PortSwigger Research (@PortSwiggerRes)'s Twitter Profile
PortSwigger Research

@PortSwiggerRes

Web security research from the team at @PortSwigger

ID:1177545689460592640

Link: https://portswigger.net/research
Joined: 27-09-2019 11:29:18

886 Tweets

87.2K Followers

7 Following

PortSwigger Research (@PortSwiggerRes)

Chrome's introduced a new defence against dangling markup attacks, which breaks our lab. Can you find the sneaky alternative solution?

portswigger.net/web-security/c…

James Kettle (@albinowax)

There's still a load of potential for further research and discoveries in HTTP request smuggling. This massive-impact finding from I am d3d (dead, мёртв, 死了) exploiting Akamai/F5 is a great example:
blog.malicious.group/from-akamai-to…

PortSwigger Research (@PortSwiggerRes)

Here's a Bambda we wrote to identify responses with multiple </html> tags. It got some false-positives due to inline JS, but also revealed a page that we're pretty sure is meant to be behind authentication, and a completely unexpected source code leak!
James Kettle (@albinowax)

Tired of missing research posts because your social media platform suppresses posts with links to keep people on-site? Try RSS:

//portswigger.net/research/rss
//reddit.com/r/websecurityresearch/.rss

James Kettle (@albinowax)

Yesterday I published research into adapting the single-packet attack to target other protocols.

Today, Apache 2.4.58 was released with support for bootstrapping WebSockets via HTTP/2 🎉

PortSwigger Research (@PortSwiggerRes)

We've just published our findings on applying the single-packet attack to other popular network protocols. If you're looking for race conditions or research ideas, you'll find some leads here:

portswigger.net/research/the-s…

James Kettle (@albinowax)

The new 'Bambda' feature that just landed in Burp Suite 2023.10.3 early-adopter is crazy powerful.

I just filtered through 250,000 requests in my proxy history to find ~70 with an incorrect response Content-Length!
PortSwigger Research (@PortSwiggerRes)

We've just published 'How to build custom scanners for web security automation', using a recent dive into automated race-condition detection by James Kettle as a case study. Enjoy!

portswigger.net/research/how-t…

PortSwigger Research (@PortSwiggerRes)

Found NoSQL injection in MongoDB but struggling to locate interesting data? You can extract field names using this injection:

'$where':'Object.keys(this)[0].match('^.{0}a.*')'

Try it on the lab here: portswigger.net/web-security/n…

James Kettle (@albinowax)

'How do you choose what topic to research?' This was the number one question I was asked at NULLCON. As it happens I've already published a post exploring this! Check it out here:

portswigger.net/research/how-i…

Web Security Academy (@WebSecAcademy)

🔉New topic alert! 🔉

Dive into the world of NoSQL database security with the brand new NoSQL topic - read through the learning materials, then work through the labs to test your knowledge.

portswigger.net/web-security/n…

PortSwigger Research (@PortSwiggerRes)

Testing broken sites with DOM Invader enabled? Come across a situation where eval throws an exception? This post explains why it happens and what you can do to fix it and carry on testing ...

portswigger.net/blog/dom-invad…

PortSwigger Research (@PortSwiggerRes)

Have you found XSS inside a function call but severely restricted and can't use the characters `, (), ?, [], or ,? After a discussion on Twitter, Mathias Karlsson and Frans Rosén found ways of getting around that restriction. We've updated our cheat sheet:

portswigger.net/web-security/c…

James Kettle (@albinowax)

The recording for 'Smashing the state machine: the true potential of web race conditions' is now live, courtesy of DEF CON! Watch it here - or catch the updated edition in-person at NULLCON later this week!
youtube.com/watch?v=tKJzsa…

James Kettle (@albinowax)

I'm pleased to announce the NULLCON edition of Smashing the State Machine will feature new content on adventures in race-condition automation, and applying the single-packet attack to other protocols!
nullcon.net/goa-2023/speak…

PortSwigger Research (@PortSwiggerRes)

Burp Suite 2023.10 is harder to fingerprint than earlier versions as it now sets 'Accept-Encoding: gzip, deflate, br'. If you're still blocked, you might bypass it by tinkering with your TLS ciphers using 'Network->TLS -> Use custom protocols and ciphers'

portswigger.net/burp/documenta…

James Kettle (@albinowax)

About Burp Suite and your RAM...

Over time, Java deliberately uses all the RAM you feed it, in order to minimise CPU cycles spent freeing memory. To feed it less memory, you can use the -XX:MaxRAMPercentage argument. For other RAM tips see:
portswigger.net/burp/documenta…
