Thomas Stacey
t0xodile.com
Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.
Pinned
Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".

Desync vulnerabilities stemming from HTTP/2 downgrading continue to plague even the largest vendors. Have a read to find out how!
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...
www.assured.se
Reposted by Thomas Stacey
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
youtu.be
November 11, 2025 at 2:49 PM
Reposted by Thomas Stacey
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three; you can find the rest here: portswigger.net/web-security...
November 10, 2025 at 2:49 PM
Those who are monitoring academic research paper releases: how? Google Scholar alerts seem okay? Trying to build up my daily research consumption feeds. (Would be convenient if there was an RSS feed somewhere.)
November 10, 2025 at 8:24 AM
Reposted by Thomas Stacey
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!

github.com/CoreyD97/Ins...
Release Initial Release! · CoreyD97/InsiKt
Logger++ is dead, long live InsiKt! It has been a long time since I first adopted Logger++ from @irsdl back in 2017. Since then I have left NCC Group and no longer have access to the repository, so...
github.com
November 8, 2025 at 7:44 PM
Reposted by Thomas Stacey
my #39c3 talk got accepted!!

see you at @ccc.de in december ^^

(yes, it will be livestreamed and recorded)
November 4, 2025 at 2:35 PM
Well then... I can tell by looking at the vulnerable domains that this is working. Interestingly, the PDS scan may be identifying things my own tool has missed. Even if not, its ability to go ahead and try out 0.CL / CL.0 is super fancy. I suspect I'll submit a pull request when the time is right 😁
October 28, 2025 at 12:17 PM
I often end up re-watching research presentations because I'm terrible at absorbing new information the first time around. This has so often given me a new lead or idea for a tweak in my tooling, that I often re-watch them on a whim even when I'm fairly sure I've understood 100% of the content.
October 26, 2025 at 10:17 AM
Expect is the gift that just keeps on giving. It's almost never consistent, but it's almost always interesting behaviour...
October 23, 2025 at 7:27 AM
Reposted by Thomas Stacey
Found an XSS but got blocked by the CSP?

https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
October 21, 2025 at 9:16 AM
For every BB response that is a bit sad, there's a program that pays out and is happy to help support your research presentation by being name-dropped. Super hyped for this one!
October 21, 2025 at 6:56 AM
Reposted by Thomas Stacey
The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...
DEF CON 33 - HTTP 1 1 Must Die! The Desync Endgame - James 'albinowax' Kettle
YouTube video by DEFCONConference
www.youtube.com
October 17, 2025 at 10:20 AM
Reposted by Thomas Stacey
Want to learn how to craft payloads like these?

Read JavaScript for Hackers to master creative XSS techniques and understand exactly why they work.

🧠 Learn to think like a hacker
⚡ Master the art of payload design
Grab your copy 👉 www.amazon.com/JavaScript-h...
October 14, 2025 at 11:17 AM
Reposted by Thomas Stacey
Last chance to catch "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" at the NDC Conference, Manchester. Join me and see just how wild the email RFCs really are.

portswigger.net/research/tal...
October 13, 2025 at 9:00 AM
Reposted by Thomas Stacey
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...
RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame
YouTube video by Cyber Saiyan
www.youtube.com
October 8, 2025 at 2:16 PM
Reposted by Thomas Stacey
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
October 7, 2025 at 2:55 PM
I cannot get over how bonkers the HEAD technique is in relation to desync vulns. I've never gotten a chance to use it in a real-world situation, but finally had a chance this week. Not only does it produce some serious impact, it also just looks incomprehensibly cool when it finally works.
October 3, 2025 at 1:28 PM
Correction: the issue was cross-domain related. BUT a fetch followed by a location change now doesn't reuse a connection... Both requests are towards the same domain.
October 1, 2025 at 2:19 PM
Why would chrome not reuse a connection when two requests are triggered from a script, but WILL reuse a connection when it's all done via the console! Same script, just with <script> tags breaks things...
October 1, 2025 at 1:58 PM
Reposted by Thomas Stacey
One hour till HTTP/1.1 Must Die kicks off at #romhack2025!

Watch the livestream here: m.youtube.com/watch?v=T009...
RomHack Conference 2025 Live Stream
YouTube video by Cyber Saiyan
m.youtube.com
September 27, 2025 at 7:20 AM
Reposted by Thomas Stacey
Episode 20: War Stories with Julien Richard!

@tib3rius.bsky.social & @swiftsecur.bsky.social chat with Julien Richard about his war stories!

Thank you to @portswigger.net for sponsoring today's episode! Check out portswigger.net/burp/ai to learn more about AI in Burp Suite.

Links below!
Burp AI - PortSwigger
Hack smarter, not harder. Seamlessly integrate trusted AI capabilities into Burp Suite - on your terms with Burp AI.
portswigger.net
September 26, 2025 at 2:02 PM
First big oof of the research today. Program has set one of our coolest PoCs so far to informative. Fortunately, it's so cool that we will absolutely be talking about how it all played at some point.

"The technique is what matters", it's still an awesome slide 🔥
September 26, 2025 at 9:35 AM
Twitter has schooled me on this. Don't interpret it as a universal bypass because it is not! Nevertheless, this very silly bypass works on some large groups of customers implementing bad rules...
Pretty sure I just found a hilarious bypass for this... If this works then all those hosts that sit behind Akamai are suddenly much more viable targets.
Another day, another block from Akamai briefly making me think a new bit of detection is breaking the internet 😅. It's my own fault; I have a "Filter WAF" option that I didn't turn on.
September 23, 2025 at 2:26 PM
Reposted by Thomas Stacey
My first post for the @ctbbpodcast.bsky.social Research Lab is live.
Super excited to be part of this team, can't wait to see what crazy research is gonna come from this!
lab.ctbb.show/research/Exp...
Exploiting Web Worker XSS with Blobs
Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API
lab.ctbb.show
September 19, 2025 at 2:28 PM
Reposted by Thomas Stacey
HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...
RomHack Conference 2025 Live Stream
YouTube video by Cyber Saiyan
www.youtube.com
September 18, 2025 at 1:40 PM
Reposted by Thomas Stacey
Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi
portswigger.net
September 17, 2025 at 12:44 PM