サクサク読めて、アプリ限定の機能も多数!
トップへ戻る
WWDC24
portswigger.net
Published: 11 October 2018 at 14:40 UTC Updated: 05 January 2021 at 14:10 UTC The verdict is in! Following 37 nominations whittled down to a shortlist of 15 by a community vote, our panel of experts has conferred and selected the top 10 web hacking techniques of 2017 (and 2016). The panel consisted of myself, and distinguished researchers Gareth Heyes, Nicolas Grégoire, Frans Rosén, and Soroush Da
Published: 09 August 2018 at 23:20 UTC Updated: 02 October 2023 at 14:39 UTC AbstractWeb cache poisoning has long been an elusive vulnerability, a 'theoretical' threat used mostly to scare developers into obediently patching issues that nobody could actually exploit. In this paper I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery sys
#NoFilter UPDATE (26/7) In a blog post yesterday, Microsoft confirmed it is removing XSS Filter in Edge. “We are retiring the XSS Filter in Microsoft Edge beginning in today’s [Windows 10 Insider Preview] build,” the company said. “Our customers remain protected thanks to modern standards like Content Security Policy, which provide more powerful, performant, and secure mechanisms to protect agains
Published: 23 May 2018 at 14:00 UTC Updated: 23 June 2023 at 07:28 UTC Are you interested in pushing hacking techniques beyond the current state of the art and sharing your findings with the infosec community? In this post I’ll share some guidance on how to become a web security researcher, shaped by the opportunities and pitfalls I’ve experienced while pursuing this path myself. What is a web sec
Unearthing Z͌̈́̾a͊̈́l͊̿g̏̉͆o̾̚̚S̝̬ͅc̬r̯̼͇ͅi̼͖̜̭͔p̲̘̘̹͖t̠͖̟̹͓͇ͅ with visual fuzzing Published: 07 March 2018 at 15:46 UTC Updated: 02 June 2021 at 13:11 UTC This is valid JavaScript on Edge: ̀̀̀̀̀́́́́́̂̂̂̂̂̃̃̃̃̃̄̄̄̄̄̅̅̅̅̅̆̆̆̆̆̇̇̇̇̇̈̈̈̈̈̉̉̉̉̉̊̊̊̊̊ͅͅͅͅͅͅͅͅͅͅͅalert(̋̋̋̋̋̌̌̌̌̌̍̍̍̍̍̎̎̎̎̎̏̏̏̏̏ͅͅͅͅͅ1̐̐̐̐̐̑̑̑̑̑̒̒̒̒̒̓̓̓̓̓̔̔̔̔̔ͅͅͅͅͅ)̡̡̡̡̡̛̛̛̛̛̖̖̖̖̖̗̗̗̗̗̘̘̘̘̘̙̙̙̙̙̜̜̜̜̜̝̝̝̝̝̞̞̞̞̞̟̟̟̟̟̠̠̠̠̠̕̕̕̕̕̚̚̚̚̚ͅͅͅͅͅͅͅͅͅͅͅͅͅ
Published: 27 July 2017 at 00:30 UTC Updated: 09 March 2023 at 09:26 UTC Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been largely overlooked for years. In this paper, I'll show how to use malformed requests and esoteric headers to coax these system
Published: 31 May 2016 at 14:38 UTC Updated: 01 February 2021 at 11:33 UTC I was recently asked whether it was safe to store session tokens using Web Storage (sessionStorage/localStorage) instead of cookies. Upon googling this I found the top results nearly all assert that web storage is highly insecure relative to cookies, and therefore not suitable for session tokens. For the sake of transparenc
Published: 16 November 2015 at 11:25 UTC Updated: 14 June 2019 at 12:03 UTC At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a Cross-Site Scripting (XSS) vulnerability in [REDACTED], inside a hidden input element: <input type="hidden" name="redacted"
As we use reCAPTCHA, you need to be able to access Google's servers to use this function. Want faster, more reliable testing? Try Burp Suite Professional for free Speed up your testing - with powerful automated tools and workflows. Increase productivity - with features designed for busy workloads. Customize your experience - with Pro-specific BApps, a powerful API, and other user options.
Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities Published: 17 February 2015 at 15:48 UTC Updated: 10 February 2021 at 14:29 UTC Early last year Gareth Heyes unveiled a fascinating new technique for attacking web applications by exploiting path-relative stylesheet imports, and dubbed it ‘Relative Path Overwrite’. This attack tricks browsers into importing HTML pages
We're very pleased to announce that Burp is now integrated with the WebInspect vulnerability scanner, thanks to a new extension created by the WebInspect team. People who make use of both Burp and WebInspect can use this integration to share findings between the two products, and make your testing workflows more efficient. To use the integration, first install the WebInspect Connector extension fr
The latest release of Burp includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including: DOM-based XSSJavaScript injectionClient-side SQL injectionWebSocket hijackingLocal file path manipulationDOM-based open redirectionCookie manipulationAjax request header manipulationDOM-based denial of serviceWeb message manipulatio
The first draft of the new edition of WAHH is now completed, and the lengthy editing and production process is underway. Just to whet everyone's appetite, I'm posting below an exclusive extract from the Introduction, describing what has changed in the second edition. (And in a vain attempt to quell the tidal wave of questions: the book will be published in October; there won't be any more extracts
Deploying Enterprise Edition Preparing to deploy Burp Suite Enterprise Edition Scanning sites Create a new scan Troubleshooting Download logs, run diagnostics, and debug Contact Enterprise Edition support Talk to the experts
Hands-on web security testing Test, find, and exploit vulnerabilities faster with a complete suite of security testing tools.
Trusted by security professionals. Best-in-class software and learning for security engineers and penetration testers.
このページを最初にブックマークしてみませんか?
『Web Application Security, Testing, & Scanning - PortSwigger』の新着エントリーを見る
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く