'AI and Security Research: Ask Me Anything' with James Kettle 🔥 Join us on Thursday at 4pm BST (11am EDT) for this exclusive event, and don't forget to submit your questions here: app.sli.do/event/ou8cmSGq… Join the PortSwigger Discord to attend 👉 discord.com/invite/portswi…

I think many people are familiar with the topic of blind CSS exfiltration, especially after the post by Gareth Heyes \u2028 However, an important update has occurred since then, which I wrote below ->

Do you use or exploit WebSockets? Check out our new blog post to see how modern browsers may (or may not) be protecting you from Cross-Site WebSocket Hijacking! blog.includesecurity.com/2025/04/cross-…

Apparently RSS isn't dead. Please link me your favorite security feeds.

Wrote a Burp Suite Pro extension that uses AI-powered features to replace values in HTTP requests. Useful for guessing data formats based on parameter or header names. For example, for requests from Swagger / OpenAPI or those generated by my tool BFScan. github.com/BlackFan/Burp-…

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓↓↓

"Parser Differentials: When Interpretation Becomes a Vulnerability" by joernchen !

I have launched a new web CTF. Amazon gift-card for first to solve, and swag draw amongst successful submissions. site: hackcentral.darkfor.ge Code: github.com/darkforge-labs…

Excited to share our latest blog post, where we dive into attacking CEFSharp-based thick clients and introduce CefEnum, our new tool for enumerating and analyzing these applications. Check it out to learn more about securing .NET thick clients: blog.darkforge.io/cef/cefsharp/c…

Writeup for our CTF HackCentral posted blog.darkforge.io/ctf/challenge/…

🌀 𝗦𝗺𝘂𝗴𝗴𝗹𝗲𝗙𝘂𝘇𝘇 - A modular HTTP request smuggling fuzzer built for deep desync exploration. 👉 github.com/moopinger/smug… Perfect for testing reverse proxies, finding obscure smuggling vectors, and pushing fuzzing boundaries. #CyberSecurity #RedTeam #BugBounty

This week’s Disclosed. #BugBounty Beta invite for Hai, the AI security agent for hackers. RCE on Netflix. New tools for XSS, subdomain monitoring, and HTTP smuggling. Plus: SSTI, IDN homographs, and more. Highlights below 🧵

The upcoming "HTTP/1 must die" Web Security Academy lab is no longer impossible! This is good news because I'm planning to attempt to live-stream solving it...

Google CTF will start in less than 48h from now. Make sure not to miss the great challenges we've prepared this year!! Can't describe how exicted I am for it 😶

Join me on the Off By One Security channel for a stream with the amazing James Kettle on August 15th @ 11AM PT on "Novel HTTP/1 Request Smuggling/Desync Attacks!" Be sure to turn on alerts for the channel on YouTube... youtube.com/watch?v=B7p8dI…

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)

We had a blast hosting the North Gauteng Science Fair CTF. blog.darkforge.io/ctf/ngsf/2025/…

media.ccc.de/v/39c3-a-post-…

Add the .gitignore entries from ironpeak.be/blog/leaking-s… to your URL fuzzing wordlist. Let the bounties rain! #bugbountytips