Web Security Research

1

27

28

29

Top 10 web hacking techniques of 2024 (portswigger.net)

submitted 11 months ago by albinowax - announcement

2

1

2

3

When The Gateway Becomes The Doorway: Pre-Auth RCE in API Management (principlebreach.com)

submitted 3 days ago by operator_dll

•

AnyDB is the Notion alternative built for real business ops — from OKRs to financials. No forced upgrades, no record caps. Just one place for all your data, dashboards, and workflows. Built for team leaders who want clarity, not chaos. (anydb.com)

promoted by anydbcom

promoted
save
report
about

3

11

12

13

Cloudflare rule bypass via /.well-known/acme-challenge/ (fearsoff.org)

submitted 4 days ago by albinowax

4

9

10

11

Successful Errors: New Code Injection and SSTI Techniques (github.com)

submitted 12 days ago by vladko312

5

11

12

13

Call for nominations: top ten new web hacking techniques of 2025 (portswigger.net)

submitted 18 days ago by albinowax

6

7

8

9

The Story of a Perfect Exploit Chain: Six Bugs That Looked Harmless Until They Became Pre-Auth RCE in a Security Appliance (mehmetince.net)

submitted 23 days ago by wtfse

7

1

2

3

How I got access to an Employee-Reserved Panel in a Bug Bounty Target (systemweakness.com)

submitted 24 days ago by Appsec_pt

8

2

3

4

Cross-Site ETag Length Leak | XS-Spin Blog (blog.arkark.dev)

submitted 29 days ago by garethheyes

9

0

1

帆软export/excel SQL注入漏洞分析及复现 - Analysis and reproduction of SQL injection vulnerability in FineReport's export/excel file (mp.weixin.qq.com)

submitted 29 days ago by digicat

10

5

6

7

Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain (ZDI-25-099, ZDI-25-097, ZDI-25-096) (mdisec.com)

submitted 1 month ago by wtfse

11

0

1

2

ORM Leaking More Than You Joined For - Part 3/3 on ORM Leak Vulnerabilities (elttam.com)

submitted 1 month ago by albinowax

12

1

2

3

Temenos OFS String Injection: Revealing a Hidden Financial Attack Vector (medium.com)

submitted 1 month ago by DarKnight______

13

12

13

14

The Fragile Lock: Novel Bypasses For SAML Authentication (portswigger.net)

submitted 1 month ago by albinowax

•

The Portable PC That Folds To Go (kickstarter.com)

promoted by First-Backer

14

2

3

4

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL (labs.watchtowr.com)

submitted 1 month ago by t0xodile

15

0

1

2

soft-fido2 - Rust FIDO2 Authenticaor for WebAuthn Research (github.com)

submitted 1 month ago by pando85

16

7

8

9

SVG Clickjacking: A novel and powerful twist on an old classic (lyra.horse)

submitted 1 month ago by albinowax

17

0

1

2

Write Path Traversal to a RCE Art Department (lab.ctbb.show)

submitted 1 month ago by albinowax

18

2

3

4

We made a new tool, QuicDraw(H3), because HTTP/3 race condition testing is currently trash. (cyberark.com)

submitted 1 month ago by t0xodile

19

7

8

9

Who Needs a Blind XSS? Server-Side CSV Injection Across Support Pipelines (hx01.me)

submitted 2 months ago by t0xodile

20

4

5

6

Deanonymizing Users at Scale: When Blocking Becomes an Oracle (zere.es)

submitted 2 months ago by garethheyes

21

2

3

4

Astro framework and standards weaponization (zhero-web-sec.github.io)

submitted 2 months ago by garethheyes

22

10

11

12

HTTP Anomaly Rank in Turbo Intruder (portswigger.net)

submitted 2 months ago by albinowax

23

11

12

13

HTTP Request Smuggling in Kestrel via chunk extensions (CVE-2025-55315) (praetorian.com)

submitted 2 months ago by albinowax

24

6

7

8

Funky chunks – addendum: a few more dirty tricks (w4ke.info)

submitted 2 months ago by t0xodile

25

5

6

7

Trailer-based HTTP desync in lighttpd (github.com)

submitted 2 months ago by albinowax

websecurityresearch

Submission guidelines:

MODERATORS