Couldn't make Gareth Heyes \u2028 Splitting the Email Atom event earlier this week? We'll be sharing the recording on our Discord next week. 👀 Make sure you've joined the official PortSwigger Discord 👉 discord.com/invite/portswi…

Love a good client-side exploit chain! This crazy cross-product chain targeting Google by Rebane is a great example of the type of exploit that gets easier the longer you spend targeting a single company lyra.horse/blog/2024/09/u…

Excited to release my latest research today. Exploiting CORS can be a tricky in modern web apps, but there are still critical cases out there if you know what to look for. If you want to learn more about CORS exploitation, the research is available at outpost24.com/blog/exploitin…

From HTTP request to ROP chain in Node.js! 🔥 Our latest blog post explains how to turn a file write vulnerability in a Node.js application into RCE – even though the target's file system is read-only: sonarsource.com/blog/why-code-…

Introducing the Cookie Sandwich, a tasty technique to steal HttpOnly cookies using legacy RFC features: portswigger.net/research/steal…

New blog post with shubs: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here: samcurry.net/hacking-subaru

During x3CTF, I discovered an unintended solution that turned out to be a pretty cool generic technique. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests! Check out the writeup below: jorianwoltjer.com/blog/p/ctf/x3c…

Sometimes, SQL injection is still possible, even when prepared statements are being used. Our researcher hashkitten has written up a blog post about a novel technique for SQL Injection in PDO’s prepared statements: slcyber.io/assetnote-secu…

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

At DEF CON, I presented my research on client-side deanonymization attacks in Google's Privacy Sandbox! Privacy research doesn't get as much attention, but ad-tech is increasingly embedded in everything - it's all about your attention and data. spaceraccoon.dev/client-side-de…

My favourite finding from Searchlight Cyber's Security Research team in 2025 so far is a secondary context path traversal in Omnissa Workspace One UEM (CVE-2025-25231). Really interesting bug, and fun kill chain to RCE. slcyber.io/assetnote-secu…

The watchTowr team has broken down the Oracle EBS unauth RCE exploit chain (tagged as CVE-2025-61882). Important to note: it is not one vulnerability, but multiple chained together. As always, we'll share more soon.

As a homage to the work of Blaklis, our Security Researcher Tomais debuts his first research post on reverse engineering a critical unauthenticated RCE in Magento (SessionReaper) CVE-2025-54236 at Searchlight Cyber: slcyber.io/assetnote-secu…

Oracle has patched two new critical CVEs (CVE-2025-53072 & CVE-2025-62481) in the Marketing Administration component of Oracle E-Business Suite. Given the recent Cl0p activity, exploitation is likely. Patch ASAP. Need help assessing exposure? watchTowr.com

Today, we’re releasing watchTowr Labs’ Piotr Bazydło’s BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances.

This is your last chance to nominate research for the top ten web hacking techniques of 2025! Nominations close at 0800 UTC tomorrow. Form linked below.

Assetnote Searchlight Cyber My work on the novel SSRF technique that landed a critical payout at a Live Hacking Event: slcyber.io/assetnote-secu…

📞 Microsoft fixed an authenticated RCE in Windows Telephony Service (CVE-2026-20931), discovered by our researcher Sergey Bliznyuk bronzebee Read the write-up: swarm.ptsecurity.com/whos-on-the-li…

We got frustrated with dealing with vendor dependencies when reverse engineering large applications. Patrik Grobshäuser from Searchlight Cyber’s Sec Research Team built Hyoktesu to solve this problem forever: github.com/assetnote/hyok… - releasing this today! Blog: slcyber.io/research-cente…

Chained CSPT into full account takeover using a 2FA bypass technique I hadn't seen used in bug bounty before. whoareme.com/blog/cspt-acco…