PortSwigger’s “Top 10 Web Hacking Techniques of 2025” shows where web attacks are headed, from side channels and protocol quirks to framework bugs and Unicode/SOAP tricks. Good read for Blue Teamers.

#AppSec #WebSecurity #BugBounty #Infosec 🔗 https://zurl.co/j3wBR

Two days ago, a proposal to add "unsafe-webtransport-hashes" to the Content Security Policy specification was merged.

https://github.com/w3c/webappsec-csp/issues/683
https://github.com/w3c/webappsec-csp/pull/791

Here is how I understand the proposal, based on reading it and the documentation for WebTransport. I'm by no means an expert on WebTransport - I had never heard of it before today.

WebTransport is intended to replace WebSockets; it allows a website to connect to a server over HTTP/3.

One feature of WebTransport is serverCertificateHashes, which is passed as an argument when creating a new socket.
serverCertificateHashes allows a website to bypass the normal public key infrastructure, instead telling the browser what certificates to trust.
It does this, as the name suggests, by providing the hashes of the certificates.

There is, of course, an inherent risk which comes with replacing the existing PKI with DIY. Allowing websites to restrict usage of this feature helps mitigate some of this risk.

This proposal builds on the existing connect-src CSP policy, which controls technologies like XHR, Fetch, etc.

If a website does not set connect-src in its Content Security Policy or doesn't have a CSP, then it can use serverCertificateHashes as it wishes.

However, if it sets connect-src, then serverCertificateHashes is disallowed.

That is where unsafe-webtransport-hashes comes into play. A website can allow specific certificates to be used with serverCertificateHashes by specifying the hashes of those certificates in unsafe-webtransport-hashes, which is part of the CSP and falls under connect-src.

So, as I understand it:

  • no CSP or no connect-src: can use any certificates in serverCertificateHashes
  • connect-src set but no unsafe-webtransport-hashes: cannot use any certificate in serverCertificateHashes
  • connect-src is set and contains unsafe-webtransport-hashes: only certificates allowlisted in the CSP are allowed for serverCertificateHashes, all others denied

All of this is based on reading the issue thread and doing a little background research. I probably got some of it, or all of it, wrong.
Point being: it is an interesting but very niche proposal.

#WebTransport #WebSecurity #ContentSecurityPolicy #CSP

Introduce new CSP keyword 'unsafe-webtransport-hashes' · Issue #683 · w3c/webappsec-csp


Wordfence Intelligence Weekly WordPress Vulnerability Report (February 2, 2026 to February 8, 2026)

Last week, 121 vulnerabilities were disclosed in 100 WordPress Plugins and 10 WordPress Themes.

Severity breakdown:
- Critical: 4
- High: 31
- Medium: 86

Review the report to ensure your site is not affected:

https://www.wordfence.com/blog/2026/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-february-2-2026-to-february-8-2026/

#WordPress #WebSecurity #Wordfence

WebSocket Penetration Testing: How to Test for WebSocket Hijacking, IDOR, Injection & More
This article discusses using the WSStrike extension in Burp Suite for comprehensive WebSocket penetration testing. The vulnerability class includes WebSocket hijacking, IDOR (Insecure Direct Object References), and injection attacks. The root cause lies in weak implementation of WebSocket security measures, such as lacking proper authentication or validation checks. Researchers exploited this by intercepting WebSocket traffic using WSStrike, injecting malicious payloads to manipulate application behavior. For instance, an IDOR issue was exposed when the researcher manipulated a user's session token to access another user's data. The technical details revolve around analyzing and interacting with WebSocket communication protocols and their security flaws. The impact of these vulnerabilities can range from unauthorized access to sensitive data, account takeover, or even complete system compromise. WSStrike helped reveal a bounty of $10,000 for finding multiple critical issues in a platform. To prevent such attacks, enforce strong authentication and authorization mechanisms, validate input data, and regularly audit WebSocket implementation. Key lesson: Always prioritize security when implementing WebSocket communication. #BugBounty #WebSecurity #WebSocket #IDOR #Injection

https://medium.com/@exploitersorigin/ws-strike-a-burp-suite-extension-for-websocket-penetration-testing-b2fe9676da07?source=rss------bug_bounty-5


