Ansar Uddin

Chained CSPT into full account takeover using a 2FA bypass technique I hadn't seen used in bug bounty before. whoareme.com/blog/cspt-acco…

We got frustrated with dealing with vendor dependencies when reverse engineering large applications. @ITSecurityguard from @SLCyberSec’s Sec Research Team built Hyoktesu to solve this problem forever: github.com/assetnote/hyok… - releasing this today! Blog: slcyber.io/research-cente…

Today, we’re releasing watchTowr Labs’ @chudyPB’s BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances. labs.watchtowr.com/soapwn-pwning-…

📞 Microsoft fixed an authenticated RCE in Windows Telephony Service (CVE-2026-20931), discovered by our researcher Sergey Bliznyuk @justbronzebee Read the write-up: swarm.ptsecurity.com/whos-on-the-li…

@assetnote @SLCyberSec My work on the novel SSRF technique that landed a critical payout at a Live Hacking Event: slcyber.io/assetnote-secu…

This is your last chance to nominate research for the top ten web hacking techniques of 2025! Nominations close at 0800 UTC tomorrow. Form linked below.

Oracle has patched two new critical CVEs (CVE-2025-53072 & CVE-2025-62481) in the Marketing Administration component of Oracle E-Business Suite. Given the recent Cl0p activity, exploitation is likely. Patch ASAP. Need help assessing exposure? watchTowr.com

As a homage to the work of @Blaklis_, our Security Researcher @softpoison_ debuts his first research post on reverse engineering a critical unauthenticated RCE in Magento (SessionReaper) CVE-2025-54236 at @SLCyberSec: slcyber.io/assetnote-secu…

The watchTowr team has broken down the Oracle EBS unauth RCE exploit chain (tagged as CVE-2025-61882). Important to note: it is not one vulnerability, but multiple chained together. As always, we'll share more soon.

My favourite finding from @SLCyberSec's Security Research team in 2025 so far is a secondary context path traversal in Omnissa Workspace One UEM (CVE-2025-25231). Really interesting bug, and fun kill chain to RCE. slcyber.io/assetnote-secu…

At @defcon, I presented my research on client-side deanonymization attacks in @Google's Privacy Sandbox! Privacy research doesn't get as much attention, but ad-tech is increasingly embedded in everything - it's all about your attention and data. spaceraccoon.dev/client-side-de…

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

Sometimes, SQL injection is still possible, even when prepared statements are being used. Our researcher @hash_kitten has written up a blog post about a novel technique for SQL Injection in PDO’s prepared statements: slcyber.io/assetnote-secu…

New blog post with @infosec_au: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here: samcurry.net/hacking-subaru

During @x3ctf, I discovered an unintended solution that turned out to be a pretty cool generic technique. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests! Check out the writeup below: jorianwoltjer.com/blog/p/ctf/x3c…

Introducing the Cookie Sandwich, a tasty technique to steal HttpOnly cookies using legacy RFC features: portswigger.net/research/steal…

From HTTP request to ROP chain in Node.js! 🔥 Our latest blog post explains how to turn a file write vulnerability in a Node.js application into RCE – even though the target's file system is read-only: sonarsource.com/blog/why-code-…

Excited to release my latest research today. Exploiting CORS can be a tricky in modern web apps, but there are still critical cases out there if you know what to look for. If you want to learn more about CORS exploitation, the research is available at outpost24.com/blog/exploitin…

Love a good client-side exploit chain! This crazy cross-product chain targeting Google by @rebane2001 is a great example of the type of exploit that gets easier the longer you spend targeting a single company lyra.horse/blog/2024/09/u…

Couldn't make @garethheyes Splitting the Email Atom event earlier this week? We'll be sharing the recording on our Discord next week. 👀 Make sure you've joined the official PortSwigger Discord 👉 discord.com/invite/portswi…