Access control bypass via header smuggling, with no desync required! Using header smuggling for more than HTTP desync like this is totally underrated - a lot of defences only filter the CL and TE headers. You can detect these with Parser Discrepancy Scan. www.linkedin.com/posts/jakedm...

New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission. portswigger.net/web-security...

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...

Thanks to everyone who nominated & voted in the top ten! The panel of @irsdl.bsky.social , @agarri.fr , @liveoverflow.bsky.social and myself are hard at work reviewing the 15 finalists... we're hoping to announce the winners next week!

We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors! Browse them here: portswigger.net/web-security...

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring! apply.workable.com/portswigger/...

🔥 CVE-2026-23993: HarbourJwt JWT auth bypass via unknown alg. Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes. Write-up + fix: pentesterlab.com/blog/cve-202...

Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques: portswigger.net/polls/top-10...

Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...

Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.

Turbo Intruder now has API docs! You can easily discover its many advanced features including - pauseMarker for pause-basd desync.. or DoS - decorators for easy response filtering - 'randomPlz' - wordlists.clipboard for lazy attack setup ...and many more! github.com/PortSwigger/...

Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀 thespanner.co.uk/autovader

my new blogpost is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3 lyra.horse/blog/2025/12...

You can now scan for #react2shell in Burp Suite! To enable, install the Extensibility Helper bapp, go to the bambda tab and search for react2shell. Shout-out to Assetnote for sharing a quality detection technique!

🚀 Shadow Repeater just got a big upgrade! It now detects response timing differences. thespanner.co.uk/shadow-repea...

I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y

We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...

Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again! Context: http1mustdie.com cloud.google.com/support/bull...

HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo: youtu.be/BAZ-z2fA8E4

The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

It was an absolute privilege to present at #RomHack2025 with such a vibrant and welcoming community! Thanks to everyone who said hi and shared your stories!

One hour till HTTP/1.1 Must Die kicks off at #romhack2025! Watch the livestream here: m.youtube.com/watch?v=T009...

I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.

HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here: www.youtube.com/watch?v=T009...

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster. The blog post is live! Read it here: portswigger.net/research/web...

We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF. Find out more here: blog.compass-security.com/2025/09/coll... #AppSec #BurpSuite #Pentesting

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

Imagine you have a XSS vulnerability but you have a undefined variable before your injection. Is all hope lost? Not at all you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission. portswigger.net/web-security...

When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence. www.youtube.com/live/B7p8dIB...

I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.

Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" portswigger.net/research/how...

"This strategy creates an avalanche of desync research leads" is somehow an understatement. Take Smuggler for a spin on your largest burp file right now and just watch the issue counter 🔥. If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).

Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!

You can currently watch http/1.1 must die here! Note the link will expire at some point. m.youtube.com/watch?v=ssln...

Watch HTTP/1.1 Must Die live today at 1630 PST! - In person at #defcon33 track 1, main stage - Livestream via YouTube: www.youtube.com/watch?v=ssln...

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

At #BlackHat? Catch "HTTP/1.1 Must Die! The Desync Endgame" today at 3:20 in Oceanside A, Level 2. Hope to see you there!

Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂

Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1: - Watch the livestream from #DEFCON at 16:30 PT on the 8th - Read the whitepaper on our website - Grab the HTTP Request Smuggler update & WebSecAcademy lab Follow for updates & links. It's nearly time!

Our core website uses HTTP/2 end to end, but for maximum irony http1mustdie[.]com is stuck using HTTP/1.1 upstream due to AWS CloudFront limitations! However it's in scope for our bounty program... and if you manage to exploit it with HTTP request smuggling, we'll pay a bonus :)

Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇

You know those non-vulnerabilities that companies get forced to fix for compliance reasons? I've found a full bypass for a common patch strategy. I'm half-tempted to keep it secret for the greater good 😂

Is your target leaking CSP violations left and right? Mikhail Khramenkov reveals how to hijack the onsecuritypolicyviolation event to trigger JS in hidden inputs - when unsafe-inline is in play and styles are blocked. Now live on our XSS cheat sheet. portswigger.net/web-security...

Now live on tools.honoki.net/smuggler.html Let me know what you think! ✨

There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)

New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking...