The Black Cat
theblackcat-13.bsky.social
Reposted by The Black Cat
HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
youtu.be/BAZ-z2fA8E4
HTTP is supposed to be stateless...
YouTube video by PortSwigger
October 22, 2025 at 2:06 PM
Reposted by The Black Cat
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
September 3, 2025 at 2:54 PM
Reposted by The Black Cat
The recording for my latest research has been released! If you prefer to listen rather than read, now is your chance.

P.S. It may be worth listening to it at a slower speed due to my tendency to talk at the speed of light...
The Single-Packet Shovel: Digging For Desync-Powered Request Tunnelling - Thomas Stacey
YouTube video by Bsides Exeter
September 11, 2025 at 3:19 PM
Reposted by The Black Cat
Bug bounties ain't just web. Throwback to when @kernelpaniek and I got RCE on Steam Client via a buffer overflow in Server Browser 🚨

Here's how it went down 👇
May 5, 2025 at 9:02 AM
Reposted by The Black Cat
Hot out of the oven! The Cookie Sandwich – a technique that lets you bypass the HttpOnly protection! This isn't your average dessert; it’s a recipe for disaster if your app isn’t prepared: portswigger.net/research/ste...
Stealing HttpOnly cookies with the cookie sandwich technique
In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie
January 22, 2025 at 3:06 PM
Reposted by The Black Cat
Here's how to use the XSS fuzz type to fuzz URLs. The trick is to use a base tag to get round the sandbox restrictions. This shows characters allowed before slashes which result in an external URL:

shazzer.co.uk/vectors/6789...
Characters allowed before slashes which result in an external URL - Shazzer
This is an example of how you can use the XSS type to fuzz URLs. This one fuzzes characters before double slashes. It uses a base tag to get round the sandboxed iframe problems.
January 16, 2025 at 7:12 PM
Reposted by The Black Cat
A small code-golf web challenge (free research from you, for me): how short can you make a "fetch content and execute it inline"?

There is a CSP in a meta tag.
Goal: get the content from the file hack.js and have it inserted in the page, like in the image.

joaxcar.com/xss/self.html
December 12, 2024 at 1:00 PM
Reposted by The Black Cat
There's no doubt that AI is taking bug bounty hunting to the next level.

Check out the full blog by Ben Lampere for tips, tricks, and tools to supercharge your bug bounty game ➡️ blog.ethiack.com/blog/superch...

Stay tuned for more in the Hacking with AI series! 👀

#bugbounty #ethiack
Super-charging Bug Bounty Hunting with the Power of AI
Discover how AI-driven tools supercharge bug bounty hunting. Boost reconnaissance, streamline vulnerability exploitation, and enhance reporting.
January 17, 2025 at 12:23 PM
Reposted by The Black Cat
Great paper from Orange Tsai about Unicode transformations: worst.fit/assets/EU-24...
December 31, 2024 at 3:18 PM
Reposted by The Black Cat
Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
December 4, 2024 at 3:17 PM
Reposted by The Black Cat
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties
Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...
November 26, 2024 at 11:57 PM
Reposted by The Black Cat
If you like bounties, I highly recommend this presentation from Martin Doyhenard on novel web cache deception techniques. It comes with Web Security Academy labs too!
www.youtube.com/watch?v=70yy...
DEF CON 32 - Gotta Cache ‘em all bending the rules of web cache exploitation - Martin Doyhenard
YouTube video by DEFCONConference
November 26, 2024 at 2:33 PM