Lightnews — Scholar-powered news

LightNews

Gareth Heyes

@garethheyes.co.uk

2.9K followers 330 following 340 posts

javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'> https://garethheyes.co.uk/#latestBook

garethheyes.co.uk

Posts Media Videos Starter Packs

Pinned

Gareth Heyes @garethheyes.co.uk · 17d

In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more.

www.amazon.com/dp/B0BRD9B3GS

https://www.amazon.com/dp/B0BRD9B3GS

Gareth Heyes @garethheyes.co.uk · 13h

Last chance to catch "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" at the NDC Conference, Manchester. Join me and see just how wild the email RFCs really are.

portswigger.net/research/tal...

Splitting the email atom
Gareth Heyes
Researcher, PortSwigger

Thurs, Dec 4, 2025 | 9:00am

Reposted by Gareth Heyes

d4d @zakfedotkin.bsky.social · 6d

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

Reposted by Gareth Heyes

naugtur @naugtur.pl · 11d

Anyone in Warsaw left without a ticket to THS yet? I found out I have a discount code :)

Come see me next week

Gareth Heyes @garethheyes.co.uk · 11d

Thanks for the info about the permissions flag!

Gareth Heyes @garethheyes.co.uk · 11d

Yeah I have some scripts that use them

Gareth Heyes @garethheyes.co.uk · 11d

Will do, I assume there's nothing you can do about .env files?

Gareth Heyes @garethheyes.co.uk · 11d

That looks really handy thanks mate

Gareth Heyes @garethheyes.co.uk · 11d

Is there gonna be a video?

Gareth Heyes @garethheyes.co.uk · 17d

In a shameless effort to promote my book. I've crafted some very special vectors for you. If you like them please purchase my book to read more.

www.amazon.com/dp/B0BRD9B3GS

https://www.amazon.com/dp/B0BRD9B3GS

Gareth Heyes @garethheyes.co.uk · 18d

Hackvertor v2.1.25 has been released and fixes the content-length problem!

Gareth Heyes @garethheyes.co.uk · 18d

Hiya, sure mate. The attackers page doesn't have CSP but the victim does. If you look at:
subdomain1.portswigger-labs.net/bypassing-cs...

You'll see it does have CSP. Cheers

Gareth Heyes @garethheyes.co.uk · 18d

Hackvertor v2.1.24 has a major bug where it doesn't update the content-length. Sorry about that. I've fixed it in v2.1.25. I'll try and get it updated on the BApp store ASAP. Gutted I missed this, sorry I'll try to do better in future.

Gareth Heyes @garethheyes.co.uk · 19d

Did you know you can create AI custom tags in Hackvertor? Did you also know you can actually pass parameters to the AI too? Powerful 🦾

Here's one that creates dummy data:
github.com/hackvertor/h...

<@_createDummyData(5,'email','...')>gareth

Gareth Heyes @garethheyes.co.uk · 20d

🚀 New Hackvertor Release: v2.1.24

New features
- Tag Automator
- Context request tag
- Find and replace input/output
- AI in code custom tags

thespanner.co.uk/burp-hackver...

Burp Hackvertor v2.1.24 release - The Spanner

I finally found some time to work through Hackvertor issues - cut the backlog from 20 down to 6. There were a bunch of interesting bugs and several good feature requests; one in particular stands out....

thespanner.co.uk

Reposted by Gareth Heyes

James Kettle @jameskettle.com · 25d

HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...

RomHack Conference 2025 Live Stream

YouTube video by Cyber Saiyan

www.youtube.com

Reposted by Gareth Heyes

d4d @zakfedotkin.bsky.social · 26d

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...

WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine

Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi

portswigger.net

Reposted by Gareth Heyes

Thomas Stacey @t0xodile.com · Sep 11

The recording for my latest research has been released! If you prefer to listen rather than read, now is your chance.

P.S. It may be worth listening to it at a slower speed due to my tendency to talk at the speed of light...

The Single-Packet Shovel: Digging For Desync-Powered Request Tunnelling - Thomas Stacey

YouTube video by Bsides Exeter

www.youtube.com

Gareth Heyes @garethheyes.co.uk · Sep 10

I've created a email section on Hackvertor to help with my "Splitting the email atom" attacks. This is a really cool attack that I didn't present a Black Hat. It uses quotes to smuggle an email domain in a SMTP parameter.

hackvertor.co.uk/urls/27

Hackvertor - Cutting edge conversion

An app to make conversion tags to help with web security research

hackvertor.co.uk

Gareth Heyes @garethheyes.co.uk · Sep 10

Wrote a old school toString obfuscator.

hackvertor.co.uk/urls/26

eval(8680439..toString(30)+"(1)")

Gareth Heyes @garethheyes.co.uk · Sep 10

I made creating tags easier in Hackvertor by improving the sample code and adding tag arguments automatically.

hackvertor.co.uk/tag-store/new

Hackvertor - Cutting edge conversion

An app to make conversion tags to help with web security research

hackvertor.co.uk

Gareth Heyes @garethheyes.co.uk · Sep 5

In web Hackvertor I've added a nest tag which allows you to generate XML/HTML nested tags useful in reaching maximum node nesting limits.

E.g.
Input: test
Output: test

hackvertor.co.uk/urls/24

Hackvertor - Cutting edge conversion

An app to make conversion tags to help with web security research

hackvertor.co.uk

Gareth Heyes @garethheyes.co.uk · Sep 4

I'd be careful with partial URL matches. If you could use ^=, $= etc or a contains based url match you could potentially make the query parameters discoverable from malicious CSS stylesheet.

Reposted by Gareth Heyes

d4d @zakfedotkin.bsky.social · Sep 3

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

Cookie Chaos: How to bypass __Host and __Secure cookie prefixes

Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

portswigger.net

Gareth Heyes @garethheyes.co.uk · Sep 1

WAFs still blocking your payloads? Try our newest pointer capture tricks. Our XSS cheat sheet just got an upgrade thanks to Muhammad Ahsan.

portswigger.net/web-security...

<input type=range ongotpointercapture=alert(1)>
<input type=range onlostpointercapture=alert(1)>

Reposted by Gareth Heyes

Rebane @rebane2001.bsky.social · Aug 28

i've finally got a new blogpost out!!

this one talks about modern CSS, it's new features, and practical real world uses

as usual, the visuals are css-only and have lots of cool interactivity and easter eggs :3

have fun!

lyra.horse/blog/2025/08...

You no longer need JavaScript

An overview of what makes modern CSS so awesome.