sudi
@sudhanshur705
Followers: 6K | Following: 32K | Media: 205 | Statuses: 3K
Remember, whatever happens... There's always a vulnerability https://t.co/FFVfnf39jY
India
Joined March 2015
Last year I found an XSS bug in Google IDX; here's a detailed writeup about it. Hope you will enjoy it, it's kinda lengthy :p Shoutouts to @MtnBer for finding the original bug in GitLab and @kl_sree @sivaneshashok for the required chains to complete the exploit. https://t.co/L3e5rCrUuy
sudistark.github.io
Technical breakdown of an XSS vulnerability in Google IDX Workstation.
Pwning OpenAI Atlas Browser, nice exploit starting with a postMessage XSS, by @S1r1u5_ and @sudhanshur705
https://t.co/Kshvwy2Uv4 Who said XSS is just about alert() popups ?
hacktron.ai
A critical ChatGPT Atlas Browser vulnerability: XSS on an OpenAI subdomain let attackers hijack tabs, leak browsing URLs, and steal OAuth tokens.
The writeup for the first challenge is cool, but the first one existed just as a warm up for the actually cool tricks in the second one. Go solve it.
And here's an update on this XSS miniseries by @7urb01! Next week we'll have something even cooler, so GO HACK THIS! https://t.co/dsrqj8Bo2d
One more to the list 🙇‍♂️ Learned about Mojo IPC calls this time, was tough compared to Comet browser as it was all internal. Hope you will like the blogpost, tried to make it a little bit more detailed this time https://t.co/5acc9ngN36
hacktron.ai
A critical ChatGPT Atlas Browser vulnerability: XSS on an OpenAI subdomain let attackers hijack tabs, leak browsing URLs, and steal OAuth tokens.
Part 3 of our Hacking AI Apps series. This time we hacked OpenAI Atlas Browser: A vulnerability that let us control tabs, leak browsing activity, and hijack your Reddit/Facebook accounts by stealing OAuth tokens. https://t.co/rhGzrfj5TW Stay tuned for Part 4: Antigravity!
Has anyone from India ordered PC build parts from these online vendors? I have to buy a motherboard; Amazon is selling it overpriced (-10k diff). The listed ones have mixed reviews, so not really sure whom to trust: elitehub, variety, vedant... https://t.co/ZyfyaowkMj
New blog - documented our CVE research process - patch analysis, setting up debug environments across different stacks, and keeping research organized. https://t.co/tJ7EZb4d87
Securing Perplexity’s AI Browser from a One-Click UXSS, good finding by @S1r1u5_ and @sudhanshur705
https://t.co/r5OL3q3zNr
hacktron.ai
How Hacktron AI Research team identified and prevented a critical UXSS vulnerability in Perplexity's AI Browser - Comet.
If a closing tag doesn’t match </[A-Za-z] (e.g. </~), browsers enter the Bogus Comment state and ignore everything until the next >. <? does the same because of ancient PHP/XML compatibility. That means #XSS like these are possible: https://t.co/5Z93fakGbC
I'm really excited to share my first research article related to hacking Google Gemini! https://t.co/e7GcJuGLCb
#bugSWAT #GoogleVRP
You can now audit Chrome extensions for common bugs using the @HacktronAI CLI! hacktron --agent chrome_extension
We helped secure @perplexity_ai's comet browser from a critical vulnerability that could let attackers hijack the agent to exfiltrate local files, read emails, and bypass SOP. Read the full blog: https://t.co/Tj3gCOuDxE
Today I discovered an SQLi vulnerability in a PostgreSQL application where the injection point was path-based with a strict length restriction (32 chars). Spaces, slashes, quotes, parentheses, etc. resulted in a 400 Bad Request error and the path wasn't URL-decoded
Thanks to @S1r1u5_ and AI, my dream of finding such bugs in browsers is coming to reality 😆. Check out the blogpost for details; many more browsers in the lineup as well.
We helped secure @perplexity_ai's comet browser from a critical vulnerability that could let attackers hijack the agent to exfiltrate local files, read emails, and bypass SOP. Read the full blog: https://t.co/Tj3gCOuDxE
Hey everyone! I’ve been building rep+, a lightweight HTTP Repeater inside Chrome DevTools. No proxy setup or certificates. Just open DevTools and start poking requests. It also has built-in AI for explanations and attack ideas. I’ll share one rep+ feature every day. Try it 👇
I talked a bit on BugBounties, Collaboration, AEMs and Burnout with @AseemShrey Go check it out! https://t.co/mEEc4scMlf
HTML tag names must start with an ASCII letter. If they don’t… https://t.co/2aWlwx6FdI
#xss
When I built the toy version, I gave it to Harsh and he started popping 0-days left and right and his work became strong data point for my AI pivot. He just published one of that research
With only 48 hours remaining in a bug bounty event, I used @HacktronAI CLI to perform large-scale analysis of several JDBC drivers. Netting $85,000 in total rewards. This write-up shows how AI-assisted vulnerability research is speeding up the work of researchers and leading to
Really enjoyed presenting the talk “Catching WordPress 0-Days on the Fly” at DeepSec conference in Vienna 🔥
@pyn3rd In the end we had shell (I was asleep when this happened). @rootxharsh is so exceptionally good, combining with @HacktronAI he becomes lethal, but at the same time he works really hard as well!!