You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost, it might be possible to bypass CSP using DOM clobbering, which you can now de...

TL;DR ¶ A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DO...

Any individual website component can undermine the security of the entire site, and analytics platforms are no exception. With this in mind, we decided to do a quick audit of Piwik PRO to make sure...

One common perception is that it is easier to write rules for Semgrep than CodeQL. Having worked extensively with both of these static code analysis tools for about a year, I have some thoughts.

In this post, we’ll explore a little-known feature in curl that led to a local-file disclosure vulnerability in both Burp Suite Pro, and Google Chrome. We patched Burp Suite a while back, but suspect

In this post, we’ll introduce a new exploitation technique for Server-Side Prototype Pollution. If you’ve detected SSPP (maybe using one of our black-box techniques), the next step towards RCE is t...

Server-side prototype pollution is hard to detect black-box without causing a DoS. In this post, we introduce a range of safe detection techniques, which we’ve also implemented in an open source Burp

Welcome to the Top 10 Web Hacking Techniques of 2022, the 16th edition of our annual community-powered effort to identify the most important and innovative web security research published in the last

TL;DR ¶ In this post, I investigate why developers struggle with CORS and I derive Fearless CORS, a design philosophy for better CORS middleware libraries, which comprises the following twelve prin...

This bug could allow a malicious actor to takeover Facebook ( and Meta ) accounts after tricking the user to<p>Continue readingDOM-XSS in Instant Games due to improper verification of supplie...