
presentations


Browser-Powered Desync Attacks

10 August 2022

Hunting evasive vulnerabilities

13 May 2022

HTTP/2: The Sequel is Always Worse

05 August 2021

Portable Data exFiltration: XSS for PDFs

10 December 2020

Web Cache Entanglement

05 August 2020

HTTP Desync Attacks: Request Smuggling Reborn

07 August 2019

Turbo Intruder: Embracing the billion-request attack

25 January 2019

Practical Web Cache Poisoning

Redefining 'unexploitable'

09 August 2018

Hackability inspector

06 July 2018

Cracking the lens: targeting HTTP's hidden attack-surface

27 July 2017

DOM based AngularJS sandbox escapes

11 May 2017

JSON hijacking for the modern web

25 November 2016

Backslash Powered Scanning: hunting unknown vulnerability classes

04 November 2016

Exploiting CORS misconfigurations for Bitcoins and bounties

14 October 2016

Hunting asynchronous vulnerabilities

15 September 2015

Server-Side Template Injection

05 August 2015