LightNews
t0xodile.com
Thomas Stacey
@t0xodile.com
310 followers 160 following 95 posts
Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.
thomas.stacey.se.
Posts Media Videos Starter Packs
Pinned
t0xodile.com
Thomas Stacey @t0xodile.com · May 22
Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".

Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...
www.assured.se
1 4 17
Reposted by Thomas Stacey
garethheyes.co.uk
Gareth Heyes @garethheyes.co.uk · 5h
Last chance to catch "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" at the NDC Conference, Manchester. Join me and see just how wild the email RFCs really are.

portswigger.net/research/tal...
Splitting the email atom Gareth Heyes Researcher, PortSwigger Thurs, Dec 4, 2025 | 9:00am
2 1
Reposted by Thomas Stacey
jameskettle.com
James Kettle @jameskettle.com · 5d
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...
RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame
YouTube video by Cyber Saiyan
www.youtube.com
1 3 14
Reposted by Thomas Stacey
zakfedotkin.bsky.social
d4d @zakfedotkin.bsky.social · 6d
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
6 27
t0xodile.com
Thomas Stacey @t0xodile.com · 10d
I cannot get over how bonkers the HEAD technique is in relation to desync vulns. I've never gotten a chance to use it in a real-word situation, but finally had a chance this week. Not only does it produce some serious impact, it also just looks incomprehensibly cool when it finally works.
1 5
t0xodile.com
Thomas Stacey @t0xodile.com · 11d
Issue solved by a friend using some client-side magic I won't even pretend I can explain! I've never seen / read about the overall technique before, hoping it's novel as hell 🤞
2
t0xodile.com
Thomas Stacey @t0xodile.com · 11d
Oh hang on. Maybe location changes no longer end up in the "credentials" connection pool at all?
1
t0xodile.com
Thomas Stacey @t0xodile.com · 11d
Yeah that was my first thought also on a re-read. But it's even weirder than that... specifically cross-domain fetch().then(location=) seemingly refuses to reuse the connection. fetch().then(fetch()) is completely fine (with "no-cors" and creds). But I need to render the content to make this work 😅
1
t0xodile.com
Thomas Stacey @t0xodile.com · 12d
Correction the issue was cross-domain related. BUT fetch followed by a location change now doesn't reuse a connection... Both requests are towards the same domain.
t0xodile.com
Thomas Stacey @t0xodile.com · 12d
Why would chrome not reuse a connection when two requests are triggered from a script, but WILL reuse a connection when it's all done via the console! Same script, just with <script> tags breaks things...
1 3
t0xodile.com
Thomas Stacey @t0xodile.com · 12d
Why would chrome not reuse a connection when two requests are triggered from a script, but WILL reuse a connection when it's all done via the console! Same script, just with <script> tags breaks things...
1 2
Reposted by Thomas Stacey
jameskettle.com
James Kettle @jameskettle.com · 16d
One hour till HTTP/1.1 Must Die kicks off at #romhack2025!

Watch the livestream here: m.youtube.com/watch?v=T009...
RomHack Conference 2025 Live Stream
YouTube video by Cyber Saiyan
m.youtube.com
2 13
Reposted by Thomas Stacey
acrosspondpod.bsky.social
Across the Pondcast @acrosspondpod.bsky.social · 17d
Episode 20: War Stories with Julien Richard!

@tib3rius.bsky.social & @swiftsecur.bsky.social chat with Julien Richard about his war stories!

Thank you to @portswigger.net for sponsoring today's episode! Check out portswigger.net/burp/ai to learn more about AI in Burp Suite.

Links below!
Burp AI - PortSwigger
Hack smarter, not harder. Seamlessly integrate trusted AI capabilities into Burp Suite - on your terms with Burp AI.
portswigger.net
1 4 5
t0xodile.com
Thomas Stacey @t0xodile.com · 17d
First big oof of the research today. Program has set one of our coolest PoCs so far to informative. Fortunately, it's so cool that we will absolutely be talking about how it all played at some point.

