Thomas Stacey
@t0xodile.com
Penetration tester trying to perform novel research. You can find all of my write-ups and research at https://thomas.stacey.se.
Pinned
Thomas Stacey
@t0xodile.com
· May 22
The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer inclu...
www.assured.se
Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling".
Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!
Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!
Reposted by Thomas Stacey
Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!
apply.workable.com/portswigger/...
apply.workable.com/portswigger/...
January 23, 2026 at 10:36 AM
Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!
apply.workable.com/portswigger/...
apply.workable.com/portswigger/...
We got our "bigmac" 🍔 AI machine up and running today! Time to find out if I can start using shadow-repeater every day 🔥
January 23, 2026 at 10:13 AM
We got our "bigmac" 🍔 AI machine up and running today! Time to find out if I can start using shadow-repeater every day 🔥
Reposted by Thomas Stacey
Cybersecurity in #MedTech is no longer something you "add later."
Under #MDR / #IVDR, security is a prerequisite for market access, not an optional feature.
When addressed too late, the result is rework, delays, or products that never make it to market.
Read more: www.assured.se/areas/medtec...
Under #MDR / #IVDR, security is a prerequisite for market access, not an optional feature.
When addressed too late, the result is rework, delays, or products that never make it to market.
Read more: www.assured.se/areas/medtec...
EU Tightens Cybersecurity Requirements for Medtech - MDR and IVDR
The EU is strengthening cybersecurity requirements in MDR and IVDR. Manufacturers must embed cybersecurity from the start, document processes, and ensure security throughout the entire device lifecycl...
www.assured.se
January 23, 2026 at 9:47 AM
Cybersecurity in #MedTech is no longer something you "add later."
Under #MDR / #IVDR, security is a prerequisite for market access, not an optional feature.
When addressed too late, the result is rework, delays, or products that never make it to market.
Read more: www.assured.se/areas/medtec...
Under #MDR / #IVDR, security is a prerequisite for market access, not an optional feature.
When addressed too late, the result is rework, delays, or products that never make it to market.
Read more: www.assured.se/areas/medtec...
Reposted by Thomas Stacey
🐛 Built a simple RSS reader called Feedworm that runs in DevTools and never phones home. Keep up with blogs and research without selling your data.
thespanner.co.uk/introducing-...
thespanner.co.uk/introducing-...
Introducing Feedworm: A Privacy-First RSS Reader That Lives in DevTools - The Spanner
I've been using RSS readers for years. They're the best way to keep up with blogs, news sites, and security research without being at the mercy of algorithmic feeds. But every time I found a reader I ...
thespanner.co.uk
January 22, 2026 at 12:11 PM
🐛 Built a simple RSS reader called Feedworm that runs in DevTools and never phones home. Keep up with blogs and research without selling your data.
thespanner.co.uk/introducing-...
thespanner.co.uk/introducing-...
Needed a custom hackvertor tag for reasons. IIRC there's this AI integration now right? **enter prompt**. Oh okay it works and I'm done. I suspect I've been sleeping on this... One of my favourite extensions atm.
January 21, 2026 at 3:03 PM
Needed a custom hackvertor tag for reasons. IIRC there's this AI integration now right? **enter prompt**. Oh okay it works and I'm done. I suspect I've been sleeping on this... One of my favourite extensions atm.
Reposted by Thomas Stacey
Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...
portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2025
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.
portswigger.net
January 15, 2026 at 3:29 PM
Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...
portswigger.net/polls/top-10...
On a whim I asked Gemini a ridiculously specific question. "Give me a response that has length X and is text/html for X proxy". And while it basically made up the answer (I assume) it still pointed me to a solution I've needed for months! I Guess trying "stupid ideas" can work for LLMs too.
January 10, 2026 at 1:20 PM
On a whim I asked Gemini a ridiculously specific question. "Give me a response that has length X and is text/html for X proxy". And while it basically made up the answer (I assume) it still pointed me to a solution I've needed for months! I Guess trying "stupid ideas" can work for LLMs too.
Reposted by Thomas Stacey
Kom och jobba med mig!
@assuredab.bsky.social söker nytt blod. Bland annat en säljansvarig för #securityengineering #allthecybers #cra #nis2 #dora #sdlc
www.assured.se/sv/jobb/ledi...
@assuredab.bsky.social söker nytt blod. Bland annat en säljansvarig för #securityengineering #allthecybers #cra #nis2 #dora #sdlc
www.assured.se/sv/jobb/ledi...
Ledig tjänst: Säljansvarig Security Engineering
Vi söker en teknisk konsultsäljare som vill ta ett större ansvar och vara med och bygga upp ett växande affärsområde inom utvecklingsnära säkerhet.
www.assured.se
January 8, 2026 at 8:34 AM
Kom och jobba med mig!
@assuredab.bsky.social söker nytt blod. Bland annat en säljansvarig för #securityengineering #allthecybers #cra #nis2 #dora #sdlc
www.assured.se/sv/jobb/ledi...
@assuredab.bsky.social söker nytt blod. Bland annat en säljansvarig för #securityengineering #allthecybers #cra #nis2 #dora #sdlc
www.assured.se/sv/jobb/ledi...
Reposted by Thomas Stacey
Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...
Top 10 web hacking techniques of 2025: call for nominations
Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te
portswigger.net
January 6, 2026 at 3:32 PM
Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...
