PortSwigger Research
Feed URL: https://portswigger.net/research
Icon: https://portswigger.net/research/rss/icon
Language: en-gb
Last updated: Fri, 06 Feb 2026 10:17:47 GMT

Top 10 web hacking techniques of 2025
Published: Thu, 05 Feb 2026 15:28:08 GMT
URL: https://portswigger.net/research/top-10-web-hacking-techniques-of-2025
Summary: Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

Top 10 web hacking techniques of 2025: call for nominations
Published: Tue, 06 Jan 2026 15:31:28 GMT
URL: https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open
Summary: Update: nominations are now closed, and voting is live! Cast your vote here Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentati

The Fragile Lock: Novel Bypasses For SAML Authentication
Published: Wed, 10 Dec 2025 12:32:00 GMT
URL: https://portswigger.net/research/the-fragile-lock
Summary: TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi

Introducing HTTP Anomaly Rank
Published: Tue, 11 Nov 2025 14:41:53 GMT
URL: https://portswigger.net/research/introducing-http-anomaly-rank
Summary: HTTP Anomaly Rank If you've ever used Burp Intruder or Turbo Intruder, you'll be familiar with the ritual of manually digging through thousands of responses by repeatedly sorting the table via length,

WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Published: Wed, 17 Sep 2025 12:40:06 GMT
URL: https://portswigger.net/research/websocket-turbo-intruder-unearthing-the-websocket-goldmine
Summary: Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi

Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Published: Wed, 03 Sep 2025 14:46:23 GMT
URL: https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes
Summary: Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

Inline Style Exfiltration: leaking data with chained CSS conditionals
Published: Tue, 26 Aug 2025 12:54:03 GMT
URL: https://portswigger.net/research/inline-style-exfiltration
Summary: I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style attributes! Learn how below: Someone asked if you c

Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling
Published: Tue, 19 Aug 2025 14:30:44 GMT
URL: https://portswigger.net/research/how-to-distinguish-http-pipelining-from-request-smuggling
Summary: Sometimes people think they've found HTTP request smuggling, when they're actually just observing HTTP keep-alive or pipelining. This is usually a false positive, but sometimes there's actually a real

HTTP/1.1 must die: the desync endgame
Published: Wed, 06 Aug 2025 22:20:00 GMT
URL: https://portswigger.net/research/http1-must-die
Summary: Abstract Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This p

Repeater Strike: manual testing, amplified
Published: Tue, 15 Jul 2025 13:46:37 GMT
URL: https://portswigger.net/research/repeater-strike-manual-testing-amplified
Summary: Manual testing doesn't have to be repetitive. In this post, we're introducing Repeater Strike - a new AI-powered Burp Suite extension designed to automate the hunt for IDOR and similar vulnerabilities

Drag and Pwnd: Leverage ASCII characters to exploit VS Code
Published: Wed, 30 Apr 2025 12:37:11 GMT
URL: https://portswigger.net/research/drag-and-pwnd-leverage-ascii-characters-to-exploit-vs-code
Summary: Control characters like SOH, STX, EOT and ETX were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics

Document My Pentest: you hack, the AI writes it up!
Published: Wed, 23 Apr 2025 13:17:24 GMT
URL: https://portswigger.net/research/document-my-pentest
Summary: Tired of repeating yourself? Automate your web security audit trail. In this post I'll introduce a new Burp AI extension that takes the boring bits out of your pen test. Web security testing can be a

SAML roulette: the hacker always wins
Published: Tue, 18 Mar 2025 14:55:43 GMT
URL: https://portswigger.net/research/saml-roulette-the-hacker-always-wins
Summary: Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library

Shadow Repeater:AI-enhanced manual testing
Published: Thu, 20 Feb 2025 13:20:19 GMT
URL: https://portswigger.net/research/shadow-repeater-ai-enhanced-manual-testing
Summary: Have you ever wondered how many vulnerabilities you've missed by a hair's breadth, due to a single flawed choice? We've just released Shadow Repeater, which enhances your manual testing with AI-powere

Top 10 web hacking techniques of 2024
Published: Tue, 04 Feb 2025 15:01:48 GMT
URL: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
Summary: Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

Bypassing character blocklists with unicode overflows
Published: Tue, 28 Jan 2025 13:58:28 GMT
URL: https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows
Summary: Unicode codepoint truncation - also called a Unicode overflow attack - happens when a server tries to store a Unicode character in a single byte. Because the maximum value of a byte is 255, an overflo

Stealing HttpOnly cookies with the cookie sandwich technique
Published: Wed, 22 Jan 2025 14:45:11 GMT
URL: https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique
Summary: In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie

Top 10 web hacking techniques of 2024: nominations open
Published: Wed, 08 Jan 2025 14:07:27 GMT
URL: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open
Summary: Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an

Bypassing WAFs with the phantom $Version cookie
Published: Wed, 04 Dec 2024 15:03:35 GMT
URL: https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie
Summary: HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known

New crazy payloads in the URL Validation Bypass Cheat Sheet
Published: Tue, 29 Oct 2024 13:59:13 GMT
URL: https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet
Summary: The strength of our URL Validation Bypass Cheat Sheet lies in the contributions from the web security community, and today’s update is no exception. We are excited to introduce a new and improved IP a

Concealing payloads in URL credentials
Published: Wed, 23 Oct 2024 12:59:05 GMT
URL: https://portswigger.net/research/concealing-payloads-in-url-credentials
Summary: Last year Johan Carlsson discovered you could conceal payloads inside the credentials part of the URL. This was fascinating to me especially because the payload is not actually visible in the URL in

