We released a new version of Burp recently on the Early Adopter channel that updates DOM Invader to help find cross-domain secrets. In this post we are going to show you how to use DOM Invader to d...

Every image is potentially a URL on Safari, thanks to over-enthusiastic OCR (Optical Character Recognition). This means you can link any image to an external website - and Safari might already be s...

I recently documented a dangerous reverse-proxy behaviour called first-request routing, which enables host-header attacks on back-end systems. In this post, I’ll show how first-request routing also...

Since we launched the ever popular XSS cheat sheet, we’ve had some fantastic contributions from the XSS community. In this post, we thought we’d take the opportunity to highlight the seven best com...

HTTP header injection is often under-estimated and misclassified as a moderate severity flaw equivalent to XSS or worse, Open Redirection. In this post, I’ll share a simple technique I used to take a

On August 24th, 2022, we reported a vulnerability to Netlify affecting their Next.js “netlify-ipx” repository which would allow an attacker to achieve persistent cross-site scripting and full-respo...

Although I do not actively participate in CTFs, I enjoy creating challenges for them as it forces me to learn by doing. Creating a good CTF challenge is an art, not a science. As the winner of <...

I thought I knew all the ways to call functions without parentheses: alert1337 throw onerror=alert,1337 Functionx${'alert\x281337\x29'}x`` ‘alert\x281337\x29’instanceof{[Symbol[‘hasInstance’]]:eva

TL;DR ¶ In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been ...

Have you ever seen a promising hacking technique, only to try it out and struggle to find any vulnerable systems or non-duplicate findings? In this post, I’ll take a concise look at the most effect...