I just confirmed that yes, browser's Tor mode appears to leak all the .onion addresses you visit to your DNS provider
reddit.com/r/netsec/comme
James Kettle
@albinowax
Director of Research at PortSwigger Burp Suite
Check out my website for published research, other social platforms & contact details
James Kettle’s posts
I've added Log4Shell detection to ActiveScan++. Grab v1.0.23 from here: github.com/PortSwigger/ac
Manually testing for IDOR can get pretty tedious... so Backslash Powered Scanner will now recognise and flag iterable inputs!
If you're interested in the background and philosophy behind BPS, check out the presentation:
portswigger.net/research/backs
A few people had issues figuring out how to use HTTP Request Smuggler, so I've posted step-by-step instructions on how to use it to solve an online lab:
Looking for a mentor? I don't tutor, but I do lead a team dedicated to teaching web hacking to everyone for free.
Every topic is designed by hackers - , , and myself. You're in good hands. Start here:
How to find a HTTP/2 playmate:
1. Install Burp 2020.8 and HTTP Request Smuggler
2. Configure scope & browse some bug-bounty sites
3. Go to proxy, hide out of scope traffic
4. Ctrl+A, right click->Extensions->pick your scan
5. Wait
portswigger.net/research/http2
I'm thrilled to announce "HTTP/2: The Sequel is Always Worse" will premiere at #BHUSA!
blackhat.com/us-21/briefing
Authentication bypass by supplying a regex as a session token - seems like a cool variant on the classic NoSQL 'where' injection
I've designed labs so you can practice numerous HTTP Host header attacks including advanced password reset poisoning, host-header SSRF, and auth bypass!
Watch me attempt to explain HTTP Request Smuggling in 3 minutes, in a collaboration with :
When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users.
Just watched "Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond" - must-read research by 's Daniel Thatcher
Practical Web Cache Poisoning: Redefining 'Unexploitable' portswigger.net/blog/practical
I've published some thoughts and advice on breaking into web security research:
Annual reminder: you can find all my past research, whitepapers & presentations helpfully archived at skeletonscribe.net
Often the oldest techniques are the most valuable.
During last year's #BlackFriday promotion, half the internet bought a Burp Suite Certified Practitioner exam but mysteriously got cold feet about taking it. We feel really guilty about taking your $10, so this year we have a new deal: you prepare, we pay:
HTTP/2: The Sequel is Always Worse is coming out tomorrow! Featuring 9 months of research condensed into 40 minutes of raw HTTP/2 exploitation. You can watch the presentation live at both and ...
"Abusing HTTP hop-by-hop request headers" by was nominated as a top web hacking technique back in 2019, and has just blossomed into an F5 BIG-IP unauth RCE!
nathandavison.com/blog/abusing-h
portswigger.net/research/top-1
github.com/horizon3ai/CVE
The two PayPal bugs have now been publicly disclosed.
hackerone.com/reports/488147
hackerone.com/reports/510152
It was a pleasure to work with the PayPal team, I'll definitely be paying close attention to their website in future :)
The ActiveScan++ #Log4Shell check has now been superseded by dedicated tools like burp-log4shell, which can detect asynchronous and deferred variations. I hope you found it useful! Go switch :)
I'm thrilled to announce Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling. This will premiere live in Vegas at ' #BHUSA. Check out the teaser:
blackhat.com/us-22/briefing
Using oldschool DNS attacks to pwn password resets. It's amazing that this still works - awesome finding by !
Blind SSRF in Slack via
"X-Forwarded-Host: example.com@internal-ip" - nice find!
To enhance content discovery, I highly recommend dynamic wordlists like Turbo Intruder's 'wordlists.observedWords'. This gets populated during passive scanning if you enable the 'learn observed words' setting. Built-in lists are documented here:
github.com/PortSwigger/tu
A few people asked advice on how to get into web security research, and how I personally select research topics. I can't give a one-sentence answer to that but this post is worth a read:
"I can easily attribute over $250,000 worth of bounties to this class of attack" -
A hacking technique can seem blindingly obvious, and still be massively overlooked. Still love this post from 2016.
web.archive.org/web/2016090708
JSON Interoperability vulnerabilities sound like they have some serious bug-bounty potential. Nice work once again by /
We've just published a new topic on GraphQL! Learn how to abuse introspection, discover hidden data, bypass rate-limits, and trigger CSRF with this popular API technology.
I've updated Browser-Powered Desync Attacks with a screenshot showing how HTTP pipelining is easily mistaken for request smuggling. This may be a useful reference link for triagers:
portswigger.net/research/brows
Found a site fetching the Referer header? Maybe you can use DNS Rebinding to steal its AWS creds! Quality research by
labs.mwrinfosecurity.com/blog/from-http
When hacking, never assume that something won't happen just because it makes no sense...
Annual reminder: you can find all my past & present research helpfully archived at skeletonscribe.net Often the oldest techniques are the most valuable.
In 2017 I won a CTF, leading to an invite to my first HackerOne live hacking event. I flew to New York, landed in a money-fevered environment, deployed the secret tool I'd spent months developing, and made $100. Sometimes you get money, sometimes you get learning opportunities.
It's great that people are reading this and applying it. But when you're testing a race condition on registration, there is no need to use my email address!
Just finished recording "HTTP/2: The Sequel is Always Worse" for #BHUSA! It currently contains 0-days in multiple major vendors, hopefully they'll manage to patch in time...
"An Attacker is able to bruteforce the Admin account until it is locked. After that an empty Password can be used to authenticate as admin to get access" - classic find by
Bug bounty protip: stop your browser snitching on your XSS findings with a proxy match/replace rule
I'm thrilled to announce "Smashing the State Machine: the True Potential of Web Race Conditions" will premiere at ' #BHUSA this August! Looking forward to sharing some exploits that blew my mind!
blackhat.com/us-23/briefing
Wondering what this bug was? You'll get the full story on this and some much nastier stuff in "Web Cache Entanglement: Novel Pathways to Poisoning" at
blackhat.com/us-20/briefing
Following months of research, I've just submitted to Black Hat USA! This talk will feature my messiest, highest-risk attack-technique yet. #BHUSA
If you find an x-user desync vulnerability and it doesn't get classed as P1, it might be time to try out these quality exploitation techniques from
drive.google.com/file/d/1sbcq-f
youtube.com/watch?v=suxDcY
Thanks for listening! Turbo Intruder is now available via the BApp store. Code's here: github.com/portswigger/tu
I've got a blog post coming next week for those who missed the stream.
In the last year my understanding of how webservers handle HTTP has been proven wrong so many times, I'm about to try an attack that I believe is completely impossible, just in case I'm wrong 😂
Ever wondered how I choose what topic to research? I've shared my personal approach, using Smashing the State Machine as a case-study:
Sometimes our research hits a brick wall, but that’s nothing to be ashamed of. We’ve created 8 ‘impossible’ labs documenting common unsolved XSS scenarios. By openly declaring what we can’t exploit, we hope to help further research in this field
I'm thrilled to announce I'll be presenting 'HTTP Desync Attacks: Smashing into the Cell Next Door' at #BHUSA! Check out the abstract here: blackhat.com/us-19/briefing
This update to HTTP Request Smuggler also adds a new attack type: "Launch all scans". Hope it's useful (also, hope you have a big monitor...)
portswigger.net/research/how-t
Backslash Powered Scanner can now detect proxy subfolder escapes using 's path normalization research from last year - just enable 'experimental folder attacks'.