Introducing the URL validation bypass cheat sheet
Published: Tue, 03 Sep 2024 14:52:12 GMT
URL: https://portswigger.net/research/introducing-the-url-validation-bypass-cheat-sheet
Summary: URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection. These work by using ambiguous URLs to trigger URL

Gotta cache 'em all: bending the rules of web cache exploitation
Published: Thu, 08 Aug 2024 22:27:46 GMT
URL: https://portswigger.net/research/gotta-cache-em-all
Summary: Through the years, we have seen many attacks exploiting web caches to hijack sensitive information or store malicious payloads. However, as CDNs became more popular, new discrepancies between propriet

Splitting the email atom: exploiting parsers to bypass access controls
Published: Wed, 07 Aug 2024 21:32:47 GMT
URL: https://portswigger.net/research/splitting-the-email-atom
Summary: Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an

Listen to the whispers: web timing attacks that actually work
Published: Wed, 07 Aug 2024 18:10:21 GMT
URL: https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work
Summary: Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets

Fickle PDFs: exploiting browser rendering discrepancies
Published: Tue, 09 Jul 2024 12:51:22 GMT
URL: https://portswigger.net/research/fickle-pdfs-exploiting-browser-rendering-discrepancies
Summary: Imagine the CEO of a random company receives an email containing a PDF invoice file. In Safari and MacOS Preview, the total price displayed is £399. After approval, the invoice is sent to the accounti

A hacking hat-trick: previewing three PortSwigger Research publications coming to DEF CON & Black Hat USA
Published: Tue, 02 Jul 2024 12:57:08 GMT
URL: https://portswigger.net/research/a-hacking-hat-trick-previewing-three-portswigger-research-publications-coming-to-def-con-amp-black-hat-usa
Summary: We're delighted to announce three major research releases from PortSwigger Research will be published at both Black Hat USA and DEF CON 32. In this post, we'll offer a quick teaser of each talk, info

onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet
Published: Tue, 11 Jun 2024 14:58:29 GMT
URL: https://portswigger.net/research/new-exotic-events-in-the-xss-cheat-sheet
Summary: The power of our XSS cheat sheet is we get fantastic contributions from the web security community and this update is no exception. We had valuable contributions from Mozilla to remove events that no

Refining your HTTP perspective, with bambdas
Published: Wed, 29 May 2024 13:31:49 GMT
URL: https://portswigger.net/research/adjusting-your-http-perspective-with-bambdas
Summary: When you open a HTTP request or response, what do you instinctively look for? Suspicious parameter names? CORS headers? Some clue as to the request's origin or underlying purpose? A single HTTP messag

Introducing SignSaboteur: forge signed web tokens with ease
Published: Wed, 22 May 2024 12:37:00 GMT
URL: https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease
Summary: Signed web tokens are widely used for stateless authentication and authorization throughout the web. The most popular format is JSON Web Tokens (JWT) which we've already covered in depth, but beyond t

Making desync attacks easy with TRACE
Published: Tue, 19 Mar 2024 14:00:00 GMT
URL: https://portswigger.net/research/trace-desync-attack
Summary: Have you ever found an HTTP desync vulnerability that seemed impossible to exploit due to its complicated constraints? In this blogpost we will explore a new exploitation technique that can be used to

Using form hijacking to bypass CSP
Published: Tue, 05 Mar 2024 14:55:00 GMT
URL: https://portswigger.net/research/using-form-hijacking-to-bypass-csp
Summary: In this post we'll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure configuration. What is form hijacking? Form hijacking isn't re

Top 10 web hacking techniques of 2023
Published: Mon, 19 Feb 2024 14:31:12 GMT
URL: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023
Summary: Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

Hiding payloads in Java source code strings
Published: Tue, 23 Jan 2024 15:00:00 GMT
URL: https://portswigger.net/research/hiding-payloads-in-java-source-code-strings
Summary: In this post we'll show you how Java handles unicode escapes in source code strings in a way you might find surprising - and how you can abuse them to conceal payloads. We recently released a powerful

Top 10 web hacking techniques of 2023 - nominations open
Published: Tue, 09 Jan 2024 14:33:50 GMT
URL: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
Summary: Update: The results are in! Check out the final top ten here or scroll down to view all nominations Over the last year, numerous security researchers have shared their discoveries with the community t

Finding that one weird endpoint, with Bambdas
Published: Tue, 12 Dec 2023 14:11:17 GMT
URL: https://portswigger.net/research/finding-that-one-weird-endpoint-with-bambdas
Summary: Security research involves a lot of failure. It's a perpetual balancing act between taking small steps with a predictable but boring outcome, and trying out wild concepts that are so crazy they might

Blind CSS Exfiltration: exfiltrate unknown web pages
Published: Tue, 05 Dec 2023 15:37:20 GMT
URL: https://portswigger.net/research/blind-css-exfiltration
Summary: This is a gif of the exfiltration process (We've increased the speed so you're not waiting around for 1 minute). Read on to discover how this works... CSS Cafe presentation I presented this technique

The single-packet attack: making remote race-conditions 'local'
Published: Wed, 18 Oct 2023 12:54:01 GMT
URL: https://portswigger.net/research/the-single-packet-attack-making-remote-race-conditions-local
Summary: The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an

How to build custom scanners for web security research automation
Published: Tue, 03 Oct 2023 13:34:47 GMT
URL: https://portswigger.net/research/how-to-build-custom-scanners-for-web-security-research-automation
Summary: In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web security. As a worked example, I'l

Smashing the state machine: the true potential of web race conditions
Published: Wed, 09 Aug 2023 18:00:00 GMT
URL: https://portswigger.net/research/smashing-the-state-machine
Summary: For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding