Have you ever found an HTTP desync vulnerability that seemed impossible to exploit due to its complicated constraints? In this blogpost we will explore a new exploitation technique that can be used to ...
We found a real world example of this on Infosec Mastodon where they used a fork of Mastodon that didn't filter HTML correctly. An attacker could then use form hijacking to send credentials to their ...
You can now set any value in the configuration file using an environment variable. This means that you don’t have to create a new configuration file in your CI/CD ...
Reflected cross-site scripting (XSS) arises when an application receives data in an HTTP request, then includes that data in its response in an unsafe way. Applications use a range of processing and ...
When testing, some actions may result in an application terminating your session. For example, an application may automatically log you out if you submit suspicious input. This may prevent you from ...
Martin Doyhenard is a Security Researcher at Portswigger, known for exploiting HTTP Servers and Web Applications. His latest work includes HTTP Response Smuggling and exploiting SAP’s Inter-Process ...
A database connection string specifies information about a data source and the means of connecting to it. In web applications, connection strings are generally used by the application tier to connect ...
What is the impact of a CSRF attack? How to construct a CSRF attack. Lab: CSRF vulnerability with no defenses ...
You can start an API scan in various ways: In both Burp Suite Professional and Burp Suite Enterprise Edition, Burp Scanner parses any API definitions that it encounters as part of its regular crawling ...
In this learning path, you'll explore how simple file upload functions can become a vector for severe attacks. You'll learn how to bypass common defense mechanisms to upload a web shell, enabling full ...
The system requirements for Burp Suite are largely dependent on your intended use for the software. While you can generally perform most tasks on a relatively low-spec machine, some use cases (for ...
Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year ...