HTTP Request Smuggling in Node/ATS via chunk extensions, by
hackerone.com/reports/1238099
github.com/mattiasgrenfel
Update: I've found my first vulnerability in LinkedIn, and also my account has been suspended 😂
Quote
After about ten years of putting it off, I've joined LinkedIn in case this social network explodes. I'll mostly use it to share notable research:
linkedin.com/in/james-kettl
Keep an eye out for headers called '0', because sometimes you'll find stuff like this... #BugBountyTips
Turbo Intruder supports final-byte synchronisation to help find this type of bug. You can see how to use it here: github.com/PortSwigger/tu
Quote
Microsoft Account Takeover! 
Thank you very much @msftsecresponse for the bounty! 

Write up - thezerohack.com/how-i-might-ha
ActiveScan++ should now detect the Ruby on Rails file disclosure (CVE-2019-5418). Have a good weekend. github.com/albinowax/Acti
github.com/mpgn/CVE-2019-
The top 10 web hacking techniques of 2019 has some new contenders, thanks to community nominations. Keep them coming!
I'm thrilled to announce my upcoming #BHUSA talk -
"Web Cache Entanglement: Novel Pathways to Poisoning"
blackhat.com/us-20/briefing
#bugbounty protip: If you're posting a writeup that might get shared outside the bounty community, don't mention the bounty amount; it's all anyone will discuss.
We've just updated the Top 10 Hacking Techniques of 2020 candidate list with 13 new community nominations! Thanks for the support so far, keep them coming!
Sometimes, alert() just isn't scary enough. and I helped design some labs where you can practise XSS exploitation by stealing cookies, snaffling passwords and CSRFing settings:
I've just submitted my talk proposal to #BHUSA! Been working on this research since September... can't wait to share it.
This is awesome! I long suspected server-side formula injection was possible but never proved it. Nice one bishopfox.com/blog/2018/06/s
You can find a curated list of my past research, tools & presentations at skeletonscribe.net - Now with a new section on how to tackle novel research.
CVE-2019-16276: HTTP Request Smuggling in Golang groups.google.com/forum/m/#!topi
Blocking requests containing 'burpcollaborator.net' is a terrible defence, but that doesn't stop people using it. If you're scanning websites that don't have your IP whitelisted, I highly recommend using a private collaborator server:
I've just updated HTTP Request Smuggler to make certain techniques stealthier, support padding to prevent 'dechunking', and automatically launch proof-of-concept attacks to confirm vulnerabilities. I'll write up the details shortly.
Facebook's servers give a mystery error if you send any HTTP header that contains " and ends in \. But not if you omit the " or the \ isn't at the end 🤔
This cryptic and likely pointless finding was brought to you by Backslash Powered Scanner
portswigger.net/research/backs
I didn't have space to discuss this in my talk, but Param Miner is a seriously powerful general purpose tool for finding that extra bit of overlooked attack surface github.com/PortSwigger/pa
If you have the RAM, I highly recommend enabling 'learn observed words' :)
I've updated the Top 10 Hacking Techniques of 2020 entry list with another seven quality entries. The nomination phase closes on Sunday so this is your last chance to submit!
Turbo Intruder 1.0.15 has a major quality of life enhancement: it now remembers your window size! Also you can use ctrl+enter to start/stop attacks. I've updated the original post to document recent features:
The verdict is in! Following a community vote and extensive deliberation, our expert panel has selected the Top 10 Web Hacking Techniques of 2017 portswigger.net/blog/top-10-we
The Web Security Academy labs are now covered by our bug bounty program! If you can get root or escape our containers, we'd love to hear from you. (Sorry, we're not paying for XSS :)
Start here:
Amazon is now running 'HTTP Desync Guardian' on their load balancers, interesting!
I'm sorry to say the vaunted 'X-Custom-IP-Authorization' header won't work on real websites because we made it up for a lab as an example of a non-standard custom header name.
portswigger.net/web-security/i
Quote
How to find authentication bypass vulnerabilities.
Focus. I added headers.
