PortSwigger Research

It’s finally landed! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: https://lnkd.in/ewBfVp7B

Struggling to bypass a WAF with an attribute blocklist? We've just updated the XSS cheat sheet with the obscure 'onwaiting' event from @AmirMSafari https://lnkd.in/exW94KwF

"Digging for XSS Gold: Unearthing Browser Quirks with Shazzer" is now live on YouTube! Discover powerful techniques to hunt XSS vulnerabilities with Shazzer. Watch now and start exploring browser quirks like a pro! https://lnkd.in/ees5zqNd

You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):

You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):

Exploit XSS in hidden inputs with no user-interaction, using this amazing new auto-executing vector from Masato Kinugawa! We've added this powerful trick to our XSS cheat sheet linked below ??

Ever wanted to fuzz a WebSocket? We've just updated WebSocket Turbo Intruder with some new features. If you've used Turbo Intruder already, it should feel familiar :)

Want to discover advanced XSS vectors like this? I'll be presenting "Digging for XSS Gold: Unearthing Browser Quirks with Shazzer" live online at 16:00 UTC November 7th https://lnkd.in/eNvJqYtM

We've just updated our URL Validation Bypass Cheat Sheet with a new IP address obfuscator by e1abrador, and new payloads by SeanPesce and t0xodile. Check out the full details at: https://lnkd.in/eNPj33YM

Learn how to conceal payloads in URL credentials and abuse them for DOM XSS and DOM Clobbering. https://lnkd.in/gZ7vYUxh