d4d

@zakfedotkin

Zak Fedotkin. All thoughts are mine and mine alone

671 Followers · 102 Following · 26 Posts · Joined 27.11.2024

Latest posts by d4d @zakfedotkin

The Fragile Lock: Novel Bypasses for SAML Authentication will premiere this Wednesday at 10:20 at Black Hat Europe! I'll show you how to chain XML parser quirks to achieve complete authentication bypasses on multiple popular libraries #BHEU @blackhatevents.bsky.social

08.12.2025 15:49 👍 4 🔁 0 💬 0 📌 0

I am very proud of this h1 achievement!

20.11.2025 13:37 👍 8 🔁 1 💬 0 📌 0

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

07.10.2025 14:55 👍 26 🔁 6 💬 0 📌 0
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...

17.09.2025 12:44 👍 13 🔁 6 💬 0 📌 0
Join the PortSwigger Discord Server! A place where security professionals, hobbyists, and passionate Burp users can hang out, chat, and collaborate. | 12858 members

WebSocket security testing is so painful that this ever-expanding attack surface is largely overlooked. Learn how to dive where others fear to tread with WebSocket Turbo Intruder.
Join me live on Sept 17 at 4PM (GMT+1)

discord.gg/portswigger?...

11.09.2025 15:36 👍 4 🔁 1 💬 0 📌 0
Cookie Chaos: Exploiting Parser Discrepancies - Zack (YouTube video by SteelCon)

For a visual walk-through, see the @steelcon.info livestream recording: youtu.be/wxu1axAdPhw?...

03.09.2025 14:56 👍 4 🔁 2 💬 0 📌 0
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

03.09.2025 14:54 👍 12 🔁 14 💬 1 📌 0

I love discrepancies so much that I decided to introduce them to my nickname too @d4d89704243.bsky.social → @zakfedotkin.bsky.social

Because why be consistent when you can keep people guessing?

25.07.2025 13:48 👍 1 🔁 0 💬 0 📌 0
Post image
26.06.2025 14:00 👍 3 🔁 0 💬 0 📌 0

Thrilled to announce: I’ll be presenting a major new version of WebSocket Turbo Intruder at Black Hat Arsenal 2025! This open-source toolkit makes high-speed, advanced WebSocket attacks practical and painless.

26.06.2025 13:56 👍 9 🔁 3 💬 1 📌 0
Drag and Pwnd: Leverage ASCII characters to exploit VS Code Control characters like SOH, STX, EOT and ETX were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics

If you missed the original research, you can find it at portswigger.net/research/dra...

28.05.2025 15:00 👍 3 🔁 1 💬 0 📌 0

Active Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store

28.05.2025 14:56 👍 10 🔁 6 💬 1 📌 0
Upcoming Conference Talks - PortSwigger Research Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.

I'm thrilled to announce my talk "Cookie Chaos: Exploiting Parser Discrepancies" at @steelcon.info! Catch it live in Sheffield, or later on YouTube. Check out the full abstract here: portswigger.net/research/tal...

07.05.2025 13:51 👍 24 🔁 5 💬 0 📌 1

Thank you @agarri.fr fixed

01.05.2025 12:28 👍 2 🔁 0 💬 0 📌 0
Drag and Pwnd: Leverage ASCII characters to exploit VS Code Control characters like SOH, STX, EOT and EOT were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics

portswigger.net/research/dra...

30.04.2025 12:44 👍 7 🔁 1 💬 1 📌 0

Think you’ve seen every OS command injection trick?
Think again, read our latest blog post!
Link in the comments 👇

30.04.2025 12:44 👍 27 🔁 9 💬 1 📌 1

I’m excited to introduce Namespace Confusion, a novel attack discovered during Gareth's and my SAML Roulette: The Hacker Always Wins research. We uncovered a brutal attack on XML signature validation that destroys authentication in Ruby-SAML!

18.03.2025 15:01 👍 23 🔁 6 💬 0 📌 0
URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security Academy This cheat sheet contains payloads for bypassing URL validation. These wordlists are useful for attacks such as server-side request forgery, CORS ...

Check out the newest version here:
portswigger.net/web-security...

Null byte tricks:
portswigger.net/web-security...

05.03.2025 13:35 👍 3 🔁 1 💬 0 📌 0

Today's update to the URL Validation Bypass Cheat Sheet includes a new trick: bypassing domain allow lists using a full URL in the query, submitted by Alexis Hapiot!

This idea came after our previous update from @dyak0xdb, which sparked great discussions! More updates are live. Link in the reply 👇

05.03.2025 13:35 👍 19 🔁 5 💬 1 📌 0
URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security Academy This cheat sheet contains payloads for bypassing URL validation. These wordlists are useful for attacks such as server-side request forgery, CORS ...

Check it out here 👇
portswigger.net/web-security...

06.02.2025 09:18 👍 1 🔁 0 💬 0 📌 0

We've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!

06.02.2025 09:17 👍 28 🔁 9 💬 1 📌 0
GET /%0D%0ASet-Cookie: foo=bar
403 Forbidden

GET /%E4%BC%8D%E4%BC%8ASet-Cookie: foo=bar
200 OK
Set-Cookie: foo=bar

Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique.

portswigger.net/research/byp...

28.01.2025 14:01 👍 38 🔁 22 💬 0 📌 0
Stealing HttpOnly cookies with the cookie sandwich technique In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie

Hot out of the oven! The Cookie Sandwich – a technique that lets you bypass the HttpOnly protection! This isn't your average dessert; it’s a recipe for disaster if your app isn’t prepared: portswigger.net/research/ste...

22.01.2025 15:06 👍 34 🔁 13 💬 0 📌 4
Post image

Ruby secret_key_base can be decrypted from the credentials.yml.enc file using the following Java code:

20.12.2024 14:00 👍 1 🔁 0 💬 0 📌 0

New in SignSaboteur v1.0.6!
Now supports Ruby on Rails Encrypted Cookies:
- Brute force secret keys
- Decrypt cookie values
Update now:

20.12.2024 13:40 👍 8 🔁 2 💬 1 📌 0

I really liked how this research turned out. I hope you did too.

04.12.2024 15:24 👍 14 🔁 4 💬 1 📌 0
Researcher - Zakhar Fedotkin Zakhar Fedotkin is a security researcher at PortSwigger, known for his work in exploiting vulnerabilities in image processing libraries and HTTP clients.

Hi, Blue Sky! I am a web security researcher at PortSwigger. You can find my latest research and tools at portswigger.net/research/zak...

27.11.2024 15:04 👍 40 🔁 3 💬 0 📌 0