Lightnews — Scholar-powered news

d4d @zakfedotkin.bsky.social · 6d

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

6 27

d4d @zakfedotkin.bsky.social · 26d

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...

WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine

Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi

portswigger.net

6 13

d4d @zakfedotkin.bsky.social · Sep 11

WebSocket security testing is so painful that this ever -expanding attack surface is largely overlooked. Learn how to dive where others fear to tread with WebSocket Turbo Intruder.
Join me live on Sept 17 at 4PM (GMT+1)

discord.gg/portswigger?...

Join the PortSwigger Discord Server!

A place where security professionals, hobbyists, and passionate Burp users can hang out, chat, and collaborate. | 12858 members

discord.gg

1 4

d4d @zakfedotkin.bsky.social · Sep 3

For a visual walk‑through, see the @steelcon.info livestream recording: youtu.be/wxu1axAdPhw?...

Cookie Chaos: Exploiting Parser Discrepancies - Zack

YouTube video by SteelCon

youtu.be

2 4

d4d @zakfedotkin.bsky.social · Sep 3

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

Cookie Chaos: How to bypass __Host and __Secure cookie prefixes

Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

portswigger.net

1 14 13

d4d @zakfedotkin.bsky.social · Jul 25

I love discrepancies so much that I decided to introduce them to my nickname too @d4d89704243.bsky.social →
@zakfedotkin.bsky.social

Because why be consistent when you can keep people guessing?

1

d4d @zakfedotkin.bsky.social · Jun 26

3

d4d @zakfedotkin.bsky.social · Jun 26

Thrilled to announce: I’ll be presenting a major new version of WebSocket Turbo Intruder at Black Hat Arsenal 2025! This open-source toolkit makes high-speed, advanced WebSocket attacks practical and painless.

1 3 9

d4d @zakfedotkin.bsky.social · May 28

If you missed the original research, you can find it at portswigger.net/research/dra...

Drag and Pwnd: Leverage ASCII characters to exploit VS Code

Control characters like SOH, STX, EOT and ETX were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics

portswigger.net

1 3

d4d @zakfedotkin.bsky.social · May 28

Active Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store

1 6 10

d4d @zakfedotkin.bsky.social · May 7

I'm thrilled to announce my talk "Cookie Chaos: Exploiting Parser Discrepancies" at @steelcon.info ! Catch it live in Sheffield, or later on YoutTube. Check out the full abstract here: portswigger.net/research/tal...

Upcoming Conference Talks - PortSwigger Research

Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.

portswigger.net

5 24

d4d @zakfedotkin.bsky.social · May 1

Thank you @agarri.fr fixed

2

d4d @zakfedotkin.bsky.social · Apr 30

portswigger.net/research/dra...

Drag and Pwnd: Leverage ASCII characters to exploit VS Code

Control characters like SOH, STX, EOT and EOT were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics

portswigger.net

1 1 7

d4d @zakfedotkin.bsky.social · Apr 30

Think you’ve seen every OS command injection trick?
Think again, read our latest blog post!
Link in the comments👇

1 9 26

d4d @zakfedotkin.bsky.social · Mar 18

I’m excited to introduce Namespace Confusion, a novel attack discovered during Gareth's and mySAML Roulette: The Hacker Always Wins research. We uncovered a brutal attack on XML signature validation that destroys authentication in Ruby-SAML!

6 23

d4d @zakfedotkin.bsky.social · Mar 5

Check out the newest version here:
portswigger.net/web-security...

Null byte tricks:
portswigger.net/web-security...

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security Academy

This cheat sheet contains payloads for bypassing URL validation. These wordlists are useful for attacks such as server-side request forgery, CORS ...

portswigger.net

1 3

d4d @zakfedotkin.bsky.social · Mar 5

Today's update to the URL Validation Bypass Cheat Sheet includes a new trick: bypassing domain allow lists using a full URL in the query, submitted by Alexis Hapiot!

This idea came after our previous update from @dyak0xdb, which sparked great discussions! More updates are live. Link in the reply 👇

1 5 20

d4d @zakfedotkin.bsky.social · Feb 6

Check it out here👇
portswigger.net/web-security...

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security Academy

This cheat sheet contains payloads for bypassing URL validation. These wordlists are useful for attacks such as server-side request forgery, CORS ...

portswigger.net

1

d4d @zakfedotkin.bsky.social · Feb 6

We've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!

1 9 28

Reposted by d4d

Gareth Heyes @garethheyes.co.uk · Jan 28

Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique.

portswigger.net/research/byp...

GET /%0D%0ASet-Cookie: foo=bar
403 Forbidden

GET /%E4%BC%8D%E4%BC%8ASet-Cookie: foo=bar
200 OK
Set-Cookie: foo=bar

22 39

d4d @zakfedotkin.bsky.social · Jan 22

Hot out of the oven! The Cookie Sandwich – a technique that lets you bypass the HttpOnly protection! This isn't your average dessert; it’s a recipe for disaster if your app isn’t prepared: portswigger.net/research/ste...

Stealing HttpOnly cookies with the cookie sandwich technique

In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie

portswigger.net

13 34

d4d @zakfedotkin.bsky.social · Dec 20

Ruby secret_key_base can be decrypted from credentials.yml.enc file using following java code:

1

d4d @zakfedotkin.bsky.social · Dec 20

New in SignSaboteur v1.0.6!
Now supports Ruby on Rails Encrypted Cookies:
- Brute force secret keys
- Decrypt cookie values
Update now:

1 2 8

d4d @zakfedotkin.bsky.social · Dec 4

I really liked how this research turned out. I hope you did too.

PortSwigger Research @portswiggerres.bsky.social · Dec 4

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...

Bypassing WAFs with the phantom $Version cookie

HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known

portswigger.net

1 4 14

d4d @zakfedotkin.bsky.social · Nov 27

Hi, Blue Sky! I am a web security researcher at PortSwigger. You can find my latest researches and tools at portswigger.net/research/zak...

Researcher - Zakhar Fedotkin

Zakhar Fedotkin is a security researcher at PortSwigger, known for his work in exploiting vulnerabilities in image processing libraries and HTTP clients.

portswigger.net

3 41