James Kettle (@albinowax)'s Twitter Profile
James Kettle

@albinowax

Director of Research at PortSwigger Burp Suite

Check out my website for published research, other social platforms & contact details

ID: 109850328

Website: https://jameskettle.com/
Joined: 30-01-2010 14:01:28

4.3K Tweets

70.3K Followers

83 Following

James Kettle (@albinowax):

Can't speak for everyone but it makes me quite uncomfortable when people send me sensitive info in collaboration requests before I've agreed to help. If their bug gets leaked/duped/patched I don't want them blaming me.

In the words of Schneier Blog, 'data is a toxic asset'

PortSwigger Research (@PortSwiggerRes):

We've just published 'How to build custom scanners for web security automation', using a recent dive into automated race-condition detection by James Kettle as a case study. Enjoy!

portswigger.net/research/how-t…

James Kettle (@albinowax):

Attendees at NULLCON also asked about cool upcoming Burp Suite features...

There's some crowd pleasers like 'Notes Everywhere', but I'm most excited about 'code your own view filters' - this innocuous feature has massive potential for power users: portswigger.net/burp/pro/roadm…

James Kettle (@albinowax):

'How do you choose what topic to research?' This was the number one question I was asked at NULLCON. As it happens I've already published a post exploring this! Check it out here:

portswigger.net/research/how-i…

Web Security Academy (@WebSecAcademy):

🔉New topic alert! 🔉

Dive into the world of NoSQL database security with the brand new NoSQL topic - read through the learning materials, then work through the labs to test your knowledge.

portswigger.net/web-security/n…

James Kettle (@albinowax):

Thanks everyone for coming to my talk yesterday, hope you found it useful. It's been great meeting the NULLCON community!

James Kettle (@albinowax):

Just confirmed my race-condition live demo works just fine from Goa! I know logically that the technique means distance to the target has no effect... but it still surprises me every time. See you at 11:45 tomorrow NULLCON!

James Kettle (@albinowax):

The recording for 'Smashing the state machine: the true potential of web race conditions' is now live, courtesy of DEF CON! Watch it here - or catch the updated edition in-person at NULLCON later this week!
youtube.com/watch?v=tKJzsa…

James Kettle (@albinowax):

Really excited for the next 3 upcoming Web Security Academy topics! Got some much-requested hits and topics we've been afraid to tackle earlier (but not *that* topic)

Web Security Academy (@WebSecAcademy):

Been trying to find the best way to get started on the Web Security Academy?

Introducing learning paths - a carefully curated, structured approach to develop knowledge and enhance your skills.

portswigger.net/blog/new-learn…

James Kettle (@albinowax):

While the infosec community ponders where to settle, you can also find me at:

@[email protected]
bsky.app/profile/jamesk…
linkedin.com/in/james-kettl…

Can't wait till everyone's back on one platform. At least I don't have a newsletter yet!

James Kettle (@albinowax):

I've just released an update to Backslash Powered Scanner which fixes some annoying false positives caused by WAFs. More updates incoming :)
github.com/PortSwigger/ba…

James Kettle (@albinowax):

I'm pleased to announce the NULLCON edition of Smashing the State Machine will feature new content on adventures in race-condition automation, and applying the single-packet attack to other protocols!
nullcon.net/goa-2023/speak…

PortSwigger Research (@PortSwiggerRes):

Burp Suite 2023.10 is harder to fingerprint than earlier versions as it now sets 'Accept-Encoding: gzip, deflate, br'. If you're still blocked, you might bypass it by tinkering with your TLS ciphers using 'Network->TLS -> Use custom protocols and ciphers'

portswigger.net/burp/documenta…

PortSwigger (@PortSwigger):

Anyone going to be attending Nullcon Goa on 23 September?

If so, it's your last chance to catch the live presentation of James Kettle's 'Smashing the state machine: the true potential of web race conditions' … NULLCON

portswigger.net/research/talks