Thomas Stacey
t0xodile.com
Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.
Pinned
Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".

Desync vulnerabilities stemming from HTTP/2 downgrading continue to plague even the largest vendors, have a read to find out how!
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...
www.assured.se
The fact that I can use Claude in the background to adjust custom tooling on the fly to test out relatively insane theories on the off chance they work, all without losing any measurable time for my actual test, is really really powerful.
February 10, 2026 at 9:37 AM
Reposted by Thomas Stacey
Spring is just around the corner, and that's when I offer online training courses on Burp Suite Pro 👨‍🏫 Two sessions are planned (in English and French), and there are still a few spots left in each.

Contact me to get an early-bird discount code! 💰
Agarri
Training
hackademy.agarri.fr
January 31, 2026 at 12:31 PM
Reposted by Thomas Stacey
Our embedded security and cryptography expert Joachim Strömbergson guested a Swedish security podcast (Bli Säker @nikkasystems.com) and discussed Post Quantum Cryptography. Find our English summary and the link to the episode in our blog.
www.assured.se/posts/podcas...
#pqc #security #cryptography
Podcast Spotlight: The Threat from Quantum Computers
Our embedded security and cryptography expert Joachim Strömbergson guested a Swedish security podcast (Bli Säker) and discussed Post Quantum Cryptography.
www.assured.se
February 6, 2026 at 9:56 AM
Going here github.com/vladko312/Re... and implementing a selection / all of these into Backslash-Powered Scanner (or a custom scan check...) is probably very useful.

The real work comes from creating a safe but syntactically similar payload for the probe pair.

Bring back SSTI!
github.com
February 6, 2026 at 8:00 AM
Reposted by Thomas Stacey
The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...
Top 10 web hacking techniques of 2025
Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 5, 2026 at 3:40 PM
Got one of our most impactful cases re-opened and accepted after a quick email chain. Always happy to see programs supporting researchers in this way. Going to try writing my reports with a public disclosure section right at the top to see if this helps in these cases.
February 4, 2026 at 10:16 AM
Spent a long time on a case over the last few weeks getting absolutely nowhere. Remember to try this, instant RQP... I must remember to take my own advice occasionally.
Desync issues are so finicky, which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
February 1, 2026 at 12:41 PM
Reposted by Thomas Stacey
Celebrating 100 #security assessments, over 1000 findings, and over 2000 pages of #pentest reports in 2025!
www.assured.se/posts/100-se...
100 Security Assessments in One Year! Looking back at 2025
In 2025, Assured completed 100 security assessments covering many different industries and technologies. Here are the numbers, and what records we’re aiming to break in 2026.
www.assured.se
January 29, 2026 at 1:14 PM
Reposted by Thomas Stacey
Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

apply.workable.com/portswigger/...
January 23, 2026 at 10:36 AM
We got our "bigmac" 🍔 AI machine up and running today! Time to find out if I can start using shadow-repeater every day 🔥
January 23, 2026 at 10:13 AM
Reposted by Thomas Stacey
Cybersecurity in #MedTech is no longer something you "add later."
Under #MDR / #IVDR, security is a prerequisite for market access, not an optional feature.
When addressed too late, the result is rework, delays, or products that never make it to market.
Read more: www.assured.se/areas/medtec...
EU Tightens Cybersecurity Requirements for Medtech - MDR and IVDR
The EU is strengthening cybersecurity requirements in MDR and IVDR. Manufacturers must embed cybersecurity from the start, document processes, and ensure security throughout the entire device lifecycl...
www.assured.se
January 23, 2026 at 9:47 AM
Reposted by Thomas Stacey
🐛 Built a simple RSS reader called Feedworm that runs in DevTools and never phones home. Keep up with blogs and research without selling your data.

thespanner.co.uk/introducing-...
Introducing Feedworm: A Privacy-First RSS Reader That Lives in DevTools - The Spanner
I've been using RSS readers for years. They're the best way to keep up with blogs, news sites, and security research without being at the mercy of algorithmic feeds. But every time I found a reader I ...
thespanner.co.uk
January 22, 2026 at 12:11 PM
Needed a custom hackvertor tag for reasons. IIRC there's this AI integration now right? **enter prompt**. Oh okay it works and I'm done. I suspect I've been sleeping on this... One of my favourite extensions atm.
January 21, 2026 at 3:03 PM
Reposted by Thomas Stacey
Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2025
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.
portswigger.net
January 15, 2026 at 3:29 PM
On a whim I asked Gemini a ridiculously specific question. "Give me a response that has length X and is text/html for X proxy". And while it basically made up the answer (I assume), it still pointed me to a solution I've needed for months! I guess trying "stupid ideas" can work for LLMs too.
January 10, 2026 at 1:20 PM
Reposted by Thomas Stacey
Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...
Top 10 web hacking techniques of 2025: call for nominations
Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te
portswigger.net
January 6, 2026 at 3:32 PM
Reposted by Thomas Stacey
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget

security.lauritz-holtmann.de/post/xss-ssr...

Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.

Read the spec!
Turning List-Unsubscribe into an SSRF/XSS Gadget
The List-Unsubscribe SMTP header is standardized but often overlooked during security assessments. It allows email clients to provide an easy way for end-users to unsubscribe from mailing lists. This ...
security.lauritz-holtmann.de
December 23, 2025 at 7:38 AM
Reposted by Thomas Stacey
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
December 16, 2025 at 3:31 PM
Reposted by Thomas Stacey
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀

thespanner.co.uk/autovader
AutoVader - The Spanner
Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...
thespanner.co.uk
December 9, 2025 at 12:22 PM
Reposted by Thomas Stacey
When looking for postMessage vulnerabilities, the FancyTracker Firefox extension can be very useful.

It has built-in syntax highlighting and sorts out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF

And the original for Chrome: https://github.com/fransr/postMessage-tracker
November 25, 2025 at 12:03 PM
Reposted by Thomas Stacey
Desync issues are so finicky, which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
November 20, 2025 at 9:47 AM
Reposted by Thomas Stacey
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.

thespanner.co.uk/shadow-repea...
Shadow Repeater v1.2.3 release - The Spanner
The new version of Shadow Repeater has been released with a couple of cool new features. Timing differences Shadow Repeater analyses your Repeater requests and looks for response differences but it wa...
thespanner.co.uk
November 18, 2025 at 12:59 PM
After the whole... Expect breaks the internet debacle (not that this is past tense, it clearly still does) I was pretty sure another header was gonna be useful for desync things... Today, I think I actually have an exploit that works specifically due to that header's weirdness. 🔥
November 13, 2025 at 3:53 PM