HackTheBridge (@hackthebridge)'s Twitter Profile

Social Media Manager @hacker_content! Dad. OSCP Student. Skateboarder. Chef.

ID: 1468537141370454020

Link: https://medium.com/@HackTheBridge

Date: 08-12-2021 11:05:22

1.1K Tweets

684 Followers

297 Following

HackingHub (@hackinghub_io)

Beginner bug bounty hunters fail because they chase quick wins.

Skipping foundational steps keeps most from hitting real payouts.

Here are 8 tips for landing your first $1,000 bounty in 2025👇
ProjectDiscovery (@pdiscoveryio)

Is your vulnerability scanner drowning you in false positives? Struggling to keep up with new CVEs and exploits?

ProjectDiscovery cloud is powered by Nuclei, the go-to tool for hackers, pentesters, and security researchers worldwide. With 10,000+ detection templates, it's the
Web Security Academy (@websecacademy)

[APPRENTICE LAB] Exploiting LLM APIs with Excessive Agency

When an LLM is given too much control without proper safeguards, you can manipulate it into executing dangerous actions like deleting user accounts.

In this lab, you’ll:
🔸 Discover the LLM’s accessible API surface
🔸

Web Security Academy (@websecacademy)

How to find viable targets for client-side desync attacks:

1️⃣ Open Burp Suite and intercept requests.
2️⃣ Choose an endpoint that wouldn't usually expect a POST request (e.g. GET) and send it to repeater.
3️⃣ Go to Inspector > Request Attributes > Protocol field > Upgrade to

Web Security Academy (@websecacademy)

What is HTTP request smuggling? 🤷

Here's what you need to know👇

1️⃣ What is it?

It’s a vulnerability that arises when two servers disagree on where an HTTP request ends. Attackers exploit these inconsistencies to interfere with or inject unintended requests. This can
Web Security Academy (@websecacademy)

Learning Path: CORS Misconfigurations

This learning path teaches you how to find, exploit, and escalate CORS misconfigurations, step by step.

You’ll learn:
🔶 How CORS works (and where it breaks)
🔶 How to exploit origin reflection and insecure protocols
🔶 How misconfigured
NetworkChuck (@networkchuck)

Heading to DEF CON!?

On Friday at 11:30am, John Hammond and myself will be officially "Kicking Off DEF CON", at the IoT Village with a friendly Q&A session!

Make sure to add this one to your schedule! 🚀

See you at #DEFCON!

#DEFCON33
André Baptista (@0xacb)

We just dropped some research and used our hackbot to take it further. Read and go bypass some WAFs 🚨 Congrats Bruno Mendes for the great research 🔥

HackingHub (@hackinghub_io)

This Friday, @Nahamsec & Adam Langley are hitting DEF CON’s Bug Bounty Village!

💥 12pm - Catch them live with "Regex for Hackers"
💥 Right after - Ben joins the Creator Panel

Add it to your DEFCON must-see list! #DEFCON #BugBounty
Web Security Academy (@websecacademy)

How to use Request Smuggler's Smuggle Probe option to detect CL.TE request smuggling vulnerabilities! Request Smuggler is fully compatible with Burp Suite DAST, Professional, and Community editions! 🚀 Install Request Smuggler here: portswigger.net/bappstore/aaaa… And test it out

Web Security Academy (@websecacademy)

How to manually check for CL.TE Request Smuggling Vulnerabilities:

1️⃣ See if a GET request accepts POST
2️⃣ See if it accepts HTTP/1
3️⃣ Disable "Update Content-Length"
4️⃣ Send with CL & TE headers:

POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked

0

James Kettle (@albinowax)

It's been great to see people 'enjoying' the 0CL Web Security Academy lab! Tune in this Friday at 11AM PT to watch me livestream the solution with Off By One Security - registration link below 👇
NetworkChuck (@networkchuck)

You need to learn Python... RIGHT NOW!!

If you want a job in IT, it is fast becoming a requirement to know the Python programming language.

In this free Python course, my goal is to make you DANGEROUS in Python.

Get started: tinyurl.com/2w2bddpr
Web Security Academy (@websecacademy)

How to deliver reflected XSS via HTTP request smuggling vulnerability! 👇 Try this Practitioner lab now: portswigger.net/web-security/r…

NetworkChuck (@networkchuck)

What’s the difference between these two DNS lookups?

They look similar, but they tell very different stories.

In the first command:
⌨️ nslookup academy.networkchuck.com

You're asking your default DNS resolver (router or ISP).
✅ Recursive lookup, following all CNAMEs to the