Gareth Heyes
@garethheyes.co.uk
javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'>

https://garethheyes.co.uk/#latestBook
Pinned
In a shameless effort to promote my book, I've crafted some very special vectors for you. If you like them, please purchase my book to read more.

www.amazon.com/dp/B0BRD9B3GS
I meant to have a break from the computer on my day off...but I couldn't resist. I've updated my blog with cool effects!
December 18, 2025 at 8:54 PM
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
December 16, 2025 at 3:31 PM
Reposted by Gareth Heyes
Looking for a Christmas gift for yourself? #burp #training #2026

There are 9 seats left for the English-speaking session, and 5 for the French-speaking one.
The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published 📅

- March 24th to 27th, in French 🇫🇷
- April 14th to 17th, in English 🇬🇧

hackademy.agarri.fr/2026

PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon 🎁
December 13, 2025 at 1:39 PM
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀

thespanner.co.uk/autovader
AutoVader - The Spanner
Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...
December 9, 2025 at 12:22 PM
Reposted by Gareth Heyes
New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html
December 7, 2025 at 9:14 PM
Delighted to present at NDC Manchester. If you attended the talk and want the materials you can grab them from here:

github.com/portswigger/...
GitHub - PortSwigger/splitting-the-email-atom
December 4, 2025 at 6:02 PM
Burp Hackvertor has a bunch of new shortcuts and functionality. Try them out in Burp. They are activated from a Burp repeater request.
December 3, 2025 at 12:29 PM
On Thursday I'm presenting "Splitting the email atom: exploiting parsers to bypass access controls" at NDC Manchester. Please join me if you want to find out how to turn an RFC-compliant email address into RCE.

portswigger.net/research/tal...
Upcoming Conference Talks - PortSwigger Research
Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.
portswigger.net
December 1, 2025 at 11:14 AM
This is the last weekend "JavaScript for hackers" will be available for $13.37. HackFriday! Grab yours now while you can...

www.amazon.com/JavaScript-h...
JavaScript for hackers: Learn to think like a hacker
November 28, 2025 at 1:22 PM
Hackvertor 2.2.33 released!

- New MultiEncoder window (CTRL+ALT+M) for applying multiple transformations across layers and sending to Repeater tab
- WebSockets support including a WebSocket handler and a new WebSocket setting
- Improved auto decoding
November 28, 2025 at 12:17 PM
HackFriday starts now

JavaScript for Hackers is on sale for $13.37 and the deal runs past Hack Friday

Boost your payload skills and sharpen your hacking game

Grab it while it lasts 🔥

www.amazon.com/JavaScript-h...
November 20, 2025 at 12:45 PM
If you are planning to buy the paperback version of "JavaScript for hackers" I'd wait till Friday as I'm going to run a promotion for Black Friday. Also it makes a good Christmas present 🎁
November 19, 2025 at 1:08 PM
Just released a major update to Hackvertor:

History logging: your conversions are now replayable and stored in the project file.

Tag-Finder window (props to @CoreyD97): filter and insert tags from within the UI. CTRL+ALT+F

Lastly: Tab persistence

thespanner.co.uk/hackvertor-h...
Hackvertor history and tag finder - The Spanner
I've been pretty busy with side projects lately and I've found using Claude code I can work on multiple features and projects easily at the same time. I did lots of refactoring with Claude to get the ...
November 19, 2025 at 12:25 PM
I'm currently preparing and practicing my talk for NDC Manchester

portswigger.net/research/tal...
November 19, 2025 at 10:50 AM
Demo of the new Shadow Repeater response timing differences.
November 18, 2025 at 2:47 PM
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.

thespanner.co.uk/shadow-repea...
Shadow Repeater v1.2.3 release - The Spanner
The new version of Shadow Repeater has been released with a couple of cool new features. Timing differences Shadow Repeater analyses your Repeater requests and looks for response differences but it wa...
November 18, 2025 at 12:59 PM
Coming to Hackvertor soon...
Big thanks to CoreyD97 for the suggestion!
November 14, 2025 at 10:45 PM
Reposted by Gareth Heyes
Last chance to catch "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" at the NDC Conference, Manchester. Join me and see just how wild the email RFCs really are.

portswigger.net/research/tal...
October 13, 2025 at 9:00 AM
Reposted by Gareth Heyes
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
November 11, 2025 at 2:49 PM
Reposted by Gareth Heyes
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
November 10, 2025 at 2:49 PM
Reposted by Gareth Heyes
I only released InsiKt last night, but I've already made a great improvement to row filtering.

Filtering 130k entries with regex now takes only 2 seconds! 🔥
November 9, 2025 at 2:00 PM
Reposted by Gareth Heyes
This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞
From bit flip to RCE in Ollama! 🦙

Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally:

www.sonarsource.com/blog/ollama-...

#security #vulnerability #llm #ai
November 4, 2025 at 5:45 PM
Firefox Nightly introduces the setHTML() method, which is like a native DOMPurify. You can easily test it here:
portswigger-labs.net/mxss/

Set HTMLSanitizer ✅
Auto update ✅

I'm trying to break it, I encourage you to break it too
November 3, 2025 at 12:26 PM
New Safari vector:

Instead of using window name, I use document.URL to smuggle the payload and the title attribute to create the TypeError XSS.

Hash:
#'-alert(1)//

PoC:
portswigger-labs.net/xss/xss.php?...
October 30, 2025 at 12:48 PM
You can now create private vectors on Shazzer. Useful if you're working on something you're not ready to share yet.

shazzer.co.uk/blog/shazzer...
Shazzer now has private vectors - Shazzer
When I first designed Shazzer, my goal was to ensure that even if an account were compromised, no private data could be stolen - because there simply wasn’t any private data to begin with. This was a ...
October 27, 2025 at 8:08 PM