André Baptista (@0xacb)
Followers: 18K · Following: 8K · Media: 110 · Statuses: 1K

Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm. Co-founder @ethiack

Multiverse of Hacking
Joined April 2013
André Baptista (@0xacb) · 1 year
We won the MVH title at #h1702 🔥 @NahamSec @ajxchapman
32
15
474
André Baptista (@0xacb) · 20 hours
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾 https://t.co/2EMAXp2ZzP There's also a fork with Discord support:
Linked (github.com): seczq/jsmon, a javascript change monitoring tool for bugbounties
1
9
123
André Baptista (@0xacb) · 2 days
Also, if you are part of a security team and want to check for this kind of stuff, there's a really awesome product by Lupin & Holmes @0xLupin :
0
1
9
InvestorIdeas.com (@InvestorIdeas) · 2 days
Following cybersecurity stocks? AI Cybersecurity Stocks to Watch and the Race for $234 billion Market by 2032. There is a lot of money on the table for both sides and leading cybersecurity stocks like @Cycurion (NASDAQ: $CYCU), Crowdstrike Holdings (NASDAQ: $CRWD), Check Point
0
2
2
André Baptista (@0xacb) · 2 days
If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀 Check for it quicker using this cool new tool by JSMon: https://t.co/zjdmSzRfqy 👇
4
56
267
Lisbon AI (@lisbonai_) · 4 days
Your AI agent is powerful. But is it safe enough for production? @0xacb from Ethiack showed how to implement robust safety techniques like guardrails and LLM firewalls.
0
2
16
André Baptista (@0xacb) · 4 days
Looking into a potential SSRF or OR but the server checks against a URL whitelist? Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not. Here's an example payload:
1
6
83
André Baptista (@0xacb) · 4 days
Looking into a potential SSRF or OR but the server checks against a URL whitelist? Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not. Here's an example payload:
Linked (github.com): 0xacb/recollapse, REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications
4
23
167
André Baptista (@0xacb) · 5 days
Tomorrow I'll be speaking at @lisbonai_! We're building faster than ever with AI. But are we building securely? I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do. See you there:
0
2
42
Ethiack (@ethiack) · 5 days
As attack surfaces grow exponentially, driven by AI-accelerated development and increasing technical debt, security must scale accordingly. We've been intensely focused on building the future of security, and our Co-founder, André Baptista (@0xacb) is pulling back the curtain on
0
2
9
André Baptista (@0xacb) · 9 days
Just had an amazing time working with @ShopifyEng in Toronto 🍁 Thanks @Hacker0x01 for organizing such an incredible event and bringing awesome researchers together. #togetherwehitharder #h1416 #shopify #hacking #goleafs
1
2
84
Ethiack (@ethiack) · 10 days
The BsidesLisbon CTF Qualifiers are officially closed! Huge congrats to the Top 10 teams who will be moving on to the intense onsite finals. See the final rankings on the scoreboard here 👉 https://t.co/wegj3fRIfR
0
1
1
André Baptista (@0xacb) · 10 days
If you found a dangling DNS record, you might be able to take control of it 👀 Be sure to check https://t.co/GzWbYJAT0o, which has an extensive list of vulnerable services and guides on how to claim them.
Linked (github.com): EdOverflow/can-i-take-over-xyz, "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
2
4
62
André Baptista (@0xacb) · 11 days
Here's a quick little hacking tip that's landed me some interesting bugs. When you see an ID parameter, give it a little manual fuzz and see what happens: - Positive integer - Negative integer - Decimal points - Letters - Symbols - Really big number - 0 (Yeah, this one dumped
4
38
303
castilho (@castilho101) · 12 days
I found out that you can use "ftp::" to convert a limited DOM Clobbering situation into a full CSPT. Then, while talking about it with @LooseSecurity, he found that we can also use "https::" This can be used to prevent URL parsing of href, allowing us to hit other endpoints
7
54
302
André Baptista (@0xacb) · 12 days
Modern websites use a lot of intermediary servers - caches, load balancers, proxies, and so on. You can try to send the 'Max-Forwards' header with your request to limit the amount of servers it will reach. It's defined in HTTP specs primarily for TRACE and OPTIONS methods,
1
27
234
Ethiack (@ethiack) · 14 days
🚨@BsidesLisbon CTF Quals starts now! 🔓Join at: https://t.co/O4ZWIHQLz5 #CTF #BSidesLisbon
0
3
2
André Baptista (@0xacb) · 15 days
Prototype pollution is often missed. Here's how to find it. Prototype pollution is a powerful client-side vulnerability that can lead to XSS. The main requirements to exploit it are: - Unsafe parsing of user-controlled objects (via URL parameters, JSON, postMessages, etc.) - A
2
29
171
shubs (@infosec_au) · 17 days
As a homage to the work of @Blaklis_, our Security Researcher @softpoison_ debuts his first research post on reverse engineering a critical unauthenticated RCE in Magento (SessionReaper) CVE-2025-54236 at @SLCyberSec:
Linked (slcyber.io): Magento is still one of the most popular e-commerce solutions in use on the internet, estimated to be running on more than 130,000 websites. It is also offered as an enterprise offering by Adobe...
7
45
185
BSidesLisbon (@Bsideslisbon) · 17 days
Proud to announce that @ethiack will host this year’s #BSidesLisbon CTF! Test your offensive security skills in realistic challenges and compete against top hackers. 🗓️ Quals start Friday, 9PM Register now 👉 https://t.co/wa8XoYsT06 #CTF #Cybersecurity #OffensiveSecurity
0
6
11
André Baptista (@0xacb) · 17 days
Recon tip: Run xnl-h4ck3r's waymore on the target you're testing. It searches for URLs from multiple sources, the Wayback Machine, Common Crawl, URLScan and more. It also provides a lot of options to filter your results. Check it out here 👇 https://t.co/Npto8caKYR
Linked (github.com): xnl-h4ck3r/waymore, Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan, VirusTotal & Intelligence X!
4
31
170