The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...
Some sites may use direct IP address today if their domain name servers were not with Cloudflare too! There is this opportunity for WAF bypass... please share it, sharing is caring...
happy cloudflare outage day to all who celebrate
With cloudflare being down, and as a result, most things I use being down, I came here to say hi. I guess I will use other AIs than chatgpt today!
Wouldn't this also be vulnerable to dns rebinding attacks?
I only have one ticket! I am not the worst.
You would have kept it if it was called activity logs. Probably an ego boost would be a better name for these activities though.
These days, I'm off work, busy taking care of a family member, so this really brightened my day and brought a big smile to my face. Thanks @portswigger.net
I wonder if burp itself can do something for jython extensions since it has access to the location of a jython jar file to share it with extensions. But even with that I need to see how jython can use montoya.
Do we need to include the jython jar file in it? forum.portswigger.net/thread/are-j...
I always thought jython cannot use montoya. Is this a hackvertor hack or it's been always possible?
Did you know? DC4420, the London monthly that graced central London for all of the 10s and before, has a new home and a new date!
Greene Man, 383 Euston Road, London, NW1 3AU
April 29
Be there.
www.eventbrite.co.uk/e/dc4420-apr... has details. you don't have to register.
#infosec #security
If you like hacking XML, this article is a gold mine!
It includes parser discrepancies, round-trip attacks and my favorite, namespace confusion.
As always, also thanks to @albinowax and @PortSwigger for keeping the top 10 flame alive for another year!
Congrats to all the winners (especially @orange.tw) and all researchers who made the 2024 long list! Thanks for sharing your work with us!
To readers: Don't just read the top 10; start there and then explore the rest. There are many great works beyond the top 10, so don't limit yourself!
This year two new security legends have joined the top-ten expert panel - @liveoverflow.bsky.social and @stokfredrik.bsky.social! Excited to see what analysis & insights they bring to the top ten alongside long-time contributors @agarri.fr and @irsdl.bsky.social
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
Please submit any interesting and especially new web/http related topic published in 2024
You are right. Unfortunately it's a cruel one especially when there is no sponsor. Most researchers also just use it with not much contribution which is ok but sad.
If you are using YSoSerial .Net, we have accepted a few PRs and patched several bugs & improved the ViewState plugin!
Merry Christmas
github.com/pwntester/ys...
We are extending our call for papers to January 1, 2025!
We are now targeting an end of January release.
If you have any Linux/ELF related research, projects, or papers, we would love to publish them!
Huge thank you to everyone who has already submitted!
tmpout.sh/blog/vol4-cf...
It seems Bsides Birmingham is now happening:
www.bsidesbrum.com
CFP is also open!
Currently at #BSidesLDN2024
@n1ckdunn.bsky.social
Get ready for the biggest #SecuriTay yet!
500 attendees
2-day CTF
Multiple sponsors
Happening 28 | 02 | 2025 - First ticket drop coming soon!
More details at securi-tay.co.uk
Extended the starter with shy writers! If you're not on the list but write about web security, then feel free to reply with the article you're most proud of, and I will add you to the pack!
Make sure to resubscribe to not miss out on the amazing research!
go.bsky.app/9JXnB17
I've released 'brainstorm': an alternative way to do web fuzzing combining my fav fuzzing tool 'ffuf' (from @joohoi.bsky.social) with local LLMs (via Ollama API) to generate smarter filename tests. It usually finds more endpoints with fewer requests. Added IIS shortname support @irsdl.bsky.social
The "bug bounty hunters and content creators" starter pack is now up to 60 users! Follow this to get instantly connected to the bug bounty community & let me know if I've missed you off!
go.bsky.app/GD7hKPX