Hacking Techniques

Top 10 web hacking techniques of 2023

Portswigger's yearly TOP10 hacking techniques is a collection of the top writeups of the year. I make sure to read all the articles from the top 10 but also, I don't forget about the nominations list - I try to read the most interesting ones from there, too....

37C3 – Breaking “DRM” in Polish trains

This talk isn’t about bug bounty. It isn’t even about the web. But it’s such a cool hacking story. In short, suspiciously, some trains in Poland were not working properly and the company that was using them hired hackers from the Dragon Sector CTF team. They reversed...

Content-Type shenanigans

Parsing of the Content-Type header isn’t straightforward at all yet it can be crucial for some bug classes. Mathias Karlsson published a nice writeup where he described some techniques we can use when we control a suffix of this response header....

Even more ways to bypass URL validation

While I was reading this tweet from Justin Gardner about leaking Oauth codes, I found a cool research paper in a reply by SickSec. The paper was about URL validations and I didn’t think I will find something new. But I have. For example, these two bypasses I wasn’t...

Hacking Salesforce-backed WebApps

I know for a fact that Salesforce is properly complex and hard to secure. On the other hand, however, you need to know a lot of Salesforce-specific things to hack it well. From this blogpost, you can learn how are IDs created, why they are not as random as they look,...

XSS attacks via Content sniffing

In short, content sniffing is a bug that causes the browser to interpret a response without a content-type header as HTML. This vulnerability can be exploited to smuggle XSS payloads in files like images. I was aware of this issue and had found a few XSS...

Good Web Security course for beginners

People often ask me for recommendations on a good introductory web security book or resource. While I learned from the legendary “Web Application Hacker's Handbook”, it was already out-of-date by 2017, so I hesitate to recommend it today. A course from Stanford...

Top 10 web hacking techniques of 2022

The results of the Top 10 web hacking techniques of 2022 are here! If I were only restricted to reading 10 web hacking articles per year, I would choose these ones. This is the final list: 1 - Account hijacking using dirty dancing in sign-in OAuth-flows 2 -...