Get the most out of our new URL Validation Bypass Cheat Sheet! Read our latest blog post for a comprehensive guide on how to use this tool -

@0xTib3rius @Rhynorater @dyak0xdb Agree, the payload exploit the mandatory / at hostname. Interestingly, that Q-encoding can be used at HTTP requests too. @garethheyes demonstrated the technique in his research

Check it out here👇

RT @PortSwiggerRes: The results are in! We're proud to announce the Top ten web hacking techniques of 2024!

RT @t0xodile: Officially in the BApp store! The research is in the thread if you'd like to understand more. Otherwise, go ahead and try out…

Bypass Bot Detection now in BApp store! - The extension now parses the User-Agent header and suggests matching TLS ciphers in the context menu. - You can still manually set a TLS cipher suite if the User-Agent header is unknown. Stay stealthy!

@ankursundara While working on the Memcached Injections research I did not think about the client side of this attack. The great blog post by @ankursundara made me look at this class of vulnerabilities differently. But that's not all, part 3 is ahead!

RT @ankursundara: @d4d89704243 Love the name Cookie Sandwich. I talked a bit about this idea in this blog post and…

RT @albinowax: Thanks for your all your votes! The public vote is now closed, and we're kicking off the panel vote with fifteen quality nom…

@slonser_ @albinowax @kobi_hk I tested the Link header injection scenario in redirect response (30X) Unfortunately, payment handler ignores it 🫤

RT @albinowax: Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: http…

RT @albinowax: Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here: htt…

RT @albinowax: I've just released HTTP Request Smuggler 2.17 which fixes a nasty Client-Side Desync false-negative. Big thanks to @t0xodile…

Reflecting on the year, here are some tools I’ve been building: 🚀 URL validation bypass cheat sheet 🔒Sign Saboteur Extension 🤖 Bypass bot detection Extension More to come in 2025! 🎄

Ruby secret_key_base can be decrypted from credentials.yml.enc file using following java code:

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Neither did we. Enjoy!

RT @albinowax: We’re finally live! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: https://t.…

You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):