Thomas Stacey
@t0xodile.com
Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.
Pinned
Thomas Stacey
@t0xodile.com
· May 22
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...
www.assured.se
Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".
Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!
Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!
Reposted by Thomas Stacey
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
Turning List-Unsubscribe into an SSRF/XSS Gadget
The List-Unsubscribe SMTP header is standardized but often overlooked during security assessments. It allows email clients to provide an easy way for end-users to unsubscribe from mailing lists.
This ...
security.lauritz-holtmann.de
December 23, 2025 at 7:38 AM
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
Reposted by Thomas Stacey
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
December 16, 2025 at 3:31 PM
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
Reposted by Thomas Stacey
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀
thespanner.co.uk/autovader
thespanner.co.uk/autovader
AutoVader - The Spanner
Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...
thespanner.co.uk
December 9, 2025 at 12:22 PM
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀
thespanner.co.uk/autovader
thespanner.co.uk/autovader
Reposted by Thomas Stacey
When looking for postMessage vulnerabilities, the FancyTracker Firefox extension can be very useful.
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
November 25, 2025 at 12:03 PM
When looking for postMessage vulnerabilities, the FancyTracker Firefox extension can be very useful.
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
Reposted by Thomas Stacey
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
github.com/rs/cors/issu...
github.com/rs/cors/issu...
With some CORS configurations, some handlers can introduce synchronisation bugs and cause data races · Issue #198 · rs/cors
Problem Presumably for performance, the library (v1.11.1 and some older versions) reuses some non-exported slice variables and struct field from one middleware call to the next: package-level var h...
github.com
November 21, 2025 at 7:44 PM
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
github.com/rs/cors/issu...
github.com/rs/cors/issu...
Desync issues are so finicky which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
November 20, 2025 at 9:47 AM
Desync issues are so finicky which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
Reposted by Thomas Stacey
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
Shadow Repeater v1.2.3 release - The Spanner
The new version of Shadow Repeater has been released with a couple of cool new features.
Timing differences
Shadow Repeater analyses your Repeater requests and looks for response differences but it wa...
thespanner.co.uk
November 18, 2025 at 12:59 PM
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
After the whole... Expect breaks the internet debacle (not that this is past tense, it clearly still does) I was pretty sure another header was gonna be useful for desync things... Today, I think I actually have an exploit that works specifically due to that header's weirdness. 🔥
November 13, 2025 at 3:53 PM
After the whole... Expect breaks the internet debacle (not that this is past tense, it clearly still does) I was pretty sure another header was gonna be useful for desync things... Today, I think I actually have an exploit that works specifically due to that header's weirdness. 🔥
Reposted by Thomas Stacey
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
youtu.be
November 11, 2025 at 2:49 PM
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
Reposted by Thomas Stacey
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
November 10, 2025 at 2:49 PM
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
Those who are monitoring academic research paper releases. How? Google scholar alerts seems okay? Trying to build-up my daily research consumption feeds. (Would be convenient if there was an RSS feed somewhere)
November 10, 2025 at 8:24 AM
Those who are monitoring academic research paper releases. How? Google scholar alerts seems okay? Trying to build-up my daily research consumption feeds. (Would be convenient if there was an RSS feed somewhere)
Reposted by Thomas Stacey
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!
github.com/CoreyD97/Ins...
github.com/CoreyD97/Ins...
Release Initial Release! · CoreyD97/InsiKt
Logger++ is dead, long live InsiKt!
It has been a long time since I first adopted Logger++ from @irsdl back in 2017. Since then I have left NCC Group and no longer have access to the repository, so...
github.com
November 8, 2025 at 7:44 PM
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!
github.com/CoreyD97/Ins...
github.com/CoreyD97/Ins...
Well then... I can tell by looking at the vulnerable domains that this is working. Interestingly, the PDS scan may be identifying things my own tool has missed. Even if not, its ability to go ahead and try out 0.CL / CL.0 is super fancy. I suspect I'll submit a pull request when the time is right 😁
October 28, 2025 at 12:17 PM
Well then... I can tell by looking at the vulnerable domains that this is working. Interestingly, the PDS scan may be identifying things my own tool has missed. Even if not, its ability to go ahead and try out 0.CL / CL.0 is super fancy. I suspect I'll submit a pull request when the time is right 😁
I often end up re-watching research presentations because I'm terrible at absorbing new information the first time around. This has so often given me a new lead or idea for a tweak in my tooling, that I often re-watch them on a whim even when I'm fairly sure I've understood 100% of the content.
