Ridiculous, I love it 😂!
Posts by Thomas Stacey
@t0xodile.com and I submitted our latest research to the DEF CON 34 CFP, hopefully we get to present it on the big stage! But regardless, it's going to be a banger 🔥
The idea that you can go from "0.CL expect-detection v2: 0/200" to a full desync in minutes if the target lets you know that it's running IIS is absolutely bonkers...
Prepping CFPs this year has been a great feeling. Something about actually writing down everything we've discovered / built during research from tooling, novel techniques and even bounties gives you that perspective of what we've actually achieved... Mega excited for this one!
Love it when someone mentions a vuln class to you that sounds cool and then is suddenly applicable in your very next test!
SSRF blacklist bypass using DNS rebinding. The Single-packet attack continues to make my stupid race condition ideas a reality.
I'm making a habit of writing down literally any thought that suddenly pops into my head related to research leads. I'm finding it fun to laugh at my own ideas. But all of a sudden, I also have a long list of fun/interesting ideas to try before I need to panic about running out of ideas.
I do have a specific post in mind about something very related! That one actually produced results outside of my test.
This one is truly a terrible idea... but if it proves the concept... perhaps 😁
The fact that I can use Claude in the background to adjust custom tooling on the fly to test out relatively insane theories on the off chance they work, all without losing any measurable time for my actual test, is really, really powerful.
Spring is just around the corner, and that's when I offer online training courses on Burp Suite Pro 👨‍🏫 Two sessions are planned (in English and French), and there are still a few spots left in each.
Contact me to get an early-bird discount code! 💰
Our embedded security and cryptography expert Joachim Strömbergson guested a Swedish security podcast (Bli Säker @nikkasystems.com) and discussed Post Quantum Cryptography. Find our English summary and the link to the episode in our blog.
www.assured.se/posts/podcas...
#pqc #security #cryptography
Going here github.com/vladko312/Re... and implementing a selection / all of these into Backslash-Powered Scanner (or a custom scan check...) is probably very useful.
The real work comes from creating a safe but syntactically similar payload for the probe pair.
Bring back SSTI!
The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...
Yeah, this is the approach I am taking now, I think. New branch, let it implement something and then try to critique it somewhat or ask it about the implementation. If it can't be easily fixed or gets a bit insane, I can just kill the entire branch, worst case 😀. When it does work it's beautiful!
Interesting, I only just started using git with it but perhaps I'll hold off... Or at least be very careful 😅
Super impressed by it, having moved over from Gemini CLI recently. Are you doing anything particularly special, out of interest, in terms of dev usage? Multiple instances, or specific agents etc.? Just curious!
Got one of our most impactful cases re-opened and accepted after a quick email chain. Always happy to see programs supporting researchers in this way. Going to try writing my reports with a public disclosure section right at the top to see if this helps in these cases.
Spent a long time on a case over the last few weeks getting absolutely nowhere. Remember to try this, instant RQP... I must remember to take my own advice occasionally.
Celebrating 100 #security assessments, over 1000 findings, and over 2000 pages of #pentest reports in 2025!
www.assured.se/posts/100-se...
Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!
apply.workable.com/portswigger/...
We got our "bigmac" 🍔 AI machine up and running today! Time to find out if I can start using shadow-repeater every day 🔥
Cybersecurity in #MedTech is no longer something you "add later."
Under #MDR / #IVDR, security is a prerequisite for market access, not an optional feature.
When addressed too late, the result is rework, delays, or products that never make it to market.
Read more: www.assured.se/areas/medtec...
🐛 Built a simple RSS reader called Feedworm that runs in DevTools and never phones home. Keep up with blogs and research without selling your data.
thespanner.co.uk/introducing-...
Needed a custom Hackvertor tag for reasons. IIRC there's this AI integration now, right? **enter prompt**. Oh okay, it works and I'm done. I suspect I've been sleeping on this... One of my favourite extensions atm.
Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...
On a whim I asked Gemini a ridiculously specific question: "Give me a response that has length X and is text/html for X proxy". And while it basically made up the answer (I assume), it still pointed me to a solution I've needed for months! I guess trying "stupid ideas" can work for LLMs too.
Come and work with me!
@assuredab.bsky.social is looking for new blood. Among other roles, a sales manager for #securityengineering #allthecybers #cra #nis2 #dora #sdlc
www.assured.se/sv/jobb/ledi...
Maybe to search inside of encoded data? If I want to search a JSON blob that is also base64 encoded, it could be cool to simply write out the Hackvertor tag into a filter and have the filter process the result of that tag?
Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.