Request
GET /delete?user=test HTTP/1.1
Response
HTTP/1.1 401 Unauthorized
Request
GET /delete?user=test HTTP/1.1
X-Custom-IP-Authorization: 127.0.0.1
Response
HTTP/1.1 302 Found
#bugbounty #bugbountytip
I've updated my Practical Web Cache Poisoning paper to outline how to handle scenarios where you find a cache poisoning vulnerability but can't replicate it outside Burp Suite
SSRF->Telnet->RCE chain in Scrapy, found by
I'm writing up the results of the Top 10 Web Hacking Techniques of 2021 and the research quality this year is astounding! Could have easily done a top 20.
Got bored and added a small new convenience feature to Turbo Intruder 1.0.17: wordlists.clipboard. Happy Easter! github.com/PortSwigger/tu
Hope everyone's having some fun getting creative with HTTP/2! But if you just want to send some requests really fast... check out the Turbo Intruder H/2 integration: github.com/PortSwigger/tu
Ever hijacked an OAuth flow with host header poisoning? Awesome, innovative work by
Well-earned congratulations to , , Olivier Arteau, , , , Robin Peraglie, @9r4shar4j4y/ and Luan Herrera! Your research is an inspiration to us all 🎉
Thanks to everyone who attended Browser-Powered Desync Attacks, hope you enjoyed it! If you missed it but you're in the area, I'll be doing a repeat at 15:30 on Friday at #DEFCON. You can find the whitepaper, slides, code and labs at
Param Miner v1.26 is now out, with bugfixes and a shiny new built-in wordlist from
wordlists.assetnote.io
github.com/PortSwigger/pa
I'm thrilled to announce 'HTTP Desync Attacks: Smashing into the Cell Next Door' is coming to 27! Details here: skeletonscribe.net #DEFCON
I've just released Backslash Powered Scanner v1.20. This is a fairly big refactor to lay the foundation for future enhancements. It also adds support for bulk-scanning.
portswigger.net/research/backs
This request smuggling vulnerability in a US Department of Defence system is a solid example of the multiple-frontend problem:
Solutions are now available for the HTTP Desync Attacks labs portswigger.net/web-security/r by
I know quite a few of you have been waiting for this :)
My (shaky) understanding of this is that Golang's network stack attempts to parse HTTP headers as ~UTF-8 even though everyone else treats them as ASCII. If correct, this enables quite a range of interesting attacks on both clients and servers.
I'm attempting to kick off some research on a topic unrelated to request smuggling & cache poisoning, and wow it's a struggle. Specialism is dangerous stuff.
5.5 hours until HTTP/2: The Sequel is Always Worse premieres at #BHUSA! The presentation is quite fast-paced and builds on concepts from HTTP Desync Attacks, so if you have time you might want to refresh your memory on that:
My final presentation of HTTP Desync Attacks will be at Black Hat Europe next week. New content includes a novel desync technique, major automation improvements, a defensive case-study, and updated bounty figures #BHEU blackhat.com/eu-19/briefing
My presentation of HTTP Desync Attacks at #OWASP Global AppSec Amsterdam next week will feature three all-new, freshly proven desync techniques. I'll release them publicly shortly after.
Just been shown an awesome race attack by on Shopify for $15k back in 2017! This is the same attack concept described in my Gitlab multi-endpoint example. You can practise on this lab:
portswigger.net/research/smash
portswigger.net/web-security/r
Need Turbo Intruder to go even faster? Try identifying the datacenter the target website is hosted in, spinning up your own machine there, then running Turbo via the command line interface:
I'm thrilled to announce I'll be presenting a keynote at Berlin, exploring the topic of vulnerabilities that most people miss, and how to (maybe) find them.
#NullconBerlin2022
nullcon.net/berlin-2022/co
"Smashing the State Machine: the true potential of web race conditions" is coming to #DEFCON31!! Can't wait to share this and unleash some chaos. Check out the abstract here: