Devansh (⚡, 🥷)

@0xAsm0d3us

Followers: 15K, Following: 2K, Media: 490, Statuses: 1K

Pwn, Security Research & Maths ⚡ Views are personal

Joined December 2019
@0xAsm0d3us
Devansh (⚡, 🥷)
16 days
After about five years of sifting through and triaging thousands of vulnerability reports, I’ve got a pretty good sense of what makes a report stand out, and what makes it a slog to read. Lately, I’ve noticed more and more folks using AI to jazz up their reports with flowery,.
@0xAsm0d3us
Devansh (⚡, 🥷)
18 days
RT @nav1n0x: Simple LFI using my path traversal script on GitHub. Used @0xAsm0d3us’s ParamSpider to gather URLs, filtered for relevant para….
@0xAsm0d3us
Devansh (⚡, 🥷)
19 days
We're hiring in Pune for Product Security Analyst roles! If you're passionate about ethical hacking, cybersecurity, tackling real-world challenges to enhance internet safety, or just want to help in making the internet a safer place for the world, we want to connect with you.
@0xAsm0d3us
Devansh (⚡, 🥷)
1 month
Interesting Read! DevOps Tools Targeted for Cryptojacking: Wiz Threat Research identified a broad cryptojacking campaign targeting publicly accessible DevOps web servers including exposed Nomad, Consul, Docker and Gitea applications.
@0xAsm0d3us
Devansh (⚡, 🥷)
1 month
Some good news!! OpenID Connect (OIDC) Support for npm Registry is coming soon. Which means, the attack surface for supply chain attacks targeting npm will cut down to some extent. OIDC support will allow you to publish npm packages from your CI/CD workflows without managing
@0xAsm0d3us
Devansh (⚡, 🥷)
2 months
Good weekend read! Localhost dangers: CORS and DNS rebinding.
@0xAsm0d3us
Devansh (⚡, 🥷)
2 months
Stealing HttpOnly cookies with the cookie sandwich technique - by PortSwigger's Research.
@0xAsm0d3us
Devansh (⚡, 🥷)
2 months
If you are someone who writes/manages GitHub Actions, this piece of writing is a must-read. How to secure your GitHub Actions workflows with CodeQL:
@0xAsm0d3us
Devansh (⚡, 🥷)
2 months
One of the most fascinating vulnerabilities in tech history, a true relic of the past. In 2017, CloudFlare had a severe buffer overflow vulnerability, later termed as "Cloudbleed," which led to the exposure of sensitive customer data, including HTTP cookies, authentication
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
RT @edwardzpeng: Sharing our slides for Blackhat Asia 2025 and NDSS 2025:
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
RT @xvonfers: (CVE-2025-1920)[$7000][398065918][maglev]Type Confusion.
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
This is a pretty neat phishing technique. Google Spoofed Via DKIM Replay Attack: A Technical Breakdown.
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
RT @xvonfers: (CVE-2025-0612)[385155406][$8000][compiler]OOB memory access is now open. Simplified repro:. https://t….
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
RT @flatt_sec_en: We have published a blog post by RyotaK @ryotkak! It showcases techniques for achieving RCE by chaining multiple issues….
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
RT @ryotkak: I have published the author's writeups for "super-fastcgi" and "not-that-short", the challenges I set for the SECCON CTF 13 Finals.
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
Fun Fact: The term "pwn" was created accidentally by the misspelling of "own" due to the keyboard proximity of the "O" and "P" keys.
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
Google is winning the AI war so far; by a good margin.
@0xAsm0d3us
Devansh (⚡, 🥷)
3 months
nerve: The Simple Agent Development Kit (by @evilsocket).