Zak Fedotkin All thought are mine and mine alonehttps://bsky.app/profile/zakfedotkin.bsky.socialhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3m7ieyaslvc2zThe Fragile Lock: Novel Bypasses for SAML Authentication will premiere this Wednesday at 10:20 at Black Hat Europe! I'll show you how to chain XML parser quirks to achieve complete authentication bypasses on multiple popular libraries #BHEU @blackhatevents.bsky.social08 Dec 2025 15:49 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3m7ieyaslvc2zhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3m62vagikgs2bI am very proud of this h1 achievement!20 Nov 2025 13:37 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3m62vagikgs2bhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3m2mf2utytk2xI’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social07 Oct 2025 14:55 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3m2mf2utytk2xhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lyzufuwsds2cDive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster. The blog post is live! Read it here: https://portswigger.net/research/websocket-turbo-intruder-nbsp-unearthing-the-websocket-goldmine17 Sep 2025 12:44 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lyzufuwsds2chttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lyl37pksrk24WebSocket security testing is so painful that this ever -expanding attack surface is largely overlooked. Learn how to dive where others fear to tread with WebSocket Turbo Intruder. Join me live on Sept 17 at 4PM (GMT+1) https://discord.gg/portswigger?event=141064041764041531211 Sep 2025 15:36 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lyl37pksrk24https://bsky.app/profile/zakfedotkin.bsky.social/post/3lxwv5pbpwc2lWe've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes03 Sep 2025 14:54 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lxwv5pbpwc2lhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lus6st4xx223I love discrepancies so much that I decided to introduce them to my nickname too @d4d89704243.bsky.social → @zakfedotkin.bsky.social Because why be consistent when you can keep people guessing?25 Jul 2025 13:48 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lus6st4xx223https://bsky.app/profile/zakfedotkin.bsky.social/post/3lsjbqumzck2rThrilled to announce: I’ll be presenting a major new version of WebSocket Turbo Intruder at Black Hat Arsenal 2025! This open-source toolkit makes high-speed, advanced WebSocket attacks practical and painless.26 Jun 2025 13:56 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lsjbqumzck2rhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lqahlofwc22nActive Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store28 May 2025 14:56 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lqahlofwc22nhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lolk6p3dik2yI'm thrilled to announce my talk "Cookie Chaos: Exploiting Parser Discrepancies" at @steelcon.info ! Catch it live in Sheffield, or later on YoutTube. Check out the full abstract here: https://portswigger.net/research/talks?talkId=30 https://portswigger.net/research/talks?talkId=30@steelcon.info07 May 2025 13:51 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lolk6p3dik2yhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lnzt4tfcm22xThink you’ve seen every OS command injection trick? Think again, read our latest blog post! Link in the comments👇30 Apr 2025 12:44 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lnzt4tfcm22xhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lknwqx5wls2yI’m excited to introduce Namespace Confusion, a novel attack discovered during Gareth's and mySAML Roulette: The Hacker Always Wins research. We uncovered a brutal attack on XML signature validation that destroys authentication in Ruby-SAML! [contains quote post or other embedded content]18 Mar 2025 15:01 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lknwqx5wls2yhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3ljn3uzv7u22zToday's update to the URL Validation Bypass Cheat Sheet includes a new trick: bypassing domain allow lists using a full URL in the query, submitted by Alexis Hapiot! This idea came after our previous update from @dyak0xdb, which sparked great discussions! More updates are live. Link in the reply 👇05 Mar 2025 13:35 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3ljn3uzv7u22zhttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lhiqvfx2mk2wWe've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!06 Feb 2025 09:17 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lhiqvfx2mk2whttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lgdnf6nb6c2gHot out of the oven! The Cookie Sandwich – a technique that lets you bypass the HttpOnly protection! This isn't your average dessert; it’s a recipe for disaster if your app isn’t prepared: https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique22 Jan 2025 15:06 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lgdnf6nb6c2ghttps://bsky.app/profile/zakfedotkin.bsky.social/post/3ldqj77hbms2oNew in SignSaboteur v1.0.6! Now supports Ruby on Rails Encrypted Cookies: - Brute force secret keys - Decrypt cookie values Update now:20 Dec 2024 13:40 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3ldqj77hbms2ohttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lcihjmv5js2cI really liked how this research turned out. I hope you did too. [contains quote post or other embedded content]04 Dec 2024 15:24 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lcihjmv5js2chttps://bsky.app/profile/zakfedotkin.bsky.social/post/3lbwt6luxqc2nHi, Blue Sky! I am a web security researcher at PortSwigger. You can find my latest researches and tools at https://portswigger.net/research/zakhar-fedotkin27 Nov 2024 15:04 +0000at://did:plc:ipjbzqbe5op5xmlcojtyeqzr/app.bsky.feed.post/3lbwt6luxqc2n