The Annual @portswiggerres.bsky.social Web Hacking Techniques Top 10 is now open for voting. If you believe my research "Permission Hijacking at Scale" adds value to the community, I'd be thankful for your vote.
portswigger.net/polls/top-10...
Posts by bubu
2026 has arrived. I'm exploring job opportunities and projects. Feel free to reach out.
pagedout.institute - we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... - direct link
lulu.com/search?page=... - prints for zine collectors
pagedout.institute/download/Pag... - issue wallpaper
Enjoy!
Please please please share to spread the news - thank you!
So: the matrix.org database secondary lost its FS due to a RAID failure earlier today (11:17 UTC). Then, we lost the primary at 17:26. We're trying to restore the primary DB FS (which could be fastish), while also doing a point-in-time backup restore from last night (which takes >10h).
Excited to share that I'll be speaking at #DefCampRO in November. See you there! 🇷🇴
That's me!
Thanks! I noticed this two months ago, and I thought they completely removed the option to see the source.
Yeah hahahahaha but from the full spec document, not including the header,
Firefox and Safari, IIRC, implement more or less the rest of stuff ;)
I completely agree, but are the standards that regulate the rest of specs that define a permission
I'll take a look, thanks :)
Btw, when do you plan to deploy PP header? xD
Hope Bluesky adds bookmarks soon. I can't wait to have hundreds of bookmarks I'll never read, while lying to myself that I will.
Handling Cookies is a Minefield:
Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.
grayduck.mn/2024/11/21/h...
From time to time I write about web/browser stuff here (albertofdr.github.io/web-security...) and post about CTF writeups (albertofdr.github.io/post/hkcert-...). That said, @ericlaw.bsky.social should definitely be on the list!
If you missed it, my #DEFCON talk "Exploiting the Unexploitable: Insights from the Kibana Bug Bounty" is now live on YouTube!
youtu.be/H-bhmSwnRdY
This one is also funny!
Introducing the 2024 Web Almanac, our annual "state of the web" report!
almanac.httparchive.org/en/2024/
21 chapters (11 publishing today, the rest to follow)
65 contributors for today's chapters (more to follow)
17M websites analyzed
83 TB of data processed
628 queries written