The Logic Flaw That Leads to Total Control: Mastering Account Takeovers in 2026
This vulnerability falls under the Authentication Bypass class, specifically Logical Account Takeover. ZACK0X01's tutorial reveals that attackers can bypass multi-factor authentication (MFA) by exploiting subtle disconnects in authentication flows. The researcher manipulates responses and leverages Insecure Direct Object References (IDOR) to gain control of any user account. By observing patterns in error messages, the researcher found opportunities to intercept MFA codes or bypass MFA checks entirely. The critical severity (CVSS ~9.8) demonstrates the devastating impact: complete account takeover and unauthorized access to sensitive data. The tutorial offers actionable insights for finding this high-impact vulnerability class in web applications. Key lesson: Look beyond syntax errors, focus on business logic flaws to master account takeovers. #BugBounty #WebSecurity #AuthenticationBypass #IDOR #AccountTakeover

https://infosecwriteups.com/the-logic-flaw-that-leads-to-total-control-mastering-account-takeovers-in-2026-aecef6d30bd9?source=rss------bug_bounty-5


My Bug Bounty Tool Stack (2026 Edition)
In this article, the author discusses their essential tool stack for bug bounty hunting in 2026. The focus is on automating repetitive tasks to improve efficiency while maintaining an intuitive understanding of vulnerabilities. Essential tools include Burp Suite, ZAP (ZenMap & Active Scanner), Aquatone, Nuclei, and Amass. The researcher leverages Burp Suite for web application analysis, using its Proxy, Intruder, and Repeater modules to test for vulnerabilities such as SQL injection, XSS, and SSRF. ZAP (ZenMap & Active Scanner) helps discover network-related issues like open ports, misconfigured servers, and SSL/TLS weaknesses. Aquatone is used to visualize IP addresses associated with a target domain, which can aid in enumeration efforts. Nuclei provides a library of templates for automating vulnerability scanning against various CVEs. Amass uncovers subdomains, email addresses, and hosts related to a target domain, allowing the researcher to expand their attack surface. The author stresses the importance of staying updated on tools and techniques, as well as utilizing open-source intelligence (OSINT) for gathering information about targets. Key lesson: Efficient bug hunting requires a mix of automated and manual tools, combined with continuous learning and OSINT. #BugBounty #Cybersecurity #WebSecurity #Infosec #ToolStack

https://medium.com/bug-bounty-hunting-a-comprehensive-guide-in/my-bug-bounty-tool-stack-2026-edition-5bcd6d23928d?source=rss------bug_bounty-5

🚨 CVE-2026-1729 (CRITICAL): AdForest WordPress theme authentication bypass lets attackers log in as any user — including admin! All versions affected, no patch yet. Disable OTP login & deploy WAF rules ASAP. More: https://radar.offseq.com/threat/cve-2026-1729-cwe-306-missing-authentication-for-c-1533b53f #OffSeq #WordPress #CVE20261729 #WebSecurity

A critical arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) was discovered in the WPvivid Backup & Migration plugin, which is installed on over 800,000 WordPress sites.

The flaw allows unauthenticated attackers to upload arbitrary files, potentially achieving remote code execution and full site takeover.

Update to version 0.9.124. Wordfence Premium users received firewall protection on January 22.

https://www.wordfence.com/blog/2026/02/800000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-wpvivid-backup-wordpress-plugin/

#WordPress #WebSecurity #Wordfence

Beyond Login Screens: Why Access Control Matters

Understand the importance of access control in website security. Learn how to protect your data from common vulnerabilities.

Sucuri Blog