-security-research-topic
How do you choose what topic to research? That's the single most common question I get asked, probably because selecting a topic is such a daunting prospect. In this post, I'll take a personal look at

Bypassing CSP via DOM clobbering
Mon, 05 Jun 2023 14:00:00 GMT
https://portswigger.net/research/bypassing-csp-via-dom-clobbering
You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost: it might be possible to bypass CSP using DOM clobbering, which you can now detec

Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
Fri, 28 Apr 2023 12:00:00 GMT
https://portswigger.net/research/ambushed-by-angularjs-a-hidden-csp-bypass-in-piwik-pro
Any individual website component can undermine the security of the entire site, and analytics platforms are no exception. With this in mind, we decided to do a quick audit of Piwik PRO to make sure it

The curl quirk that exposed Burp Suite & Google Chrome
Tue, 28 Mar 2023 13:13:51 GMT
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome
In this post, we'll explore a little-known feature in curl that led to a local-file disclosure vulnerability in both Burp Suite Pro and Google Chrome. We patched Burp Suite a while back, but suspect

Exploiting prototype pollution in Node without the filesystem
Thu, 23 Mar 2023 15:00:00 GMT
https://portswigger.net/research/exploiting-prototype-pollution-in-node-without-the-filesystem
In this post, we'll introduce a new exploitation technique for Server-Side Prototype Pollution. If you've detected SSPP (maybe using one of our black-box techniques), the next step towards RCE is to f

Server-side prototype pollution: Black-box detection without the DoS
Wed, 15 Feb 2023 16:30:00 GMT
https://portswigger.net/research/server-side-prototype-pollution
Server-side prototype pollution is hard to detect black-box without causing a DoS. In this post, we introduce a range of safe detection techniques, which we've also implemented in an open source Burp

Top 10 web hacking techniques of 2022
Wed, 08 Feb 2023 14:20:30 GMT
https://portswigger.net/research/top-10-web-hacking-techniques-of-2022
Welcome to the Top 10 Web Hacking Techniques of 2022, the 16th edition of our annual community-powered effort to identify the most important and innovative web security research published in the last

Top 10 web hacking techniques of 2022 - nominations open
Wed, 04 Jan 2023 13:52:52 GMT
https://portswigger.net/research/top-10-web-hacking-techniques-of-2022-nominations-open
Update: Voting is now closed, and the panel vote is in progress. Nominations are now open for the top 10 new web hacking techniques of 2022! Every year, security researchers share their latest f

Hijacking service workers via DOM Clobbering
Tue, 29 Nov 2022 14:00:02 GMT
https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering
In this post, we'll briefly review how service worker hijacking works, then introduce a variant that can be triggered via DOM clobbering thanks to a quirk in document.getElementById(). Understanding s

Stealing passwords from infosec Mastodon - without bypassing CSP
Tue, 15 Nov 2022 14:00:03 GMT
https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
The story of how I could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

Detecting web message misconfigurations for cross-domain credential theft
Wed, 09 Nov 2022 14:13:00 GMT
https://portswigger.net/research/detecting-web-message-misconfigurations-for-cross-domain-credential-theft
We released a new version of Burp recently on the Early Adopter channel that updates DOM Invader to help find cross-domain secrets. In this post we are going to show you how to use DOM Invader to dete

Safari is hot-linking images to semi-random websites
Mon, 31 Oct 2022 14:58:00 GMT
https://portswigger.net/research/safari-is-hot-linking-images-to-semi-random-websites
Every image is potentially a URL on Safari, thanks to over-enthusiastic OCR (Optical Character Recognition). This means you can link any image to an external website - and Safari might already be send

HTTP/3 connection contamination: an upcoming threat?
Wed, 19 Oct 2022 13:28:09 GMT
https://portswigger.net/research/http-3-connection-contamination
I recently documented a dangerous reverse-proxy behaviour called first-request routing, which enables host-header attacks on back-end systems. In this post, I'll show how first-request routing also en

Our favourite community contributions to the XSS cheat sheet
Mon, 03 Oct 2022 14:28:12 GMT
https://portswigger.net/research/our-favourite-community-contributions-to-the-xss-cheat-sheet
Since we launched the ever popular XSS cheat sheet, we've had some fantastic contributions from the XSS community. In this post, we thought we'd take the opportunity to highlight the seven best commun

Making HTTP header injection critical via response queue poisoning
Thu, 22 Sep 2022 14:00:00 GMT
https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning
HTTP header injection is often under-estimated and misclassified as a moderate severity flaw equivalent to XSS or, worse, Open Redirection. In this post, I'll share a simple technique I used to take a

The seventh way to call a JavaScript function without parentheses
Mon, 12 Sep 2022 13:00:00 GMT
https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses
I thought I knew all the ways to call functions without parentheses: alert`1337` throw onerror=alert,1337 Function`x${'alert\x281337\x29'}x``` 'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eva

How to turn security research into profit: a CL.0 case study
Tue, 06 Sep 2022 12:55:00 GMT
https://portswigger.net/research/how-to-turn-security-research-into-profit
Have you ever seen a promising hacking technique, only to try it out and struggle to find any vulnerable systems or non-duplicate findings? In this post, I'll take a concise look at the most effective