Critical Thinking - Bug Bounty Podcast

Episode 163: Best Technical Takeaways from Portswigger Top 10 2025

Feb 26, 2026
A fast tour of the PortSwigger Top 10 web hacking techniques for 2025. They unpack parser differential quirks such as YAML tags and duplicate headers. Deep dives cover XS-Leaks via cross-origin redirects and HTTP/2 CONNECT port scanning. There are clear breakdowns of Next.js cache poisoning, SOAPwn .NET quirks, ETag length leaks, Unicode normalization attacks, ORM injection leaks, novel SSRF redirect chains, and new SSTI error tricks.
ANECDOTE

Hosts Immediately Ran Claude Code And Found Real Bugs

  • Both hosts ran Claude Code immediately after reading the parser differential research and found exploitable issues in live targets.
  • Example: Joseph and Rhynorater kicked off automated tests; Rhynorater's Claude Code run returned PII and surfaced a bug while he was still reading the talk.
ADVICE

Block HTTP/2 CONNECT Or Treat It As SSRF Risk

  • Check whether your targets accept HTTP/2 CONNECT, and block or harden it if it is not needed.
  • Example: Because each HTTP/2 CONNECT stream opens its own tunnel, a server that accepts it can be driven to open many TCP connections to arbitrary host:port pairs in parallel. That turns the server into a port scanner for internal hosts and, in effect, an SSRF proxy.
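The check above, as an added example that is not code from the episode or from the research it discusses: a stdlib-only Python probe that hand-builds the HTTP/2 client preface plus a CONNECT request for a chosen host:port, and reads the server's reply as a port-scan oracle (2xx HEADERS means the tunnel was opened, a 5xx or RST_STREAM means it was not). The frame layout and the :status entries of the HPACK static table come from RFC 9113 and RFC 7541; the `probe` function, the verdict strings and the constructed replies in the usage notes are this example's own, not a real tool's output.

```python
"""Probe whether an HTTP/2 endpoint honours CONNECT, and read the reply as a
port-scan oracle. Frames are built by hand; only the slice of HPACK needed to
recover :status is decoded (RFC 9113 framing, RFC 7541 static table)."""
import socket
import ssl
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HEADERS, RST_STREAM, SETTINGS, GOAWAY = 0x1, 0x3, 0x4, 0x7
END_HEADERS, PADDED, PRIORITY = 0x4, 0x8, 0x20
# HPACK static-table entries carrying a :status value; index 8 is also the bare
# ":status" name used by literal representations such as "502".
STATIC_STATUS = {8: "200", 9: "204", 10: "206", 11: "304", 12: "400", 13: "404", 14: "500"}


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """9-byte header (24-bit length, type, flags, 31-bit stream id) + payload."""
    return struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload


def hpack_literal(name: bytes, value: bytes) -> bytes:
    """Literal header field without indexing, new name, no Huffman (RFC 7541 6.2.2)."""
    assert len(name) < 127 and len(value) < 127, "single-byte length prefixes only"
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


def build_connect(authority: str, stream_id: int = 1) -> bytes:
    """Client preface, empty SETTINGS, then a CONNECT request on one stream.
    RFC 9113 8.5: CONNECT carries only :method and :authority (host:port)."""
    block = hpack_literal(b":method", b"CONNECT") + hpack_literal(b":authority", authority.encode())
    return PREFACE + frame(SETTINGS, 0, 0, b"") + frame(HEADERS, END_HEADERS, stream_id, block)


def parse_frames(data: bytes):
    """Split raw HTTP/2 bytes into (type, flags, stream_id, payload); a trailing partial frame is dropped."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def hpack_status(block: bytes):
    """Return the :status value from a header block, or None. Handles indexed fields
    and literals with a static-table name; multi-byte HPACK integers and Huffman
    values are not decoded (they are rare for a bare status code)."""
    i = 0
    while i < len(block):
        b = block[i]
        if b & 0x80:                      # indexed header field
            if (b & 0x7F) in STATIC_STATUS:
                return STATIC_STATUS[b & 0x7F]
            i += 1
            continue
        if b & 0x40:                      # literal with incremental indexing
            idx, i = b & 0x3F, i + 1
        elif b & 0x20:                    # dynamic table size update
            i += 1
            continue
        else:                             # literal without indexing / never indexed
            idx, i = b & 0x0F, i + 1
        if idx == 0:                      # new name follows: skip its length byte and bytes
            i += 1 + (block[i] & 0x7F)
        huffman, vlen = block[i] & 0x80, block[i] & 0x7F
        value = block[i + 1:i + 1 + vlen]
        i += 1 + vlen
        if idx == 8 and not huffman:
            return value.decode("ascii", "replace")
    return None


def classify(response: bytes, stream_id: int = 1) -> str:
    """Turn the server's reply to the CONNECT probe into a verdict about the tunnelled port."""
    for ftype, flags, sid, payload in parse_frames(response):
        if ftype == GOAWAY:
            return "connection refused by server (GOAWAY)"
        if sid != stream_id:
            continue                      # server SETTINGS etc. live on stream 0
        if ftype == RST_STREAM:
            return "stream reset (error 0x%x): CONNECT rejected or target unreachable" % int.from_bytes(payload, "big")
        if ftype == HEADERS:
            if flags & PADDED:            # drop pad-length byte and trailing padding
                payload = payload[1:len(payload) - payload[0]]
            if flags & PRIORITY:          # drop 5-byte stream dependency + weight
                payload = payload[5:]
            status = hpack_status(payload)
            if status and status.startswith("2"):
                return "open: tunnel to target established (HTTP %s)" % status
            return "closed/filtered or CONNECT unsupported (HTTP %s)" % status
    return "no verdict (no frame on stream %d)" % stream_id


def probe(server: str, port: int, target: str, timeout: float = 5.0) -> str:
    """Live check (hypothetical helper): TLS with ALPN h2, send the probe, classify the reply.
    Only for hosts you are authorised to test."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            if tls.selected_alpn_protocol() != "h2":
                return "server did not negotiate h2"
            tls.sendall(build_connect(target))
            data = b""
            while not any(f[2] == 1 for f in parse_frames(data)):
                chunk = tls.recv(65535)   # server SETTINGS usually arrives first
                if not chunk:
                    break
                data += chunk
            return classify(data)
```

Run `probe("proxy.example", 443, "10.0.0.5:22")` against an authorised target; a run of `open` verdicts across internal host:port pairs is the behaviour the advice above tells you to shut off. The decoder deliberately covers only what a status line needs, so a server that Huffman-codes a literal status or uses a dynamic-table entry will produce a `(HTTP None)` verdict rather than a wrong one; in that case inspect the raw frames from `parse_frames`.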
INSIGHT

Internal Framework Caches Are Distinct Attack Targets

  • A framework's internal cache can be poisoned independently of any CDN cache in front of it, and a single poisoned entry can break or backdoor a route for every user.
  • Example: Next.js handled data requests differently from page requests but did not include the query parameters in its cache key, so an attacker could get the JSON response cached under an HTML route, causing a DoS or stored XSS.