PortSwigger Research 65
- SAML roulette: the hacker always wins
- Shadow Repeater: AI-enhanced manual testing
- Top 10 web hacking techniques of 2024
- Bypassing character blocklists with unicode overflows
- Stealing HttpOnly cookies with the cookie sandwich technique
- Top 10 web hacking techniques of 2024: nominations open
- Bypassing WAFs with the phantom $Version cookie
- New crazy payloads in the URL Validation Bypass Cheat Sheet
- Concealing payloads in URL credentials
- Introducing the URL validation bypass cheat sheet
- Gotta cache 'em all: bending the rules of web cache exploitation
- Splitting the email atom: exploiting parsers to bypass access controls
- Listen to the whispers: web timing attacks that actually work
- Fickle PDFs: exploiting browser rendering discrepancies
- A hacking hat-trick: previewing three PortSwigger Research publications coming to DEF CON & Black Hat USA
- onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet
- Refining your HTTP perspective, with bambdas
- Introducing SignSaboteur: forge signed web tokens with ease
- Making desync attacks easy with TRACE
- Using form hijacking to bypass CSP
- Top 10 web hacking techniques of 2023
- Hiding payloads in Java source code strings
- Top 10 web hacking techniques of 2023 - nominations open
- Finding that one weird endpoint, with Bambdas
- Blind CSS Exfiltration: exfiltrate unknown web pages
- The single-packet attack: making remote race-conditions 'local'
- How to build custom scanners for web security research automation
- Smashing the state machine: the true potential of web race conditions
- Exploiting XSS in hidden inputs and meta tags
- How I choose a security research topic
- Bypassing CSP via DOM clobbering
- Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
- The curl quirk that exposed Burp Suite & Google Chrome
- Exploiting prototype pollution in Node without the filesystem
- Server-side prototype pollution: Black-box detection without the DoS
- Top 10 web hacking techniques of 2022
- Top 10 web hacking techniques of 2022 - nominations open
- Hijacking service workers via DOM Clobbering
- Stealing passwords from infosec Mastodon - without bypassing CSP
- Detecting web message misconfigurations for cross-domain credential theft
- Safari is hot-linking images to semi-random websites
- HTTP/3 connection contamination: an upcoming threat?
- Our favourite community contributions to the XSS cheat sheet
- Making HTTP header injection critical via response queue poisoning
- The seventh way to call a JavaScript function without parentheses
- How to turn security research into profit: a CL.0 case study
- Using Hackability to uncover a Chrome infoleak
- Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
- Framing without iframes
- Bypassing Firefox's HTML Sanitizer API
- Widespread prototype pollution gadgets
- Bypassing CSP with dangling iframes
- Hunting evasive vulnerabilities
- New XSS vectors
- Top 10 web hacking techniques of 2021
- Top 10 web hacking techniques of 2021 - nominations open
- uBlock, I exfiltrate: exploiting ad blockers with CSS
- Creating a 3D world in pure CSS
- Hunting nonce-based CSP bypasses with dynamic analysis
- HTTP/2: The Sequel is Always Worse
- alert() is dead, long live print()
- Finding DOM Polyglot XSS in PayPal the Easy Way
- Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
- nOtWASP bottom 10: vulnerabilities that make you cry
- Hidden OAuth attack vectors