Making desync attacks easy with TRACE
Have you ever found an HTTP desync vulnerability that seemed impossible to exploit due to its complicated constraints?
Threat Intelligence Feed
Aggregating 4272 articles from trusted cybersecurity sources
Latest News
Using form hijacking to bypass CSP
In this post we'll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure configuration. What...
Top 10 web hacking techniques of 2023
Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web s...
Hiding payloads in Java source code strings
In this post we'll show you how Java handles unicode escapes in source code strings in a way you might find surprising - and how you can abuse them to concea...
Top 10 web hacking techniques of 2023 - nominations open
Update: The results are in!
Finding that one weird endpoint, with Bambdas
Security research involves a lot of failure.
Mozilla VPN Security Audit 2023
To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that ...
Blind CSS Exfiltration: exfiltrate unknown web pages
This is a gif of the exfiltration process (We've increased the speed so you're not waiting around for 1 minute). Read on to discover how this works.
The single-packet attack: making remote race-conditions 'local'
The single-packet attack is a new technique for triggering web race conditions.
How to build custom scanners for web security research automation
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundarie...
Version 2.9 of the Mozilla Root Store Policy
Online security is constantly evolving, and thus we are excited to announce the publication of MRSP version 2.9, demonstrating that we are committed to keep ...
Smashing the state machine: the true potential of web race conditions
For too long, web race condition attacks have focused on a tiny handful of scenarios.
Data Breaches
Luxury Cosmetics Giant Rituals Discloses Data Breach
The company is notifying My Rituals members that hackers downloaded part of their data, including names and addresses. The post Luxury Cosmetics Giant Ritual...
RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace
Leaked data from RAMP reveals Russia’s ransomware ecosystem, analyzing 1,732 threads, 7,707 users, and 340,000 IP records from the forum. RAMP was not just a...
Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled ...
Xinference PyPI Breach Exposes Developers to Cloud Credential Theft
A severe supply chain attack has compromised the popular Python package Xinference, exposing developers to massive data theft. Threat actors uploaded malicio...
Agoda refutes claims of massive data breach
Asia-centric booking platform Agoda has denied the alleged theft of 82 million records from its systems just a week after its parent firm Booking Holdings di...
Almost 600K reportedly impacted by separate US healthcare breaches
Three healthcare providers across the U.S.
Discord-Linked Group Accessed Anthropic’s Claude Mythos AI in Vendor Breach
Anthropic is investigating a vendor breach after a Discord-linked group accessed its Claude Mythos AI model, with no evidence of impact on core systems.
Adaptavist Group investigates security breach amidst ransomware claims
The breach was detected in late March when an attacker exploited compromised login details.
Cyberattack on French government agency triggers phishing alert
France Titres, a French government agency, has disclosed a data breach that may have exposed user data from its online portal. France Titres, also known as t...
Bluesky Back Online After DDoS Attack, as Iran-Linked 313 Team Takes Credit
Bluesky is back online after a roughly 24-hour DDoS attack disrupted services, with the Iran-linked 313 Team claiming responsibility and no data breach repor...
SEC cybersecurity disclosure rules: What security leaders must know
SEC rules require fast breach reporting and stronger cyber risk disclosures.
Vercel confirms April 2026 security incident linked to third-party AI tool
Cloud development platform Vercel has confirmed a security incident involving unauthorized access to parts of its internal systems, following a breach disclo...