Quick post regarding sqlite injection. TLDR, when using it for file creation, create a VIEW rather than a TABLE:

Earlier this year, @infosec_au and I discovered multiple vulnerabilities that allowed us to access the back office admin panel of ClubWPT Gold (the World Poker Tour's website) where we could manage customer data, KYC, and more. Read the writeup here: https://t.co/K2402UPWYk

Late last month, @SLCyberSec Security Researchers Adam Kues (@hashkitten) and Dylan Pindur presented on Finding Critical Vulnerabilities in Adobe Experience Manager at @BSidesCBR. Today, we’re releasing our research post and presentation slides: https://t.co/phzQWUJgCP.

This is how @infosec_au and @samwcyo tracked and unlocked every @subaru_usa 👉🏼 https://t.co/ML86wJvr6k (includes a free lab!)

Hey, could you watch our boss for a minute? Happy National Boss’s Day to all of the amazing bosses at SERVPRO franchises and headquarters who encourage us to do our best work each day! 🎥: SERVPRO of Cheviot Hills & Wilshire SERVPRO of Jackson/Crockett County SERVPRO of

We just posted our AttackerKB @rapid7 Analysis for the recent Cisco ASA 0day chain; CVE-2025-20362 and CVE-2025-20333. The auth bypass appears to be a patch bypass of an older 2018 vuln. The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to

Ever stumbled on an AEM box and thought “ok… now what?” 😏 We dropped hopgoblin — new research + tool XXE, SSRF, XSS & more (CVE-2025-54251, -54249, -54252, -54250/47/48/46). 👀 time for some crits eh? 👉 https://t.co/mt7Hy0L8DN

Today, members of our research team at @SLCyberSec, Dylan Pindur and Adam Kues (@hash_kitten), presented on pre-auth vulns in Adobe Experience Manager at @BSidesCbr. Will publish a blog post and slides in early Oct. For now, you can grab the tooling here: https://t.co/AthjRM1NNZ

My favourite finding from @SLCyberSec's Security Research team in 2025 so far is a secondary context path traversal in Omnissa Workspace One UEM (CVE-2025-25231). Really interesting bug, and fun kill chain to RCE.

Today I have a more serious topic than usual, please consider reposting for reach: My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/3]

At @defcon, I presented my research on client-side deanonymization attacks in @Google's Privacy Sandbox! Privacy research doesn't get as much attention, but ad-tech is increasingly embedded in everything - it's all about your attention and data.

We'll make an effort to make any future tool we create at Searchlight/Assetnote also be a part of this tool's site, even if we release an open-source repo of the direct tool. We want to make our tools and ideas accessible to everyone. Wordlists will always be free (0 credits).

More tools on the site: Expired Domain Checker, Registered Domain Search, Subdomain Takeover API, and Nowafpls, all accessible as an API. Credits replenish monthly, and every sign-up gets 100 credits. There are no paid plans; this is a free community project maintained by us.

We rebuilt Surf (SSRF Candidate Discovery) from scratch and made it something you can easily use inside your browser. Put in up to 1000 hosts, and we'll let you know which hosts are worth trying when exploiting SSRF. I use this tooling all the time when exploiting SSRF.

We also took feedback from the community, and our newest tool (Newtowner) now has a web version! This allows you to test access control bypasses by sending traffic from any Cloudflare datacenter region, or via AWS US-East-1.

Wordlists are now super easy to search for and download in bulk. Everything is API accessible, but you can DL from the web interface too. These wordlists have resumed updating from last month. I know a lot of people get value from these wordlists, so it's great to evolve it!

Today, we're releasing the new Searchlight Cyber (@SLCyberSec) tools website, which allows you to use several of our open-source tools for free via a web interface. You can self-register at https://t.co/eG7mEH9QYo (+ all our wordlists will be released there from now on!)

KEYNOTE: Not All Vulnerabilities Are The Same 10 years ago, @infosec_au spoke at the first BSidesCbr. Now Australia’s top bug bounty hunter, he’s back to unpack enterprise zero-days, building Assetnote’s team, and what makes a vuln actually matter.

The @SLCyberSec research team is releasing our final research post for our Christmas in July efforts, two RCEs and one XXE (all pre-auth) in Adobe Experience Manager Forms. One of the RCEs and the XXE still do not have official patches:

I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 https://t.co/SgsSyxoEMR 1/4

Blog for ToolShell Disclaimer: The content of this blog is provided for educational and informational purposes only. https://t.co/gT0aoKXkig #SharePoint #ToolShell