HolyBugx (@holybugx)'s Twitter Profile
HolyBugx

@holybugx

AppSec, and Automation.

ID: 1286355954704023553

Link: http://hackerone.com/holybugx | Joined: 23-07-2020 17:43:28

561 Tweets

11.11K Followers

573 Following

Sam Curry (@samwcyo):

New writeup: "Hacking Millions of Modems (and Investigating Who Hacked My Modem)" samcurry.net/hacking-millio… Thanks for reading! Huge thanks to veritas, Brett Buerhaus, shubs, d0nut 🦀, Ian Carroll, and everyone who reviewed the post beforehand.

Orange Tsai 🍊 (@orange_8361):

PHP just fixed one of my RCE vulnerabilities, which affects XAMPP by default. Check to see if you are affected and update now! 🔥 blog.orange.tw/2024/06/cve-20…

Harel (@h4r3l):

New blog! This time a high severity session takeover in Zoom worth $15,000. Read the story of how sudi, BrunoZero and I chained 2 completely useless XSS vulns to steal OAuth tokens, hijack browser permissions, and more: nokline.github.io/bugbounty/2024…

RyotaK (@ryotkak):

I recently developed and posted about a technique called "First sequence sync", expanding James Kettle's single packet attack. This technique allowed me to send 10,000 requests in 166ms, which breaks the packet size limitation of the single packet attack. flatt.tech/research/posts…

James Kettle (@albinowax):

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here -> portswigger.net/research/liste…

Gareth Heyes (@garethheyes):

Everyone knows that the RFCs for email addresses are crazy. This post will show without doubt that you should not be following the RFC. portswigger.net/research/split…

Orange Tsai 🍊 (@orange_8361):

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code

Ian Carroll (@iangcarroll):

In April, Sam Curry and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found. Here is our writeup: ian.sh/tsa

watchTowr (@watchtowrcyber):

In August, watchTowr Labs hijacked parts of the global .mobi TLD - and went on to discover the mayhem that we could cause. Enjoy.... labs.watchtowr.com/we-spent-20-to…

James Kettle (@albinowax):

Love a good client-side exploit chain! This crazy cross-product chain targeting Google by Rebane is a great example of the type of exploit that gets easier the longer you spend targeting a single company: lyra.horse/blog/2024/09/u…

daniel (@hackermondev):

1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips gist.github.com/hackermondev/6…

HTTPVoid (@httpvoid0x2f):

Check out our latest blog post! We dive into GitHub Enterprise’s SAML implementation and explore an authentication bypass in encrypted assertion mode. CVE-2024-4985 / CVE-2024-9487: GitHub Enterprise SAML Authentication Bypass. projectdiscovery.io/blog/github-en…

d4d (@d4d89704243):

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Neither did we. Enjoy! portswigger.net/research/bypas…

d4d (@d4d89704243):

Introducing the Cookie Sandwich, a tasty technique to steal HttpOnly cookies using legacy RFC features: portswigger.net/research/steal…

Michael Stepankin (@artsploit):

Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! Read it all below 🧵

Sam Curry (@samwcyo):

New blog post with shubs: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here: samcurry.net/hacking-subaru

watchTowr (@watchtowrcyber):

8 million requests, $400 later - we’re back. 🚀 We have demonstrated supply chain attacks that could have allowed us to trivially compromise critical infra. networks, including .gov, .mil, and more. This is real Attack Surface Management. labs.watchtowr.com/8-million-requ…