Reposted by Thomas Stacey
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
Turning List-Unsubscribe into an SSRF/XSS Gadget
The List-Unsubscribe SMTP header is standardized but often overlooked during security assessments. It allows email clients to provide an easy way for end-users to unsubscribe from mailing lists.
This ...
security.lauritz-holtmann.de
December 23, 2025 at 7:38 AM
[Blog Post] Turning the List-Unsubscribe SMTP Header into an SSRF/XSS Gadget
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
security.lauritz-holtmann.de/post/xss-ssr...
Once again, ancient RFCs and overlooked security hot spots in specifications turned out to be worthwhile for security research.
Read the spec!
Reposted by Thomas Stacey
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
December 16, 2025 at 3:31 PM
Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.
Reposted by Thomas Stacey
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀
thespanner.co.uk/autovader
thespanner.co.uk/autovader
AutoVader - The Spanner
Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...
thespanner.co.uk
December 9, 2025 at 12:22 PM
Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀
thespanner.co.uk/autovader
thespanner.co.uk/autovader
Reposted by Thomas Stacey
When looking for postMessage vulnerabilities, the FancyTracker Firefox extension can be very useful.
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
November 25, 2025 at 12:03 PM
When looking for postMessage vulnerabilities, the FancyTracker Firefox extension can be very useful.
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
It has built-in syntax highlighting and sortes out duplicates. Check it out 👇
https://github.com/Zeetaz/FancyTracker-FF
And the original for Chrome: https://github.com/fransr/postMessage-tracker
Reposted by Thomas Stacey
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
github.com/rs/cors/issu...
github.com/rs/cors/issu...
With some CORS configurations, some handlers can introduce synchronisation bugs and cause data races · Issue #198 · rs/cors
Problem Presumably for performance, the library (v1.11.1 and some older versions) reuses some non-exported slice variables and struct field from one middleware call to the next: package-level var h...
github.com
November 21, 2025 at 7:44 PM
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
github.com/rs/cors/issu...
github.com/rs/cors/issu...
Desync issues are so finicky which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
November 20, 2025 at 9:47 AM
Desync issues are so finicky which is exceptionally fun. I really love the fact that at any point "you might be 1 byte away from a desync". However, you can also be a few hundred connections in turbo-intruder away from a desync as it turns out. If in doubt, (carefully) increase your connection pool.
Reposted by Thomas Stacey
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
Shadow Repeater v1.2.3 release - The Spanner
The new version of Shadow Repeater has been released with a couple of cool new features.
Timing differences
Shadow Repeater analyses your Repeater requests and looks for response differences but it wa...
thespanner.co.uk
November 18, 2025 at 12:59 PM
🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
It now detects response timing differences.
thespanner.co.uk/shadow-repea...
After the whole... Expect breaks the internet debacle (not that this is past tense, it clearly still does) I was pretty sure another header was gonna be useful for desync things... Today, I think I actually have an exploit that works specifically due to that header's weirdness. 🔥
November 13, 2025 at 3:53 PM
After the whole... Expect breaks the internet debacle (not that this is past tense, it clearly still does) I was pretty sure another header was gonna be useful for desync things... Today, I think I actually have an exploit that works specifically due to that header's weirdness. 🔥
Reposted by Thomas Stacey
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
youtu.be
November 11, 2025 at 2:49 PM
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
Reposted by Thomas Stacey
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
November 10, 2025 at 2:49 PM
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
Those who are monitoring academic research paper releases. How? Google scholar alerts seems okay? Trying to build-up my daily research consumption feeds. (Would be convenient if there was an RSS feed somewhere)
November 10, 2025 at 8:24 AM
Those who are monitoring academic research paper releases. How? Google scholar alerts seems okay? Trying to build-up my daily research consumption feeds. (Would be convenient if there was an RSS feed somewhere)
Reposted by Thomas Stacey
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!
github.com/CoreyD97/Ins...
github.com/CoreyD97/Ins...
Release Initial Release! · CoreyD97/InsiKt
Logger++ is dead, long live InsiKt!
It has been a long time since I first adopted Logger++ from @irsdl back in 2017. Since then I have left NCC Group and no longer have access to the repository, so...
github.com
November 8, 2025 at 7:44 PM
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!
github.com/CoreyD97/Ins...
github.com/CoreyD97/Ins...
Well then... I can tell by looking at the vulnerable domains that this is working. Interestingly, the PDS scan may be identifying things my own tool has missed. Even if not, its ability to go ahead and try out 0.CL / CL.0 is super fancy. I suspect I'll submit a pull request when the time is right 😁
October 28, 2025 at 12:17 PM
Well then... I can tell by looking at the vulnerable domains that this is working. Interestingly, the PDS scan may be identifying things my own tool has missed. Even if not, its ability to go ahead and try out 0.CL / CL.0 is super fancy. I suspect I'll submit a pull request when the time is right 😁
I often end up re-watching research presentations because I'm terrible at absorbing new information the first time around. This has so often given me a new lead or idea for a tweak in my tooling, that I often re-watch them on a whim even when I'm fairly sure I've understood 100% of the content.
October 26, 2025 at 10:17 AM
I often end up re-watching research presentations because I'm terrible at absorbing new information the first time around. This has so often given me a new lead or idea for a tweak in my tooling, that I often re-watch them on a whim even when I'm fairly sure I've understood 100% of the content.
Expect is the gift that just keeps on giving. It's almost never consistent, but it's almost always interesting behaviour...
October 23, 2025 at 7:27 AM
Expect is the gift that just keeps on giving. It's almost never consistent, but it's almost always interesting behaviour...