"The technique is what matters", it's still an awesome slide 🔥
3
t0xodile.com
Thomas Stacey @t0xodile.com · 20d
Twitter has schooled me on this. Don't interpret it as a universal bypass because it is not! Nevertheless, this very silly bypass works on some large groups of customers implementing bad rules...
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 12
Pretty sure I just found a hilarious bypass for this... If this works then all those hosts that sit behind Akamai are suddenly much more viable targets.
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 12
Another day, another block from Akamai briefly making me think a new bit of detection is breaking the internet 😅. It's my own fault, I have a "Filter WAF" option that I didn't turn on.
1
Reposted by Thomas Stacey
jorianwoltjer.com
Jorian @jorianwoltjer.com · 24d
My first post for the @ctbbpodcast.bsky.social Research Lab is live.
Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
lab.ctbb.show
3 9
Reposted by Thomas Stacey
jameskettle.com
James Kettle @jameskettle.com · 25d
HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...
RomHack Conference 2025 Live Stream
YouTube video by Cyber Saiyan
www.youtube.com
4 9
t0xodile.com
Thomas Stacey @t0xodile.com · 25d
Poker chips are honestly just the absolute best. I swear I've only dropped one loudly onto the wooden floor during a meeting once ... 😅
1
Reposted by Thomas Stacey
zakfedotkin.bsky.social
d4d @zakfedotkin.bsky.social · 26d
Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi
portswigger.net
6 13
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 12
Pretty sure I just found a hilarious bypass for this... If this works then all those hosts that sit behind Akamai are suddenly much more viable targets.
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 12
Another day, another block from Akamai briefly making me think a new bit of detection is breaking the internet 😅. It's my own fault, I have a "Filter WAF" option that I didn't turn on.
3
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 12
Another day, another block from Akamai briefly making me think a new bit of detection is breaking the internet 😅. It's my own fault, I have a "Filter WAF" option that I didn't turn on.
1
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 11
Thank you very much!
Reposted by Thomas Stacey
zakfedotkin.bsky.social
d4d @zakfedotkin.bsky.social · Sep 11
WebSocket security testing is so painful that this ever -expanding attack surface is largely overlooked. Learn how to dive where others fear to tread with WebSocket Turbo Intruder.
Join me live on Sept 17 at 4PM (GMT+1)

discord.gg/portswigger?...
Join the PortSwigger Discord Server!
A place where security professionals, hobbyists, and passionate Burp users can hang out, chat, and collaborate. | 12858 members
discord.gg
1 4
t0xodile.com
Thomas Stacey @t0xodile.com · Sep 11
The recording for my latest research has been released! If you prefer to listen rather than read, now is your chance.

P.S. It may be worth listening to it at a slower speed due to my tendency to talk at the speed of light...
The Single-Packet Shovel: Digging For Desync-Powered Request Tunnelling - Thomas Stacey
YouTube video by Bsides Exeter
www.youtube.com
1 5 9
Reposted by Thomas Stacey
zakfedotkin.bsky.social
d4d @zakfedotkin.bsky.social · Sep 3
For a visual walk‑through, see the @steelcon.info livestream recording: youtu.be/wxu1axAdPhw?...
Cookie Chaos: Exploiting Parser Discrepancies - Zack
YouTube video by SteelCon
youtu.be
2 4
Reposted by Thomas Stacey
zakfedotkin.bsky.social
d4d @zakfedotkin.bsky.social · Sep 3
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
portswigger.net
1 14 13
t0xodile.com
Thomas Stacey @t0xodile.com · Aug 27
There’s a solid chance that with just a few lines of code, the new parser discrepancy scan can entirely replace the tool I’ve been working on for my own research… I am not sure how to feel about this 😁

Good news is that the scan is insanely easy to augment with new techniques!
1 4