Lupin

@0xLupin

Followers
13,565
Following
552
Media
413
Statuses
2,770

Roni Carta alias Lupin. Co-Founder of Lupin & Holmes. R&D. Red Teamer. Bug Hunter. Musician 🤘

127.0.0.1
Joined January 2020
Pinned Tweet
@0xLupin
Lupin
11 months
Excited to announce the start of our company with my brother: Lupin & Holmes! We focus on offensive cybersecurity and social engineering. We aim to draw inspiration from the Hacking Culture to innovate with the spirits of Lupin & Holmes. Ready to hack the planet! 🎩🔍🌍🔐
31
21
387
@0xLupin
Lupin
2 years
In a few hours I'm going to release my first video on YouTube! 🔥 The title: Bypassing a WAF by Finding the Origin IP. Hope you'll enjoy the video 🤟
34
276
1K
@0xLupin
Lupin
4 months
Today I received a $12,000 bounty using the Sandwich Attack! 🤑 The vulnerability allowed me to enumerate the API Keys of other users 🤯 How did I do that? Well, the API key was a UUIDv1. If you are not familiar with UUIDv1s you need to know that they are constructed in 6
34
280
1K
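As an added, defender-side illustration of why a UUIDv1 makes a poor API key (this is example code, not the author's): Python's standard uuid module exposes the version nibble, the 60-bit timestamp, the clock sequence and the node of a v1 value, which is everything an auditor needs to flag such keys. The two v1 samples are the RFC 4122 DNS and URL namespace UUIDs, used only because they are well-known v1 values minted one tick apart; the v4 sample and the audit_identifier / v1_gap_ticks helpers are constructed for this example.

```python
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# Ticks (100 ns) between the UUID epoch (1582-10-15) and the Unix epoch, per RFC 4122.
UUID_EPOCH_OFFSET = 0x01B21DD213814000

# Constructed samples: the RFC 4122 DNS and URL namespace UUIDs (both v1, minted one
# tick apart by the same generator) and an arbitrary v4 value.
SAMPLE_V1_A = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_V1_B = "6ba7b811-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_V4 = "f47ac10b-58cc-4372-a567-0e02b2c3d479"


def uuid_v1_timestamp(u: uuid.UUID) -> datetime:
    """Wall-clock time (UTC) embedded in a version-1 UUID."""
    if u.version != 1:
        raise ValueError("not a time-based (v1) UUID")
    unix_ticks = u.time - UUID_EPOCH_OFFSET
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)


def audit_identifier(token: str) -> dict:
    """Classify a token used as an API key and say whether it is guessable.

    A v1 UUID is a clock value plus a clock sequence and the generator's node id,
    so one leaked sample reveals most bits of every neighbouring identifier.
    """
    try:
        u = uuid.UUID(token)
    except ValueError:
        return {"is_uuid": False, "verdict": "not a UUID; assess its entropy separately"}
    info = {"is_uuid": True, "version": u.version, "time_based": u.version == 1}
    if u.version == 1:
        info.update(generated_at=uuid_v1_timestamp(u), node=f"{u.node:012x}",
                    clock_seq=u.clock_seq,
                    verdict="UNSAFE as a secret: v1 is time-based and enumerable")
    elif u.version == 4:
        info["verdict"] = "random v4 (122 bits): acceptable if produced by a CSPRNG"
    else:
        info["verdict"] = f"version {u.version}: name/sequence based, not a secret"
    return info


def v1_gap_ticks(a: str, b: str) -> Optional[int]:
    """Width (100 ns ticks) of the window between two v1 UUIDs from one generator.

    None means the pair does not share node and clock sequence, so they do not bound
    ('sandwich') each other. A small width is an exposure metric: every identifier
    issued between them lies in a search space of that size.
    """
    ua, ub = uuid.UUID(a), uuid.UUID(b)
    if ua.version != 1 or ub.version != 1:
        return None
    if (ua.node, ua.clock_seq) != (ub.node, ub.clock_seq):
        return None
    return abs(ua.time - ub.time)


if __name__ == "__main__":
    for sample in (SAMPLE_V1_A, SAMPLE_V4, "not-a-key"):
        print(sample, audit_identifier(sample))
    print("window between the two v1 samples:", v1_gap_ticks(SAMPLE_V1_A, SAMPLE_V1_B))
```

Run against real key material, the audit flags every v1 key as predictable and the window width tells you how few candidates sit between any two leaked samples.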
@0xLupin
Lupin
3 years
Started today my first job as a Security Analyst ! That was an insane day, already learned a lot 🤟
31
16
704
@0xLupin
Lupin
2 years
How I found XSS to RCE ! 🤟 Use wp-wordlist() to generate a list of all available #WordPress plugins and themes! Use the wordlist to fuzz your target and find CVEs or 0days to report🔥 #infosec #bugbounty #bugbountytips #bugbountytip
24
205
610
@0xLupin
Lupin
9 months
In 2 hours the video about how we made 5,000$ in #BugBounty with a super cool technique resulting in a 0 Click ATO 🤟 This is by far the best video I ever made and I'm looking forward to hear all your feedbacks about the #bugbountytips that we are sharing 🔥 Stay tuned !
7
74
484
@0xLupin
Lupin
3 months
In this article @rez0__, @Rhynorater and I managed to hack @GoogleVRP AI for 50,000$. Link 👇 Enjoy 🤟🔥
16
160
485
@0xLupin
Lupin
2 years
I've just released my first video about Bypassing a Web Application Firewall by Finding the Origin IP ! 🔥 Thanks to @securitytrails for sponsoring the video and @Cloudflare for the participation Do not hesitate to share the video as much as you can 🤟
15
126
442
@0xLupin
Lupin
2 years
@samwcyo @Google Step 1. Report the behaviour to Google's Bug Bounty Step 2. Make more money Step 3. Enjoy 💸
3
1
369
@0xLupin
Lupin
3 months
In 2 hours @rez0__ , @Rhynorater and I will release an article on how we managed to hack @GoogleVRP AI scope for 50,000$ Stay tuned 🔥
17
38
336
@0xLupin
Lupin
1 month
In 2 hours I'm going to drop the video on how @rez0__ , @Rhynorater and I managed to hack @GoogleVRP AI scope for $50,000 🤑 I'm so excited !!! 🔥
10
30
314
@0xLupin
Lupin
7 months
1/🧵 When I report an XSS vulnerability I always try to escalate its impact, especially when I know that the Security Team is mature on those subjects. However, what happens when I find an XSS on a WordPress site that is used only for branding? Here is how I do it ;)
6
74
281
@0xLupin
Lupin
2 years
🏆🎉 I can't believe we won a trophy in Las Vegas with @ReeverZax at @Hacker0x01 's #H1702 event ! This was my first time meeting Brice, even though we've been friends online for over 2 years now. We got a trophy for Best Collaboration on one of the 3 customers participating 🤯
7
7
234
@0xLupin
Lupin
9 months
XSS with no parentheses 🔥 Thanks to @Rhynorater for sending me this target with a really weird filter. It was a fun challenge 🤟 Btw I'm not the one who discovered the use of instanceof for XSS ;) #bugbountytips
6
45
225
@0xLupin
Lupin
9 months
Live Hacking Events are awesome mainly because we can meet so many 1337 people ! 🤟
1
4
196
@0xLupin
Lupin
10 months
I'm super happy! A couple of days ago I found a cool GraphQL Attack Vector that I've never seen before ;D Turns out there is only 1 article talking about this issue and it does not go very in depth. If I can disclose the report, I'll share the technique for #bugbounty 🤟🔥
2
8
159
@0xLupin
Lupin
2 years
Here is a little graphic to understand How to Become a Full time Bug Hunter 👀 #BugBountyTips
8
26
154
@0xLupin
Lupin
1 year
🎅🎄 It's time for a Xmas challenge! 🎁 Can you solve our Xmas Challenge and trigger the alert on this page? 🤔 DM me your solution for a chance to win @garethheyes ' book "Javascript for Hackers"! 5 winners will be chosen at random until the 30th 📚
12
27
153
@0xLupin
Lupin
10 months
Last night I coded a cool tool to find more GraphQL endpoints for my recon. Basically I'm using a Headless Chrome browser to open a bunch of URLs and then I check the network activity of the browser. It's used like: cat urls.txt | python3 traceql[.]py -H "Header: Value" What's
3
19
154
@0xLupin
Lupin
3 years
Last year for my birthday, I was a high schooler that just received his first bounty on @Hacker0x01 triaged by @pxmme1337 . Exactly one year later, I'm happy to have a full time position at @ManoMano_FR as a Security Hunter (Red Team). Time flies 🤟
11
2
153
@0xLupin
Lupin
9 months
LET'S GOOOOOOOO ! 🔥
8
2
150
@0xLupin
Lupin
6 months
If you ever do static analysis on Android applications that are compiled with React, you'll need to read the code of the assets/index.android.bundle file. However, this file is a Hermes JavaScript binary that needs to be decompiled. This tool saved my life:
1
29
140
@0xLupin
Lupin
2 years
Hi everyone! Here you can find my talk from @Hacker0x01's HacktivityCon in Las Vegas 🔥 In the presentation I talk about 3 vulnerabilities that I've found in the past: a Fun one, a Weird one and a Technical one 🤟 Enjoy ;D
1
30
140
@0xLupin
Lupin
3 years
If you like XSS, and do not know where to start WAF Bypassing, here is a link for you: A lot of people are focusing on bypassing the HTML blockers but not the Javascript. This link can give you at least 3 powerful WAF bypasses 🤟
1
43
136
@0xLupin
Lupin
2 years
For those who search for simple write-ups with super interesting impact, I highly recommend @J0_mart's blog: the Basic Recon to RCE series is great 🔥
2
30
122
@0xLupin
Lupin
4 years
Let's face it. All the work you see on Twitter, Discord and other social media is not done in 5 seconds. If you think that someone has the power to find a bug without even trying, you're deeply wrong. There are hours of work and years of failing before finding something.
4
14
115
@0xLupin
Lupin
11 months
I love this picture because it captured an amazing brainstorming moment with @zseano and @JonathanBouman Hack the planet ✌️🔥
1
4
116
@0xLupin
Lupin
1 year
🏆🎉 Excited to share the great news with all of you! Our team @ReeverZax , @DoomerOutrun , Snorlhax and myself have won the Best Collaboration trophy at the #H1407 event !
7
6
115
@0xLupin
Lupin
1 year
Hey everyone! I'm happy to share with you that I'm now part of @Hacker0x01's Hacker Advisory Board 🤟
4
0
108
@0xLupin
Lupin
2 years
Thanks @EpicGames for the Swag ! 😜🤟
2
1
104
@0xLupin
Lupin
3 years
Just bypassed a 403 mod_rule fix of one of my old reports by using the simplest and dumbest trick ever: Adding the "Referer" header pointing to the same page I wanted to fetch bypassed the rule. I don't think it's even a #bugbountytips xD Taken from Byp4xx by @lobuhisec
3
22
99
@0xLupin
Lupin
3 years
Can someone manage to guess which type of exploit I'm currently writing ? Bonus point if you can guess the impact !
14
10
96
@0xLupin
Lupin
6 months
I'm currently conducting a research based on @Nick_Aleks book "Black Hat GraphQL" and already found 2 major widespread misconfigurations that can result in multiple impacts. Currently writing some reports and see how program will triage them 🔥
6
4
96
@0xLupin
Lupin
3 years
Recipe of the day:
- Take Axiom by @pry0cc
- Gently add Cracking the Lens by @albinowax
- Incorporate some automation
- Slowly have a night of sleep
When you wake up you'll find +1k of those. It's for a #bugbounty program on @Hacker0x01 🤟
2
8
93
@0xLupin
Lupin
2 years
WE WON THE WORLD CUP 🇫🇷🥖 This event was amazing we loved to hack along all of the teams. The real victory IMO is that we Hacked the Planet from the entire Globe 🌍 I wanted to add that I'm proud of every member of the French Team. 🔥 Huge round of applause to @Arl_rose !!!
@Hacker0x01
HackerOne
2 years
🏆 The wait is finally over. Congratulations to the Bordeaux HackerOne club for becoming the Champions of the Ambassador World Cup 2022. And congrats to all the teams who participated — thanks for making it so exciting! See you next year? 😏 #h1ambassadorworldcup
12
35
232
12
3
97
@0xLupin
Lupin
1 year
Today was my last day at ManoMano. What a 2 year ride it's been as a Sr. Security Engineer and Red Teamer 🤟 Forever grateful to @BaskFr and @flemarch for trusting me back then. The hacking, learning, and friendships were amazing ! Excited for the next chapter. Stay tuned 🔥
10
1
96
@0xLupin
Lupin
3 years
Some of you already know it, but I'm in the middle of an important research project. Yesterday we made a great leap forward with @0xbeefed. After successfully generating 1.3k @pdnuclei templates we got more than 5k vulnerability hits. Thanks to @codecancare for running the scan!
8
10
90
@0xLupin
Lupin
2 years
A few weeks ago I started a PoC based on one of @IAmMandatory 's article for my own research. @albinowax said: "The easiest way to get started is to find some promising research by someone else, build on it by mixing in other techniques". I was awarded 3000$ this weekend ! 🔥
2
2
85
@0xLupin
Lupin
9 months
The website of Lupin & Holmes is now online 😎
13
14
85
@0xLupin
Lupin
10 months
Imagine if there is a video dropping in a few about how we made 5,000$ in #bugbounty with a single vulnerability ? That would be a cool #bugbountytips right ? Art by @GJowTv
4
10
84
@0xLupin
Lupin
4 years
Today I got a bounty. Just wanted to tell you that this whole process is not about money but about friendship. When I see the relationships that @d0nutptr and @NahamSec have, or when @stokfredrik discovers new things with @securinti or @TomNomNom, I see the real value of hacking.
5
2
80
@0xLupin
Lupin
5 months
Thanks a lot to @NCSC for sending me this amazing challenge coin 😁 You can read more about the coins on their blog post: Happy hacking 🤟
3
2
79
@0xLupin
Lupin
2 years
Recently @UnderscoreTalk released the replay video of my interview ! Since then I received a lot of messages asking how to get started in Web Application Bug Bounty Hunting. Here are some tips that helped me at the beginning and I'll try to take out the obvious ones👇
1
15
77
@0xLupin
Lupin
7 months
Tomorrow I'm doing a talk on how to escalate XSS to RCE on WordPress with @snyksec in French, and I've used DALLE-3 to generate some of the images. They are just amazing!!! 😎 Here is a sneak peek of some of the illustrations 🔥
6
3
76
@0xLupin
Lupin
11 months
2
1
76
@0xLupin
Lupin
1 year
I just passed 10k followers on Twitter 🥳 Thanks a lot everyone, the past 3 years in the infosec community have been an amazing journey and I'm looking forward to what's ahead ;) Great things are coming in the future, so stay tuned 🔥
4
1
74
@0xLupin
Lupin
4 years
Part I: I read @samwcyo 's report on Apple (along with @bbuerhaus @nahamsec @erbbysam @_StaticFlow_ ), and I found a cool PoC for a Stored XSS on icloud. This motivated me to find my own stored XSS on my email provider.
3
20
74
@0xLupin
Lupin
9 days
🌉 Depi: Bridging the Gap in Software Supply Chain Security 🔗 Introducing Depi, a groundbreaking solution that aims to revolutionize Software Supply Chain security 🔒 Depi is the result of 4 years of intensive research and development by our team at Lupin & Holmes. Depi’s
4
11
76
@0xLupin
Lupin
2 years
To whoever sent a message through my DNS Server while I was exploiting Dependency Confusion: You made my day 🤣
3
1
73
@0xLupin
Lupin
2 years
In a few hours I’ll be speaking from Las Vegas at the HacktivityCon by @Hacker0x01 🤟
2
6
75
@0xLupin
Lupin
3 years
The answer is a UUIDv1 Sandwich Attack. You can read the amazing article by @VerSprite if you want to know more about it:
@0xLupin
Lupin
3 years
Can someone manage to guess which type of exploit I'm currently writing ? Bonus point if you can guess the impact !
14
10
96
2
17
72
@0xLupin
Lupin
10 months
I'll be at @defcon this year! I've looked forward to it since I started hacking
8
2
69
@0xLupin
Lupin
3 years
Also every XSS on WordPress can be rotated with a single script I wrote on @hakluke github to a Remote Code Execution :
@intigriti
Intigriti
3 years
What is better than blackbox testing a wordpress website? Whitebox testing of course! @0xLupin has a great #BugBountyTip for enumerating plugins and hunting down bugs in their source code! #BugBountyTips
2
37
167
3
22
67
@0xLupin
Lupin
1 year
Hey ! @NahamSec just uploaded on his channel my Nahamcon talk about Managing the Coolest Bug Bounty Program on @Hacker0x01 as a Hacker🤟 We talk about bugs, disclosure, scope and how to get 1337 Bounties at @ManoMano_Tech BBP 🔥 Enjoy 😜
0
9
66
@0xLupin
Lupin
2 years
Hey everyone! Do you know a good DNS permutator to generate more subdomains? I'm currently using dnsgen and I wanted to know if there were faster and more performant alternatives? Thanks! :D
9
5
62
@0xLupin
Lupin
9 months
Added a little something on the @defcon wall 😜
3
4
66
@0xLupin
Lupin
6 months
Getting a “🎉 Nice catch!” is the best feeling ever 🤟🔥
4
0
64
@0xLupin
Lupin
2 years
This week I had the amazing opportunity to attend @Agarri_FR's Mastering Burp Suite training 🤟 I thought I knew Burp after using it for 3 years, but Nicolas broke my mind several times these past days with awesome tips 🤯 I've learned so many useful tricks for Bug Bounties 🔥
2
3
64
@0xLupin
Lupin
1 year
I'm currently testing Chatbot UI 🔥 It's an amazing #ChatGPT interface clone that uses the @OpenAI API with your own organisation key. Let's dive into how it can help find vulnerabilities and contribute to #BugBounties 🕵️‍♀️
4
9
59
@0xLupin
Lupin
3 years
This account is finally 1337 🤟
5
4
59
@0xLupin
Lupin
2 years
The next article is coming in about 1 hour or 2 🔥 Title: The Tale of a Click leading to RCE 🤟 #bugbountytips #RedTeam #hack
1
2
59
@0xLupin
Lupin
2 years
Trouble bypassing a WAF/Filter for your XSS? You can send onxxxx=a but can't send onerror=a? You could try this little script I made to generate an Event Handlers Wordlist to bypass a blacklist-based filter 🔥 #bugbountytips
1
22
60
@0xLupin
Lupin
3 years
So that happened today xD
10
1
59
@0xLupin
Lupin
3 years
500 websites from the Alexa Top 1 Million are vulnerable to disclosure of their database password. To find that issue, with @Coffee_n_Weed we extracted 100k websites and scanned them for the information disclosure with a specific @pdnuclei template.
6
7
54
@0xLupin
Lupin
3 years
I'm having an amazing birthday day!!! How are you doing today? 😜
13
2
57
@0xLupin
Lupin
3 years
<script>alert(1)</script> done 💉
5
3
56
@0xLupin
Lupin
3 months
It's here ! Enjoy:
4
11
57
@0xLupin
Lupin
10 months
Great things are coming 🤟
3
0
57
@0xLupin
Lupin
11 months
About this entire LHE Invite Drama: I think people are confusing Hunters and Hackers. When @Hacker0x01 invites someone they are not necessarily inviting a top performer but a true Hacker. Hacking is about passion, sharing, ingenuity and creativity
4
1
56
@0xLupin
Lupin
4 years
Hi everyone ! Friday 5pm GMT+2 I will be streaming a beginner friendly session cohosted by @yellowcap_ghost on : How To bypass #WAF for your #XSS 🔥 I hope afterward you will get some leet #bugbountytips and be a pro at #BugBounty ! Join there :
2
20
56
@0xLupin
Lupin
2 years
Just pulled 7 hours of bounty and then submitted a critical report at 5am. I'm broken x) I hope I'll be able to disclose the report in the future ✌️ I need coffee ☕️
0
0
54
@0xLupin
Lupin
11 months
It was amazing to speak at the first @hackthebox_eu meet up in Paris ! 🤟🇫🇷
@hackthebox_eu
Hack The Box
11 months
We don't think you're ready for this... 🔥 We are on the first onsite #meetup in Paris, along with @_Euzebius and the amazing @0xLupin , @_nwodtuhs , @rayanlecat , and @DarkCoderSc ! #HackTheBox #HTBMeetup #Hackers #CyberSecurity #Community
7
23
127
1
0
52
@0xLupin
Lupin
2 years
Some time ago I did a shoot with a really talented French photographer called Eve! She did an amazing job, since I asked her to take photos inspired by some people from the Infosec Industry! Here is her Instagram profile:
5
3
53
@0xLupin
Lupin
3 years
Thank you @Hacker0x01 , @martenmickos and @luketucker for the gift! I love this T-Shirt 🤟 #bugbounty #hacking #swags
3
1
52
@0xLupin
Lupin
10 months
The latest @LiveOverflow video is amazing! I've used @OversecuredInc in the past but never managed to get the gist of how Intents are used between 2 applications! Android App scope seems super interesting to dig into, especially since it's code review 🤟
0
6
51
@0xLupin
Lupin
2 years
Here is a small screen grab of the next video on the channel. It’s about a great #bugbounty story with a really nice payout 🤑 We’ll release the video in a few days 🔥
0
3
51
@0xLupin
Lupin
8 months
Started doing that today and I have to say, it's wow 🤯
@hacker_
Corben Leo
9 months
Finding vulnerabilities got easier. Pair @WeaselJs + Cursor by @anysphere . Javascript analysis will never be the same
6
120
520
1
2
52
@0xLupin
Lupin
4 months
2
10
49
@0xLupin
Lupin
1 year
After a few attempts I managed to generate something close to a Bug Bounty report using GPT4All 🔥 What is super cool is that I'm running one of the smallest models on my Mac M1 and the generation is really fast 👀
1
5
48
@0xLupin
Lupin
3 years
Hack for good 🤟
@martenmickos
Mårten Mickos
3 years
Great interview (in French) with whitehat hacker Roni Carta @0xLupin , 18 years old --- Hack for good!
3
3
31
2
3
49
@0xLupin
Lupin
9 months
The editing of my next video on the channel is over and I’m so hyped right now. The story will be on how we made $5k with a single bug in #BugBounty 🔥
2
0
47
@0xLupin
Lupin
3 years
Found a P1 vulnerability in 10 minutes after reading the last article 😬🔥
@PwnFunction
PwnFunction
3 years
Yo! my new Blog!
24
50
321
3
3
44
@0xLupin
Lupin
1 year
5
4
45
@0xLupin
Lupin
4 months
@ajxchapman One quick tip: You can find more UUIDv1s by checking older data sets. Some companies I found were using V1 and then migrated to V4. If you can leak some old IDs, using the Wayback Machine for instance, you might be able to brute force sequentially the ones after. It's a cool technique
0
1
46
@0xLupin
Lupin
3 months
1
0
46
@0xLupin
Lupin
11 months
1
1
44
@0xLupin
Lupin
2 years
In less than 30 minutes @Hacker0x01's Ambassador World Cup starts! We are really excited on the French Team! 🇫🇷 #H1AmbassadorWorldCup
5
3
44