
THE ASYNCHRONOUS PROBLEM Blind + background thread Nightly cronjob Blind + event-triggered Second order SQLi, command injection... Blind XSS Blind + no time delay Blind XXE, XPath...
Template injection can also arise by accident, when user input is simply concatenated directly into a template. This may seem slightly counter-intuitive, but it is equivalent to SQL Injection vulnerabilities …
Abstract PDF documents and PDF generators are ubiquitous on the web, and so are injection vulnerabilities. Did you know that controlling a measly HTTP hyperlink can provide a foothold into the …
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain …
Why join the hunt Obvious vulnerabilities are dwindling Evasive vulnerabilities are accumulating Becoming essential for high-value targets
While this feature is crucial for referencing any resource from a relative path, it's also the source of many vulnerabilities. It's possible to exploit dot-segment normalization by leveraging the discrepancies …
A partial history of desync attacks 2004: "HTTP Request Smuggling" – Watchfire (largely forgotten) 2016: "Hiding wookies in HTTP" – Regilero (largely ignored) 2019: Exploit header parser …
Cache Key Injection - Akamai Another classically unexploitable issue is client-side vulnerabilities affecting keyed headers, for example, XSS in the Origin header:
Hackability Created to test capabilities of unknown web rendering engines