André Baptista (@0xacb)
Followers: 18K | Following: 8K | Media: 111 | Statuses: 1K
Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm. Co-founder @ethiack
Multiverse of Hacking
Joined April 2013
LFI via SVG 👀 Glad you enjoyed it @aretekzs!
Just learned a very interesting trick from @0xacb’s challenge at the @Bsideslisbon CTF. If an application uses "magick convert" to modify an uploaded image, it may be possible to achieve LFI by using "text:" One of the file formats supported by ImageMagick is "text",
This might be the most important post you read today. @AnthropicAI just dropped the most insane blog. A hacking group, suspected to be a Chinese APT, has just pulled off the first documented case of a large-scale cyberattack executed without substantial human intervention. It
Our CTF is live and open to everyone right now until tomorrow 6pm UTC👇 Give it a try to learn some new techniques, and maybe pop some 0days 👀 https://t.co/u67h4tvHCK
The CTF platform is available for anyone to play with. Enjoy! https://t.co/a7MY3MVzOP thank @ethiack !
When testing GraphQL APIs make sure to run graphw00f ( https://t.co/hwqZeNFSW6) to fingerprint the specific GraphQL implementation the application is running. Then you can review the Threat Matrix to get likely attack vectors.
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾 https://t.co/2EMAXp2ZzP There's also a fork with Discord support:
github.com: seczq/jsmon - a javascript change monitoring tool for bugbounties
If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀 Check for it quicker using this cool new tool by JSMon: https://t.co/zjdmSzRfqy 👇
Your AI agent is powerful. But is it safe enough for production? @0xacb from Ethiack showed how to implement robust safety techniques like guardrails and LLM firewalls.
You can also use https://t.co/g4cVw8l9Xi to find potential new vectors 🥷
github.com: 0xacb/recollapse - REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications
Looking into a potential SSRF or OR but the server checks against a URL whitelist? Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not. Here's an example payload:
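The backslash discrepancy from the tweet above, seen from the defender's side as an added example that is not part of the tweet or of any project: the same URL yields different hosts under an RFC 3986 style parser (Python's urlsplit, where a backslash is an ordinary character) and a simplified WHATWG-style parser (which maps a backslash to a slash for special schemes), so an allowlist check has to reject the ambiguous character before parsing rather than compare the raw string. The host names, the allowlist and the simplified WHATWG rule are assumptions made for illustration.

```python
"""Added example: why a URL allowlist check must reject characters that
different parsers interpret differently, instead of trusting a string match."""
from typing import Optional, Set
from urllib.parse import urlsplit

# WHATWG "special" schemes, for which browsers treat '\' as '/'.
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}


def host_rfc3986_style(url: str) -> Optional[str]:
    """Host as an RFC 3986 style parser sees it (Python's urlsplit):
    a backslash does not end the authority, so it stays inside the host."""
    return urlsplit(url).hostname


def host_whatwg_style(url: str) -> Optional[str]:
    """Host as a WHATWG-style (browser-like) parser sees it.
    Assumption: a simplified model of the rule that rewrites '\\' to '/'
    for special schemes before splitting authority from path; it is not
    a full WHATWG parser."""
    scheme, sep, rest = url.partition(":")
    if sep and scheme.lower() in SPECIAL_SCHEMES:
        url = f"{scheme}:{rest.replace(chr(92), '/')}"
    return urlsplit(url).hostname


def is_allowed_url(url: str, allowlist: Set[str]) -> bool:
    """Hardened allowlist check: refuse URLs containing a backslash
    (its meaning differs between parsers), require http(s), then compare
    the parsed host exactly against the allowlist."""
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in {"http", "https"}:
        return False
    return parts.hostname in allowlist


# Constructed sample URL: a backslash between two host-like labels.
SAMPLE_URL = "https://allowed.example\\other.example/path"
ALLOWLIST = {"allowed.example"}

if __name__ == "__main__":
    print("rfc3986 host :", host_rfc3986_style(SAMPLE_URL))
    print("whatwg host  :", host_whatwg_style(SAMPLE_URL))
    print("allowed?     :", is_allowed_url(SAMPLE_URL, ALLOWLIST))
```

Running the script prints two different hosts for the same string, which is exactly the gap a validator and a fetcher can fall into; is_allowed_url closes it by refusing to reason about the ambiguous input at all.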
Tomorrow I'll be speaking at @lisbonai_! We're building faster than ever with AI. But are we building securely? I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do. See you there:
As attack surfaces grow exponentially, driven by AI-accelerated development and increasing technical debt, security must scale accordingly. We've been intensely focused on building the future of security, and our Co-founder, André Baptista (@0xacb) is pulling back the curtain on
Just had an amazing time working with @ShopifyEng in Toronto 🍁 Thanks @Hacker0x01 for organizing such an incredible event and bringing awesome researchers together. #togetherwehitharder #h1416 #shopify #hacking #goleafs
The BsidesLisbon CTF Qualifiers are officially closed! Huge congrats to the Top 10 teams who will be moving on to the intense onsite finals. See the final rankings on the scoreboard here👉 https://t.co/wegj3fRIfR
If you found a dangling DNS record, you might be able to take control of it 👀 Be sure to check https://t.co/GzWbYJAT0o, which has an extensive list of vulnerable services and guides on how to claim them.
github.com: EdOverflow/can-i-take-over-xyz - "Can I take over XYZ?" - a list of services and how to claim (sub)domains with dangling DNS records.
Here's a quick little hacking tip that's landed me some interesting bugs. When you see an ID parameter, give it a little manual fuzz and see what happens: - Positive integer - Negative integer - Decimal points - Letters - Symbols - Really big number - 0 (Yeah, this one dumped
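The ID-parameter input classes listed in the tweet above, turned into a server-side check as an added example that is not part of the tweet or of any project: a strict validator that accepts only a canonical positive integer within bounds, run over constructed samples covering each class (negative, decimal, letters, symbols, very large number, zero, plus leading zeros and exponent notation, which are added here). The upper bound and the sample values are assumptions made for illustration.

```python
"""Added example: a strict resource-ID validator exercised against the
kinds of input an ID parameter is commonly probed with."""
import re
from typing import Dict, Iterable, Optional

MAX_ID = 2**31 - 1  # assumed upper bound for this application's IDs
# Canonical positive integer: no sign, no leading zero, no dot, no exponent.
_CANONICAL_INT = re.compile(r"[1-9][0-9]*")


def parse_resource_id(raw: str) -> Optional[int]:
    """Return the ID as an int only if `raw` is a canonical positive integer
    within bounds; otherwise None. The caller should answer 400 on None and
    never fall back to a default such as 0 or 'all records'."""
    if not _CANONICAL_INT.fullmatch(raw):
        return None  # rejects '', '0', '-5', '4.2', 'abc', '%27', '007', '1e3'
    value = int(raw)
    if value > MAX_ID:
        return None  # rejects "really big number" before it reaches a query
    return value


def probe_ids(samples: Iterable[str]) -> Dict[str, Optional[int]]:
    """Run the validator over sample inputs; returns {input: result}."""
    return {s: parse_resource_id(s) for s in samples}


# Constructed samples, one or more per input class from the tweet.
SAMPLES = ["42", "-42", "4.2", "abc", "%27", "99999999999999999999", "0", "007", "1e3"]

if __name__ == "__main__":
    for raw, result in probe_ids(SAMPLES).items():
        print(f"{raw!r:>24} -> {'400 Bad Request' if result is None else result}")
```

The validator is deliberately narrower than int(): leading zeros, signs and exponent notation all parse as numbers in many frameworks but are never what a client legitimately sends for a primary key, and the "0" case the tweet calls out is rejected for the same reason.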
I found out that you can use "ftp::" to convert a limited DOM Clobbering situation into a full CSPT. Then, while talking about it with @LooseSecurity, he found that we can also use "https::" This can be used to prevent URL parsing of href, allowing us to hit other endpoints
Modern websites use a lot of intermediary servers - caches, load balancers, proxies, and so on. You can try to send the 'Max-Forwards' header with your request to limit the amount of servers it will reach. It's defined in HTTP specs primarily for TRACE and OPTIONS methods,