Thomas Stacey
t0xodile.com
Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.
Pinned
Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".

Desync vulnerabilities stemming from HTTP/2 downgrading continue to plague even the largest vendors, have a read to find out how!
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...
www.assured.se
Reposted by Thomas Stacey
Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2025
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.
portswigger.net
January 15, 2026 at 3:29 PM
On a whim I asked Gemini a ridiculously specific question. "Give me a response that has length X and is text/html for X proxy". And while it basically made up the answer (I assume) it still pointed me to a solution I've needed for months! I guess trying "stupid ideas" can work for LLMs too.
January 10, 2026 at 1:20 PM
Maybe to search inside of encoded data? If I want to search a JSON blob that is also base64 encoded, it could be cool to simply write out the hackvertor tag into a filter and have the filter process the result of that tag?
January 7, 2026 at 2:54 PM
Reposted by Thomas Stacey
Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...
Top 10 web hacking techniques of 2025: call for nominations
Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te
portswigger.net
January 6, 2026 at 3:32 PM
Reposted by Thomas Stacey
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget

security.lauritz-holtmann.de/post/xss-ssr...

Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.

Read the spec!
Turning List-Unsubscribe into an SSRF/XSS Gadget
The List-Unsubscribe SMTP header is standardized but often overlooked during security assessments. It allows email clients to provide an easy way for end-users to unsubscribe from mailing lists. This ...
security.lauritz-holtmann.de
December 23, 2025 at 7:38 AM
Reposted by Thomas Stacey
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
December 16, 2025 at 3:31 PM
Reposted by Thomas Stacey
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀

thespanner.co.uk/autovader
AutoVader - The Spanner
Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...
thespanner.co.uk
December 9, 2025 at 12:22 PM
Reposted by Thomas Stacey
When looking for postMessage vulnerabilities, the FancyTracker Firefox extension can be very useful.

It has built-in syntax highlighting and sorts out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF

And the original for Chrome: https://github.com/fransr/postMessage-tracker
November 25, 2025 at 12:03 PM
Desync issues are so finicky which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
November 20, 2025 at 9:47 AM
Reposted by Thomas Stacey
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.

thespanner.co.uk/shadow-repea...
Shadow Repeater v1.2.3 release - The Spanner
The new version of Shadow Repeater has been released with a couple of cool new features. Timing differences Shadow Repeater analyses your Repeater requests and looks for response differences but it wa...
thespanner.co.uk
November 18, 2025 at 12:59 PM
I would so love to share! Or in fact, I 100% will 😅 but not for a while... Just in case it works on more things!
November 18, 2025 at 7:27 AM
After the whole... Expect breaks the internet debacle (not that this is past tense, it clearly still does) I was pretty sure another header was gonna be useful for desync things... Today, I think I actually have an exploit that works specifically due to that header's weirdness. 🔥
November 13, 2025 at 3:53 PM
Perhaps unsurprisingly (?) this works amazingly on tunnelled responses where subtle differences can be the difference between a new lead and giving up. 🔥
November 13, 2025 at 10:28 AM
Reposted by Thomas Stacey
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
youtu.be
November 11, 2025 at 2:49 PM
Reposted by Thomas Stacey
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three; you can find the rest here: portswigger.net/web-security...
November 10, 2025 at 2:49 PM
Those who are monitoring academic research paper releases. How? Google Scholar alerts seems okay? Trying to build up my daily research consumption feeds. (Would be convenient if there was an RSS feed somewhere)
November 10, 2025 at 8:24 AM
Reposted by Thomas Stacey
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!

github.com/CoreyD97/Ins...
Release Initial Release! · CoreyD97/InsiKt
Logger++ is dead, long live InsiKt! It has been a long time since I first adopted Logger++ from @irsdl back in 2017. Since then I have left NCC Group and no longer have access to the repository, so...
github.com
November 8, 2025 at 7:44 PM
Reposted by Thomas Stacey
my #39c3 talk got accepted!!

see you at @ccc.de in december ^^

(yes, it will be livestreamed and recorded)
November 4, 2025 at 2:35 PM
Well then... I can tell by looking at the vulnerable domains that this is working. Interestingly, the PDS scan may be identifying things my own tool has missed. Even if not, its ability to go ahead and try out 0.CL / CL.0 is super fancy. I suspect I'll submit a pull request when the time is right 😁
October 28, 2025 at 12:17 PM
I often end up re-watching research presentations because I'm terrible at absorbing new information the first time around. This has so often given me a new lead or idea for a tweak in my tooling, that I often re-watch them on a whim even when I'm fairly sure I've understood 100% of the content.
October 26, 2025 at 10:17 AM
Expect is the gift that just keeps on giving. It's almost never consistent, but it's almost always interesting behaviour...
October 23, 2025 at 7:27 AM
Reposted by Thomas Stacey
Found an XSS but got blocked by the CSP?

https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
October 21, 2025 at 9:16 AM
For every BB response that is a bit sad. There's a program that pays out, and is happy to help support your research presentation by being name-dropped. Super hyped for this one!
October 21, 2025 at 6:56 AM