PortSwigger Research @PortSwiggerRes
Web security research from the team at @PortSwigger portswigger.net/research Joined September 2019
Tweets 886 - Followers 87K - Following 7 - Likes 67
Since having @albinowax research tools embedded in #BurpSuite, I keep finding race condition issues in the payment systems. I was doing this stuff before (since 2010 at least) but was not always successful. The single packet attack is 👌 - Turbo Intruder can also elevate it!
We've just published "Making desync attacks easy with TRACE" by new PortSwigger Research member @tincho_508! portswigger.net/research/trace…
We've had another quality contribution to our XSS cheat sheet from @h4nsmach1ne. This one uses onformdata and requires interaction. portswigger.net/web-security/c…
The onloadstart event no longer works with image tags, but @h4nsmach1ne discovered video tags work instead! We've updated our XSS cheat sheet to reflect this: portswigger.net/web-security/c…
Join @garethheyes as he unveils the secrets of Blind CSS Exfiltration, an innovative blind attack technique designed to extract data from web pages through CSS. Watch the talk now: youtube.com/watch?v=3WjDnn…
The easiest way to find a max-impact desync vulnerability in 2024: 1. Create a novel desync technique 2. Add it to a tool like HTTP Request Smuggler 3. Scan a bunch of systems and see what sticks. The only tricky step is #1 and there's a new tool to help with this 1/2
This new BApp adds a convenient way to banish noisy requests from Burp Suite. x.com/bapp_store/sta…
One day remaining to cast your vote for the top ten web hacking techniques of 2023! Vote here: portswigger.net/polls/top-10-w…
Hiding malicious Java in source code strings portswigger.net/research/hidin…
Voting is now live for the Top ten web hacking techniques of 2023! Make a brew, browse the nominations, and cast a vote for your personal top ten here: portswigger.net/polls/top-10-w…
Indirect prompt injection is so crazy I think it might become the new blind XSS. Here’s the attack in a nutshell, illustrated by @WebSecAcademy
Five days remaining to submit nominations for the Top ten web hacking techniques of 2023! portswigger.net/research/top-1…
🔔 New topic alert: Web LLM attacks 🔔 Stay ahead in application security - dive into the world of LLMs to discover their weaknesses and understand how to exploit them. Read our latest learning materials and try your hand at the new interactive labs. portswigger.net/web-security/l…
We've updated this post with another ~50 nominations! Many thanks, keep them coming! x.com/portswiggerres…
In the spirit of excessive automation, I've added AI-assisted summaries for every nomination for the Top 10 web hacking techniques of 2023. Take a look and let me know what you think - helpful or pointless? portswigger.net/research/top-1…
Nominations are now open for the top 10 new web hacking techniques of 2023! Check out the nominations so far, and make your own here -> portswigger.net/research/top-1…
Find that one weird endpoint, with Bambdas (by @albinowax & @garethheyes) -> portswigger.net/research/findi…
You've heard of blind XSS - but what if there's CSP? Introducing blind CSS injection! portswigger.net/research/blind…
Met with @albinowax at @nullcon! Got a chance to have a quick chat with him about @PortSwiggerRes and #LLM security #nullcon
As usual from @PortSwiggerRes and @albinowax, it's not just the theory but the accompanying resources which support the practice - nice job!
We've just published 'Smashing the state machine: the true potential of web race conditions' by @albinowax! Dive in to arm yourself with novel techniques & tooling, and help reshape this attack class: portswigger.net/research/smash…
Amazing research
You can't possibly keep track of every single XSS vector. That's why @PortSwiggerRes has constructed an XSS cheat sheet which has all the vectors you'll ever need: #burpchallenge portswigger.net/web-security/c…
XSS isn't just about cookies; you don't need a cookie if you can steal a user's password. Using JavaScript, you can utilise the browser's autofill functionality to fill in and steal the victim's password conveniently. #burpchallenge
We'll be covering XSS for the next three weeks, which gives you all plenty of opportunity to complete the apprentice and practitioner-level labs. This is a huge topic, with plenty of labs for complete beginners and seasoned pros alike. #burpchallenge portswigger.net/web-security/a…
@PortSwiggerRes @Burp_Suite @paulmutton Indeed, Fiddler's cUrl Exporter does seem to have this issue (it uses the --d argument)
@PortSwiggerRes @WebSecAcademy @ptswarm A small addition: with Spring Framework 6.0 (end-2022), a trailing slash doesn't match by default, but in previous versions you can use it for access bypass. If only "/admin" is blocked, try to use "/admin/". It affects more versions, but "/" is often filtered.
I reported a vuln to a bb prog like this back in June last year but now I wonder if I should have just explored it further after rather than moving on to do other things 🫣
Apache <2.4.56 is vulnerable to request splitting in mod_rewrite and mod_proxy #CVE-2023-25690 httpd.apache.org/security/vulne… We'd hazard a guess exploitation looks somewhat similar to this writeup: portswigger.net/research/makin…
We've launched a new topic and labs to accompany "Server-Side Prototype Pollution: Blackbox detection without the DoS" from @PortSwiggerRes' @garethheyes portswigger.net/web-security/p…
@PortSwiggerRes @Burp_Suite Auto-highlighting is super useful, but I do it with Logger++, which can also search in bodies and isn't limited to requests. Furthermore, features like import/export of colorizing rules and regex matching are imo a must-have.
@PortSwiggerRes DOM Invader is fantastic, I found an XSS where untrusted input was getting written to the DOM via JavaScript, I couldn't figure out why it wasn't executing, using DOM Invader it was a breeze to find out that the sink was innerHTML which doesn't parse script tags in HTML5
Voting is now live! Cast your vote on the top 10 web hacking techniques of 2022 here: portswigger.net/polls/top-10-w…
Two of our publications made it to this awesome list 🤩 • Disclosing passwords with Django's dictsort feature: sonarsource.com/blog/disclosin… • Smuggling responses with a Memcache injection in Zimbra to leak cleartext credentials: sonarsource.com/blog/zimbra-ma…
Just learned that my research on CSRF has been nominated for @PortSwiggerRes Top 10 Web Hacking Techniques! Feeling incredibly honored. portswigger.net/research/top-1…
It's possible to hijack getElementById() without scripts or events.... <div id="x">try harder</div> <p>my existing text</p> <!-- Your HTML here --> <script> alert(document.getElementById('x').innerText) </script> This post explains how: x.com/portswiggerres…
Hijacking service workers via DOM Clobbering portswigger.net/research/hijac…
With learning materials and labs based on original @PortSwiggerRes discoveries, this new topic will walk you through the high-level process for finding prototype pollution vulnerabilities both manually and using DOM Invader. portswigger.net/web-security/p…