payloadartist

@payloadartist

Followers
42K
Following
14K
Media
895
Statuses
6K

Yapping about AI, AppSec, Hacking, & Cybersecurity • Helped secure organizations like Google • Opinions are my cat's • Part-time shitposter

$HOME
Joined August 2018
@payloadartist
payloadartist
5 years
If you are tired of googling for #BugBounty writeups, I made a little tool that lets you search writeups easily. You can also pull the search data in JSON format if you need it. #cybersecurity #bugbountytips #infosec #100DaysOfCode
65
1K
2K
@payloadartist
payloadartist
22 hours
There seems to be an open source competitor to "Xbow" called "Cybersecurity AI (CAI)" (h/t @luijait_) which is solving web CTFs with ease and claims to be a #bugbounty ready AI framework.
3
34
162
@payloadartist
payloadartist
2 days
Guys what is happening with the curl #bugbounty program?
6
1
40
@payloadartist
payloadartist
3 days
2 weeks in. Now I'm at 640. My pace of testing on this target is a bit slow. Repeater tabs now look horrible, because I'm messy with naming them. But there ya go.
@payloadartist
payloadartist
20 days
How many repeater tabs are you working with currently? I've 64, just started. #BugBounty
0
0
4
@payloadartist
payloadartist
4 days
Does that mean one vulnerability/misconfig in either of these OAuth implementations could potentially drain your wallet?
@Cointelegraph
Cointelegraph
5 days
🔥 NEW: MetaMask introduces Social login, enabling sign-in with Google and Apple. No seed phrases required.
1
0
9
@payloadartist
payloadartist
4 days
RT @intigriti: by @payloadartist is a search engine to find new bug bounty write-ups, reports, and other web hackin….
0
73
0
@payloadartist
payloadartist
5 days
Is the risk-reward worth it?
0
0
0
@payloadartist
payloadartist
5 days
Imagine someone exploiting a prompt injection in this extension through a website you're visiting. Based on a quick look, this extension should need a lot of permissions. That's a deep attack surface.
@AnthropicAI
Anthropic
5 days
We’ve developed Claude for Chrome, where Claude works directly in your browser and takes actions on your behalf. We’re releasing it at first as a research preview to 1,000 users, so we can gather real-world insights on how it’s used.
2
1
6
@payloadartist
payloadartist
5 days
didn't get any bounty, but still asked to perform a retest 🤨. is it normal?
6
1
65
@payloadartist
payloadartist
7 days
Pentester: "Your new AI chatbot leaked all the user data." Devs: "That's weird, we vibecoded it with Claude. It shouldn't do that." Auditor: "Is the AI GDPR compliant and has it completed its annual bias training?"
1
2
25
@payloadartist
payloadartist
8 days
Saw a guy vibe coding an exploit PoC today. Tab 1: ChatGPT. Tab 2: Gemini. Tab 3: Claude. Tab 4: Grok. Tab 5: DeepSeek. He fed each one the CVE details. Pasted the 5 resulting payloads into 5 separate shells. Launched them all against the target. Picked the one that popped root first.
12
22
302
@payloadartist
payloadartist
9 days
"Kudos don't pay bills" truer words were never spoken 👍 #bugbountytips
@MrTuxracer
Julien | MrTuxracer 🇪🇺
2 months
@payloadartist I, personally, do it like this: I keep all my exploits and techniques private until I have monetized them in the best way possible. Only then, I’ll publish them. Why? Because I’m not a charity org, and kudos don’t pay my bills 🤷‍♂️
0
1
9
@payloadartist
payloadartist
10 days
RT @kuzushi: I was thinking more about the post about websec getting harder. I think there is a reality of seasonality to vulnerabilities….
0
1
0
@payloadartist
payloadartist
11 days
RT @BugBountyDEFCON: Giveaway brought to you by @hackinghub_io: 5x Blind XSS vouchers, 5x Web Exploitation vouchers. How to enter: 1⃣ Follow…
0
171
0
@payloadartist
payloadartist
11 days
My pentester friends out there, do you feel the same?
60
37
949
@payloadartist
payloadartist
12 days
"Localhost tracking" - How Meta bypassed Android sandboxing to track users browsing other websites with Meta's embedded pixel. Fun fact: 22% of the most visited websites across the world embed Meta's pixel.
0
8
19
@payloadartist
payloadartist
14 days
Reverse Engineering Vercel's BotID | by @blastbots. #infosec #cybersecurity
1
4
20
@payloadartist
payloadartist
15 days
By @IceSolst.
0
1
7
@payloadartist
payloadartist
15 days
did you know there is a public, searchable database of every SSN? let's speed-run the chaos and just get it over with.
7
19
100
@payloadartist
payloadartist
17 days
Courtesy of @nickvangilder.
1
0
4
@payloadartist
payloadartist
17 days
CISSP ❌ CRTP ❌ the actual hands-on red teaming course with 1.337% pass rate 👇✅ bonus, it is taught on real systems
3
5
28