
Thomas Stacey

@t0xodile.com.bsky.social

Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.

299 Followers  |  160 Following  |  79 Posts  |  Joined: 27.12.2023  |  1.873

Latest posts by t0xodile.com on Bluesky

That is coming eventually but only just started on it really 😁. This is more “swiggery”

08.08.2025 20:24 — 👍 0    🔁 0    💬 0    📌 0

Something like that 😁!

08.08.2025 15:14 — 👍 1    🔁 0    💬 1    📌 0
HTTP/1.1 Must Die Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

06.08.2025 23:43 — 👍 38    🔁 20    💬 0    📌 2

It’s Defcon travel day today! Mega excited for an enormous number of reasons. If all goes well, many of them will become apparent roughly two weeks after it all ends…

06.08.2025 07:39 — 👍 1    🔁 0    💬 1    📌 0

I imagine smashing the state machine was pretty rough for that 😅?

30.07.2025 11:11 — 👍 0    🔁 0    💬 1    📌 0

I've gotten so lost in working on detection techniques that I've forgotten about a few very valid looking cases I found with the initial probe. 😄 Good news is, the tool looks like it might actually be useful regardless of what happens. But I guess I should focus on getting some exploits...

30.07.2025 07:03 — 👍 3    🔁 0    💬 1    📌 0

I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4

24.07.2025 15:31 — 👍 22    🔁 13    💬 1    📌 0

Not yet sure on how API access works yet, but a new online subdomain lookup service has arrived. subintel.tushal.io, seems pretty great!

24.07.2025 06:53 — 👍 0    🔁 0    💬 0    📌 0

Faaaantastic! 🔥

23.07.2025 14:59 — 👍 1    🔁 0    💬 0    📌 0

Everything I do leads me back to param-miner 😁. What a tool ⛏️

23.07.2025 07:46 — 👍 1    🔁 0    💬 0    📌 0

This is pretty cool. Things start getting really confusing when you look into the chunk extensions so... this is a huge help!

22.07.2025 14:00 — 👍 2    🔁 1    💬 0    📌 0

This has GOT to be a sticker?!

18.07.2025 13:01 — 👍 2    🔁 0    💬 1    📌 0

You're not ready for how powerful Custom Actions are.
You can now build your own AI hacking sidekicks that rewrite requests for you.
Forget typing payloads - just let your assistant do it.
🔥 Welcome to the future of offensive automation.

Get the source code:
github.com/PortSwigger/...

17.07.2025 13:44 — 👍 5    🔁 3    💬 1    📌 0

What on earth is this wizardry 🧙!

17.07.2025 13:57 — 👍 0    🔁 0    💬 1    📌 0
Leaking IPs in Brave Tor Window & Chrome VPNs + Popunders + CSP Bypass This writeup details multiple IP leak vulnerabilities I discovered affecting Brave's Tor window and Chrome VPN extensions that allowed a malicious actor to leak the real IP address of any visitor to a...

New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking...

16.07.2025 11:00 — 👍 5    🔁 5    💬 0    📌 0

Manual testing doesn't have to be repetitive.
Meet Repeater Strike - an AI-powered Burp Suite extension that turns your Repeater traffic into a scan check.

Source code:
github.com/hackvertor/r...

Blog post:
portswigger.net/research/rep...

15.07.2025 13:48 — 👍 8    🔁 2    💬 0    📌 0

Submitted a second case based on the same research lead, this time using a technique I've not personally seen before to achieve a desync and a completely accidental exploit chain to achieve impact. Should make for a fun story even if this lead doesn't continue to produce results 🔥

14.07.2025 07:40 — 👍 2    🔁 0    💬 0    📌 0

This feels like a possible T-Shirt using the "I reported X and all I got was this lousy X" template.

11.07.2025 12:27 — 👍 1    🔁 0    💬 0    📌 0
Modeling CORS frameworks with CodeQL to find security vulnerabilities Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.

🧠 CORS misconfigurations are sneaky. Want to catch them with static analysis?
Kevin Stubbings from GitHub Security Lab shows how to model CORS middleware in CodeQL—using Go’s Gin framework as a case study.
Great insights for researchers & devs:
github.blog/security/app...

10.07.2025 19:31 — 👍 3    🔁 2    💬 0    📌 0

🔥 Want to think like a hacker and truly understand JavaScript?

💻 JavaScript for Hackers is your guide to breaking, bending, and mastering the language like never before.

09.07.2025 17:11 — 👍 16    🔁 6    💬 1    📌 0

Close enough! AMA: docs.google.com/forms/d/e/1F...

I'll do a live stream answering questions some time soon :)

08.07.2025 13:24 — 👍 6    🔁 4    💬 0    📌 1

I noticed in my latest post that a lot of the initial traffic was mobile. And later on it’s been desktop and others. Thank god someone told me to check the mobile view for all the markdown code 😂

07.07.2025 15:17 — 👍 0    🔁 0    💬 0    📌 0

Gooood to know 😁 thanks!

07.07.2025 12:08 — 👍 1    🔁 0    💬 0    📌 0

Did you add this in because of your research? 🤔 just came across it in the wild.

05.07.2025 19:38 — 👍 1    🔁 0    💬 1    📌 0
Nonce CSP bypass using Disk Cache | Jorian Woltjer The solution to my small XSS challenge, explaining a new kind of CSP bypass with browser-cached nonces. Leak it with CSS and learn about Disk Cache to safely update your payload

Here's my writeup of the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so I included some details about different scenarios.

Don't let that HTML-injection of yours wait!
jorianwoltjer.com/blog/p/resea...

02.07.2025 16:56 — 👍 15    🔁 5    💬 3    📌 1

New video! Getting Into Cybersecurity - An Interview with James Kettle!

In this episode, James Kettle talks about how he got started in security research, and how you can pivot into this rare but worthwhile role.

Watch now: youtu.be/S64Eq0Y3SrY

Listen on Spotify: open.spotify.com/show/5m5711J...

02.07.2025 14:49 — 👍 9    🔁 2    💬 0    📌 0
Getting Into Cybersecurity - An Interview with James Kettle! (YouTube video by Tib3rius)

Interested in pushing hacking techniques beyond the state of the art, or breaking into full-time security research? I recently had a great chat with Tib3rius on the topic! Watch it here:

www.youtube.com/watch?v=S64E...

02.07.2025 14:56 — 👍 11    🔁 3    💬 1    📌 2

Nginx normalizes paths (/../, %2e, etc.) before applying access rules like: location = /admin { deny all; }

But backends like Node.js or PHP handle decoding again, and differently.

02.07.2025 08:21 — 👍 8    🔁 2    💬 1    📌 0

Building detection techniques is an underrated part of research for me. I imagine working on solid detection code for a DAST scanner would be fun. Today I made a small change based on a particularly sensitive header and suddenly a bunch of new cases popped up in, critically, a different tech stack.

27.06.2025 08:03 — 👍 4    🔁 0    💬 0    📌 0

Thrilled to announce: I’ll be presenting a major new version of WebSocket Turbo Intruder at Black Hat Arsenal 2025! This open-source toolkit makes high-speed, advanced WebSocket attacks practical and painless.

26.06.2025 13:56 — 👍 9    🔁 3    💬 1    📌 0