October 26, 2025 at 10:17 AM
I often end up re-watching research presentations because I'm terrible at absorbing new information the first time around. This has so often given me a new lead or idea for a tweak in my tooling, that I often re-watch them on a whim even when I'm fairly sure I've understood 100% of the content.
Expect is the gift that just keeps on giving. It's almost never consistent, but it's almost always interesting behaviour...
October 23, 2025 at 7:27 AM
Expect is the gift that just keeps on giving. It's almost never consistent, but it's almost always interesting behaviour...
Reposted by Thomas Stacey
Found an XSS but got blocked by the CSP?
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
October 21, 2025 at 9:16 AM
Found an XSS but got blocked by the CSP?
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
For every BB response that is a bit sad. There's a program that pays out, and is happy to help support your research presentation by being name-dropped. Super hyped for this one!
October 21, 2025 at 6:56 AM
For every BB response that is a bit sad. There's a program that pays out, and is happy to help support your research presentation by being name-dropped. Super hyped for this one!
Reposted by Thomas Stacey
The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...
DEF CON 33 - HTTP 1 1 Must Die! The Desync Endgame - James 'albinowax' Kettle
YouTube video by DEFCONConference
www.youtube.com
October 17, 2025 at 10:20 AM
The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...
Reposted by Thomas Stacey
Want to learn how to craft payloads like these?
Read JavaScript for Hackers to master creative XSS techniques and understand exactly why they work.
🧠 Learn to think like a hacker
⚡ Master the art of payload design
Grab your copy 👉 www.amazon.com/JavaScript-h...
Read JavaScript for Hackers to master creative XSS techniques and understand exactly why they work.
🧠 Learn to think like a hacker
⚡ Master the art of payload design
Grab your copy 👉 www.amazon.com/JavaScript-h...
October 14, 2025 at 11:17 AM
Want to learn how to craft payloads like these?
Read JavaScript for Hackers to master creative XSS techniques and understand exactly why they work.
🧠 Learn to think like a hacker
⚡ Master the art of payload design
Grab your copy 👉 www.amazon.com/JavaScript-h...
Read JavaScript for Hackers to master creative XSS techniques and understand exactly why they work.
🧠 Learn to think like a hacker
⚡ Master the art of payload design
Grab your copy 👉 www.amazon.com/JavaScript-h...
Reposted by Thomas Stacey
Last chance to catch "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" at the NDC Conference, Manchester. Join me and see just how wild the email RFCs really are.
portswigger.net/research/tal...
portswigger.net/research/tal...
October 13, 2025 at 9:00 AM
Last chance to catch "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" at the NDC Conference, Manchester. Join me and see just how wild the email RFCs really are.
portswigger.net/research/tal...
portswigger.net/research/tal...
Reposted by Thomas Stacey
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...
RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame
YouTube video by Cyber Saiyan
www.youtube.com
October 8, 2025 at 2:16 PM
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...
Reposted by Thomas Stacey
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
October 7, 2025 at 2:55 PM
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
I cannot get over how bonkers the HEAD technique is in relation to desync vulns. I've never gotten a chance to use it in a real-word situation, but finally had a chance this week. Not only does it produce some serious impact, it also just looks incomprehensibly cool when it finally works.
October 3, 2025 at 1:28 PM
I cannot get over how bonkers the HEAD technique is in relation to desync vulns. I've never gotten a chance to use it in a real-word situation, but finally had a chance this week. Not only does it produce some serious impact, it also just looks incomprehensibly cool when it finally works.
Correction the issue was cross-domain related. BUT fetch followed by a location change now doesn't reuse a connection... Both requests are towards the same domain.
Why would chrome not reuse a connection when two requests are triggered from a script, but WILL reuse a connection when it's all done via the console! Same script, just with <script> tags breaks things...
October 1, 2025 at 2:19 PM
Correction the issue was cross-domain related. BUT fetch followed by a location change now doesn't reuse a connection... Both requests are towards the same domain.