Soroush Dalili 🍏🍐
@irsdl.bsky.social
Hacker (ethical), web appsec specialist, trainer, tools builder & apps breaker, X: @irsdl
https://secproject.com/
https://soroush.me/
https://burpsuite.ninja/
https://secproject.com/
https://soroush.me/
https://burpsuite.ninja/
Reposted by Soroush Dalili 🍏🍐
The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...
Top 10 web hacking techniques of 2025
Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 5, 2026 at 3:40 PM
The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...
Some sites may use direct IP address today if their domain name servers were not with Cloudflare too! There is this opportunity for WAF bypass... please share it , sharing is caring... 🤗
November 18, 2025 at 2:06 PM
Some sites may use direct IP address today if their domain name servers were not with Cloudflare too! There is this opportunity for WAF bypass... please share it , sharing is caring... 🤗
Reposted by Soroush Dalili 🍏🍐
happy cloudflare outage day to all who celebrate
November 18, 2025 at 11:57 AM
happy cloudflare outage day to all who celebrate
With cloudflare being down, and as a result, most things I use being down, I came here to say hi 🤭 I guess I will use other AIs than chatgpt today!
November 18, 2025 at 1:23 PM
With cloudflare being down, and as a result, most things I use being down, I came here to say hi 🤭 I guess I will use other AIs than chatgpt today!
These days, I’m off work, busy taking care of a family member, so this really brightened my day and brought a big smile to my face. 😌 thanks @portswigger.net
April 8, 2025 at 1:06 PM
These days, I’m off work, busy taking care of a family member, so this really brightened my day and brought a big smile to my face. 😌 thanks @portswigger.net
Reposted by Soroush Dalili 🍏🍐
Did you know? DC4420, the London monthly that graced central London for all of the 10s and before, has a new home and a new date!
Greene Man, 383 Euston Road, London, NW1 3AU
April 29
Be there.
www.eventbrite.co.uk/e/dc4420-apr... has details. you don't have to register.
#infosec #security
Greene Man, 383 Euston Road, London, NW1 3AU
April 29
Be there.
www.eventbrite.co.uk/e/dc4420-apr... has details. you don't have to register.
#infosec #security
DC4420 - April 2025
A beta relaunch of the calendar classic DC4420.
www.eventbrite.co.uk
April 7, 2025 at 7:16 PM
Did you know? DC4420, the London monthly that graced central London for all of the 10s and before, has a new home and a new date!
Greene Man, 383 Euston Road, London, NW1 3AU
April 29
Be there.
www.eventbrite.co.uk/e/dc4420-apr... has details. you don't have to register.
#infosec #security
Greene Man, 383 Euston Road, London, NW1 3AU
April 29
Be there.
www.eventbrite.co.uk/e/dc4420-apr... has details. you don't have to register.
#infosec #security
Reposted by Soroush Dalili 🍏🍐
If you like hacking XML, this article is a gold mine! 😱
It includes parser discrepancies, round-trip attacks and my favorite, namespace confusion 🤩
It includes parser discrepancies, round-trip attacks and my favorite, namespace confusion 🤩
You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.
portswigger.net/research/sam...
portswigger.net/research/sam...
SAML roulette: the hacker always wins
Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library
portswigger.net
March 28, 2025 at 6:33 PM
If you like hacking XML, this article is a gold mine! 😱
It includes parser discrepancies, round-trip attacks and my favorite, namespace confusion 🤩
It includes parser discrepancies, round-trip attacks and my favorite, namespace confusion 🤩
Congrats to all the winners (especially @orange.tw) and all researchers who made the 2024 long list! 🥂 Thanks for sharing your work with us! 🫡
To readers: Don’t just read the top 10—start there and then explore the rest. There are many great works beyond the top 10, so don’t limit yourself! 🦾
To readers: Don’t just read the top 10—start there and then explore the rest. There are many great works beyond the top 10, so don’t limit yourself! 🦾
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 4:49 PM
Congrats to all the winners (especially @orange.tw) and all researchers who made the 2024 long list! 🥂 Thanks for sharing your work with us! 🫡
To readers: Don’t just read the top 10—start there and then explore the rest. There are many great works beyond the top 10, so don’t limit yourself! 🦾
To readers: Don’t just read the top 10—start there and then explore the rest. There are many great works beyond the top 10, so don’t limit yourself! 🦾
Reposted by Soroush Dalili 🍏🍐
This year two new security legends have joined the top-ten expert panel - @liveoverflow.bsky.social and @stokfredrik.bsky.social! Excited to see what analysis & insights they bring to the top ten alongside long-time contributors @agarri.fr and @irsdl.bsky.social
January 23, 2025 at 12:37 PM
This year two new security legends have joined the top-ten expert panel - @liveoverflow.bsky.social and @stokfredrik.bsky.social! Excited to see what analysis & insights they bring to the top ten alongside long-time contributors @agarri.fr and @irsdl.bsky.social
Reposted by Soroush Dalili 🍏🍐
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2024
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2024.
portswigger.net
January 15, 2025 at 3:24 PM
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
Please submit any interesting and especially new web/http related topic published in 2024
Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...
portswigger.net/research/top...
