Gareth Heyes
garethheyes.co.uk
Gareth Heyes
@garethheyes.co.uk
javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'>

https://garethheyes.co.uk/#latestBook
Pinned
In a shameless effort to promote my book, I've crafted some very special vectors for you. If you like them, please purchase my book to read more.

www.amazon.com/dp/B0BRD9B3GS
We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors!

Browse them here: portswigger.net/web-security...
January 28, 2026 at 1:38 PM
You can now grab Speedy from the Chrome web store!

chromewebstore.google.com/detail/speed...
January 26, 2026 at 12:18 PM
Did huge amounts of updates to Shazzer. The fuzzing network was particularly tricky. I had production issues but hopefully I've fixed them. You can now visually see the fuzzing network at:

shazzer.co.uk/network
Fuzzing Network - Shazzer
Real-time view of the distributed fuzzing network
shazzer.co.uk
January 25, 2026 at 9:39 PM
Shazzer now has a generated cheat sheet that will improve over time as vectors are added and data is collected.

shazzer.co.uk/cheat-sheet
Shazzer - Shared online fuzzing
An app that enables you to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!
shazzer.co.uk
January 24, 2026 at 9:39 AM
New Shazzer feature: Distributed Fuzzing 🔥

Your browser can now help test vectors across the community. Just visit Shazzer and your idle browser cycles contribute fuzzing results for everyone.

shazzer.co.uk/blog/distrib...
Distributed Fuzzing: Crowdsourced Browser Testing - Shazzer
Shazzer has always been about discovering browser quirks and security edge cases through fuzzing. Today, I'm excited to introduce a new feature that takes this to the next level: Distributed Fuzzing. ...
shazzer.co.uk
January 23, 2026 at 11:37 PM
You can now grab Feedworm from the Chrome web store

chromewebstore.google.com/detail/feedw...
January 23, 2026 at 7:20 PM
Reposted by Gareth Heyes
Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

apply.workable.com/portswigger/...
January 23, 2026 at 10:36 AM
You can now dynamically render templates in Shazzer, which could be useful for LLMs to gather information about browser behaviour.

shazzer.co.uk/render-templ...
Shazzer - Shared online fuzzing
An app that enables you to fuzz all sorts of browser behaviour. Share your fuzz results with the world and discover new bugs!
shazzer.co.uk
January 22, 2026 at 10:26 PM
🐛 Built a simple RSS reader called Feedworm that runs in DevTools and never phones home. Keep up with blogs and research without selling your data.

thespanner.co.uk/introducing-...
Introducing Feedworm: A Privacy-First RSS Reader That Lives in DevTools - The Spanner
I've been using RSS readers for years. They're the best way to keep up with blogs, news sites, and security research without being at the mercy of algorithmic feeds. But every time I found a reader I ...
thespanner.co.uk
January 22, 2026 at 12:11 PM
I don't know about you but I'm struggling to find time to read some excellent blog posts. So I created speedy! A browser extension that lets you read posts very fast.

thespanner.co.uk/speedy-rsvp-...
Speedy RSVP extension - The Spanner
I had a spare 30 minutes and I do not trust existing speed-reading extensions. Even when they are free, they could contain security issues or be sold off later. At least I know I will not sell my exte...
thespanner.co.uk
January 20, 2026 at 8:07 PM
Reposted by Gareth Heyes
Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2025
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.
portswigger.net
January 15, 2026 at 3:29 PM
If you could use Hackvertor on selected items of proxy history, site map or organizer items what would you want to do?
January 7, 2026 at 12:55 PM
Reposted by Gareth Heyes
Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...
Top 10 web hacking techniques of 2025: call for nominations
Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te
portswigger.net
January 6, 2026 at 3:32 PM
Been experimenting with AI to produce 3D effects. Here as you scroll the tiles rotate into place.
January 5, 2026 at 9:24 PM
Reposted by Gareth Heyes
I made a shorter writeup for the CatGPT challenge during hxp CTF at 39C3!
It featured a cool combination of JavaScript injections to escape our context and fix the remaining syntax. Check it out:
jorianwoltjer.com/blog/p/ctf/h...
hxpCTF 2025 - CatGPT | Jorian Woltjer
The hardest web challenge during 39C3's hxp CTF. Auditing RegExes in a PHP library to uncover small gadgets that allow escaping and fixing a JavaScript context.
jorianwoltjer.com
January 5, 2026 at 9:39 AM
I meant to have a break from the computer on my day off...but I couldn't resist. I've updated my blog with cool effects!
December 18, 2025 at 8:54 PM
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
December 16, 2025 at 3:31 PM
Reposted by Gareth Heyes
Looking for a Christmas gift for yourself? #burp #training #2026

There are 9 seats left for the English-speaking session, and 5 for the French-speaking one.
The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published 📅

- March 24th to 27th, in French 🇫🇷
- April 14th to 17th, in English 🇬🇧

hackademy.agarri.fr/2026

PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon 🎁
Agarri
Training
hackademy.agarri.fr
December 13, 2025 at 1:39 PM
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client-side bug hunting for everyone. 🚀

thespanner.co.uk/autovader
AutoVader - The Spanner
Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...
thespanner.co.uk
December 9, 2025 at 12:22 PM
Reposted by Gareth Heyes
New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html
December 7, 2025 at 9:14 PM
Delighted to present at NDC Manchester. If you attended the talk and want the materials you can grab them from here:

github.com/portswigger/...
GitHub - PortSwigger/splitting-the-email-atom
Contribute to PortSwigger/splitting-the-email-atom development by creating an account on GitHub.
github.com
December 4, 2025 at 6:02 PM
Burp Hackvertor has a bunch of new shortcuts and functionality. Try them out in Burp. They are activated from a Burp repeater request.
December 3, 2025 at 12:29 PM
On Thursday I'm presenting "Splitting the email atom: exploiting parsers to bypass access controls" at NDC Manchester. Please join me if you want to find out how to turn an RFC-compliant email address into RCE.

portswigger.net/research/tal...
Upcoming Conference Talks - PortSwigger Research
Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.
portswigger.net
December 1, 2025 at 11:14 AM
This is the last weekend "JavaScript for hackers" will be available for $13.37. HackFriday! Grab yours now while you can...

www.amazon.com/JavaScript-h...
JavaScript for hackers: Learn to think like a hacker
JavaScript for hackers: Learn to think like a hacker [Heyes, Gareth] on Amazon.com. *FREE* shipping on qualifying offers.
www.amazon.com
November 28, 2025 at 1:22 PM
Hackvertor 2.2.33 released!

- New MultiEncoder window (CTRL+ALT+M) for applying multiple transformations across layers and sending to Repeater tab
- WebSockets support including a WebSocket handler and a new WebSocket setting
- Improved auto decoding
November 28, 2025 at 12:17 PM