
General

20 articles

Mozilla Security Blog General May 17

Firefox Security Response to pwn2own 2025

At Mozilla, we consider security to be a paramount aspect of the web. This is why not only does Firefox have a long running bug bounty program but also matur...

Mozilla Security Blog →

PortSwigger Research General Apr 23

Document My Pentest: you hack, the AI writes it up!

Tired of repeating yourself? Automate your web security audit trail.

PortSwigger Research →

Mozilla Security Blog General Apr 1

Updated GPG key for signing Firefox Releases

The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to a new signing subkey shortly. The GPG fin...

Mozilla Security Blog →

PortSwigger Research General GitLab Mar 18

SAML roulette: the hacker always wins

Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Ent...

PortSwigger Research →

Mozilla Security Blog General Mar 12

Enhancing CA Practices: Key Updates in Mozilla Root Store Policy, v3.0

Mozilla remains committed to fostering a secure, agile, and transparent Web PKI ecosystem. The new Mozilla Root Store Policy (MRSP) v3.

Mozilla Security Blog →

PortSwigger Research General Feb 20

Shadow Repeater: AI-enhanced manual testing

Have you ever wondered how many vulnerabilities you've missed by a hair's breadth, due to a single flawed choice?

PortSwigger Research →

PortSwigger Research General Jan 28

Bypassing character blocklists with unicode overflows

Unicode codepoint truncation - also called a Unicode overflow attack - happens when a server tries to store a Unicode character in a single byte.

T1598

PortSwigger Research →

PortSwigger Research General Jan 22

Stealing HttpOnly cookies with the cookie sandwich technique

In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers.

PortSwigger Research →

PortSwigger Research General Dec 4

Bypassing WAFs with the phantom $Version cookie

HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities.

PortSwigger Research →

PortSwigger Research General Oct 29

New crazy payloads in the URL Validation Bypass Cheat Sheet

The strength of our URL Validation Bypass Cheat Sheet lies in the contributions from the web security community, and today’s update is no exception.

PortSwigger Research →

PortSwigger Research General Oct 23

Concealing payloads in URL credentials

Last year Johan Carlsson discovered you could conceal payloads inside the credentials part of the URL.

T1598

PortSwigger Research →

PortSwigger Research General Sep 3

Introducing the URL validation bypass cheat sheet

URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection.

PortSwigger Research →

PortSwigger Research General Aug 8

Gotta cache 'em all: bending the rules of web cache exploitation

Through the years, we have seen many attacks exploiting web caches to hijack sensitive information or store malicious payloads.

T1598

PortSwigger Research →

PortSwigger Research General Aug 7

Splitting the email atom: exploiting parsers to bypass access controls

Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepa...

PortSwigger Research →

PortSwigger Research General Oracle Aug 7

Listen to the whispers: web timing attacks that actually work

Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them.

PortSwigger Research →

PortSwigger Research General Apple Jul 9

Fickle PDFs: exploiting browser rendering discrepancies

Imagine the CEO of a random company receives an email containing a PDF invoice file. In Safari and MacOS Preview, the total price displayed is £399.

PortSwigger Research →

PortSwigger Research General Jul 2

A hacking hat-trick: previewing three PortSwigger Research publications coming to DEF CON & Black Hat USA

We're delighted to announce three major research releases from PortSwigger Research will be published at both Black Hat USA and DEF CON 32.

PortSwigger Research →

Mozilla Security Blog General Jun 5

Firefox will upgrade more Mixed Content in Version 127

Most of the web already supports HTTPS: In fact, 93% of requests made by Firefox are already HTTPS. As a reminder, HTTP over TLS (HTTPS) fixes the security s...

Mozilla Security Blog →

PortSwigger Research General May 29

Refining your HTTP perspective, with bambdas

When you open a HTTP request or response, what do you instinctively look for? Suspicious parameter names?

PortSwigger Research →

PortSwigger Research General May 22

Introducing SignSaboteur: forge signed web tokens with ease

Signed web tokens are widely used for stateless authentication and authorization throughout the web.

PortSwigger Research →

FreeIntelHub · Open-source CTI platform

All articles belong to their respective owners. FreeIntelHub aggregates publicly available RSS feeds for informational purposes only.