Top ten web hacking techniques of 2024: nominations open
Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an
portswigger.net
January 9, 2025 at 8:13 AM
Please submit any interesting and especially new web/http related topic published in 2024
If you are using YSoSerial .Net, we have accepted a few PRs and patched several bugs & improved the ViewState plugin!
Merry Christmas 🎅
github.com/pwntester/ys...
Merry Christmas 🎅
github.com/pwntester/ys...
December 24, 2024 at 11:54 AM
If you are using YSoSerial .Net, we have accepted a few PRs and patched several bugs & improved the ViewState plugin!
Merry Christmas 🎅
github.com/pwntester/ys...
Merry Christmas 🎅
github.com/pwntester/ys...
Reposted by Soroush Dalili 🍏🍐
We are extending our call for papers to January 1, 2025!
We are now targeting an end of January release.
If you have any Linux/ELF related research, projects, or papers, we would love to publish them!
Huge thank you to everyone who has already submitted!
tmpout.sh/blog/vol4-cf...
We are now targeting an end of January release.
If you have any Linux/ELF related research, projects, or papers, we would love to publish them!
Huge thank you to everyone who has already submitted!
tmpout.sh/blog/vol4-cf...
December 16, 2024 at 9:36 PM
We are extending our call for papers to January 1, 2025!
We are now targeting an end of January release.
If you have any Linux/ELF related research, projects, or papers, we would love to publish them!
Huge thank you to everyone who has already submitted!
tmpout.sh/blog/vol4-cf...
We are now targeting an end of January release.
If you have any Linux/ELF related research, projects, or papers, we would love to publish them!
Huge thank you to everyone who has already submitted!
tmpout.sh/blog/vol4-cf...
December 14, 2024 at 10:52 AM
Reposted by Soroush Dalili 🍏🍐
🔥 Get ready for the biggest #SecuriTay yet! 🔥
🦄 500 attendees
🎮 2-day CTF
🤝 Multiple sponsors
📅 Happening 28 | 02 | 2025 - First ticket drop coming soon! 👀
More details at securi-tay.co.uk
🦄 500 attendees
🎮 2-day CTF
🤝 Multiple sponsors
📅 Happening 28 | 02 | 2025 - First ticket drop coming soon! 👀
More details at securi-tay.co.uk
Securi-Tay 2024
The thirteenth annual occurrence of the Securi-Tay conference! Brought to you by @AbertayHackers.
securi-tay.co.uk
December 12, 2024 at 10:22 AM
🔥 Get ready for the biggest #SecuriTay yet! 🔥
🦄 500 attendees
🎮 2-day CTF
🤝 Multiple sponsors
📅 Happening 28 | 02 | 2025 - First ticket drop coming soon! 👀
More details at securi-tay.co.uk
🦄 500 attendees
🎮 2-day CTF
🤝 Multiple sponsors
📅 Happening 28 | 02 | 2025 - First ticket drop coming soon! 👀
More details at securi-tay.co.uk
Reposted by Soroush Dalili 🍏🍐
Extended the starter with shy writers! 😀 If you're not on the list but write about web security, then feel free to reply with the article you're most proud of, and I will add you to the pack!
Make sure to resubscribe to not not miss on the amazing 🌐research!
go.bsky.app/9JXnB17
Make sure to resubscribe to not not miss on the amazing 🌐research!
go.bsky.app/9JXnB17
December 10, 2024 at 10:29 PM
Extended the starter with shy writers! 😀 If you're not on the list but write about web security, then feel free to reply with the article you're most proud of, and I will add you to the pack!
Make sure to resubscribe to not not miss on the amazing 🌐research!
go.bsky.app/9JXnB17
Make sure to resubscribe to not not miss on the amazing 🌐research!
go.bsky.app/9JXnB17
Reposted by Soroush Dalili 🍏🍐
I've released 'brainstorm': an alternative way to do web fuzzing combining my fav fuzzing tool 'ffuf' (from @joohoi.bsky.social )with local LLMs (via Ollama API) to generate smarter filename tests. It usually finds more endpoints with fewer requests. Added a IIS shortname support @irsdl.bsky.social
November 26, 2024 at 8:57 AM
I've released 'brainstorm': an alternative way to do web fuzzing combining my fav fuzzing tool 'ffuf' (from @joohoi.bsky.social )with local LLMs (via Ollama API) to generate smarter filename tests. It usually finds more endpoints with fewer requests. Added a IIS shortname support @irsdl.bsky.social
Reposted by Soroush Dalili 🍏🍐
The "bug bounty hunters and content creators" starter pack is now up to 60 users! Follow this to get instantly connected to the bug bounty community & let me know if I've missed you off!
go.bsky.app/GD7hKPX
go.bsky.app/GD7hKPX
Bug bounty hunters & content creators
Join the conversation
go.bsky.app
November 23, 2024 at 4:21 PM
The "bug bounty hunters and content creators" starter pack is now up to 60 users! Follow this to get instantly connected to the bug bounty community & let me know if I've missed you off!
go.bsky.app/GD7hKPX
go.bsky.app/GD7hKPX
Reposted by Soroush Dalili 🍏🍐
Any bug bounty people around? I'm creating a starter pack of people to follow but it's pretty brief currently! Let me know if you'd like to be added: go.bsky.app/GD7hKPX
November 21, 2024 at 3:23 PM
Any bug bounty people around? I'm creating a starter pack of people to follow but it's pretty brief currently! Let me know if you'd like to be added: go.bsky.app/GD7hKPX
Reposted by Soroush Dalili 🍏🍐
If you ever find yourself investigating random docker images, dive (github.com/wagoodman/dive) is amazingly useful. It lets you see which files changed in each filesystem layer. I've used it to spot config files accidentally left in images :)
GitHub - wagoodman/dive: A tool for exploring each layer in a docker image
A tool for exploring each layer in a docker image. Contribute to wagoodman/dive development by creating an account on GitHub.
github.com
November 20, 2024 at 12:17 PM
If you ever find yourself investigating random docker images, dive (github.com/wagoodman/dive) is amazingly useful. It lets you see which files changed in each filesystem layer. I've used it to spot config files accidentally left in images :)
Reposted by Soroush Dalili 🍏🍐
That’s what App Passwords are made for 🔒
Go to "Settings > Advanced > App Passwords" to create one for each 3rd-party app
You can login with your handle and this specific password ✅
Go to "Settings > Advanced > App Passwords" to create one for each 3rd-party app
You can login with your handle and this specific password ✅
November 19, 2024 at 12:34 PM
That’s what App Passwords are made for 🔒
Go to "Settings > Advanced > App Passwords" to create one for each 3rd-party app
You can login with your handle and this specific password ✅
Go to "Settings > Advanced > App Passwords" to create one for each 3rd-party app
You can login with your handle and this specific password ✅
Reposted by Soroush Dalili 🍏🍐
The best we have right now in the "My pins" feed
You reply with a pin emoji to the post you want to bookmark
And the feed shows all your messages containing a pin
bsky.app/profile/josh...
You reply with a pin emoji to the post you want to bookmark
And the feed shows all your messages containing a pin
bsky.app/profile/josh...
For anyone wondering why some Bluesky users reply to posts with the pushpin emoji 📌
Ahh, this is a little funny if you’re not used to using feeds, because it’s essentially a workaround. Bluesky doesn’t have a normal bookmarking feature yet. But informally, if you reply to a post with that pin emoji, it’ll show up in this feed (which only shows the pins of whoever’s looking at it)
November 18, 2024 at 12:26 AM
The best we have right now in the "My pins" feed
You reply with a pin emoji to the post you want to bookmark
And the feed shows all your messages containing a pin
bsky.app/profile/josh...
You reply with a pin emoji to the post you want to bookmark
And the feed shows all your messages containing a pin
bsky.app/profile/josh...
I wish I had the bookmark ability here as well. Any pointers?
November 17, 2024 at 9:46 PM
I wish I had the bookmark ability here as well. Any pointers?
Reposted by Soroush Dalili 🍏🍐
As there's more people showing up here who are into Web Application Security and I couldn't find an existing starter pack for it, I decided to create one :)
If you do webappsec stuff and want added ping me :)
go.bsky.app/NB1hgC
If you do webappsec stuff and want added ping me :)
go.bsky.app/NB1hgC
November 15, 2024 at 4:29 PM
As there's more people showing up here who are into Web Application Security and I couldn't find an existing starter pack for it, I decided to create one :)
If you do webappsec stuff and want added ping me :)
go.bsky.app/NB1hgC
If you do webappsec stuff and want added ping me :)
go.bsky.app/NB1hgC