fousekis (@0xfousekis)'s Twitter Profile
fousekis

@0xfousekis

All it takes is one param…

ID: 1075804441184559105

Joined 20-12-2018 17:25:41

67 Tweets

213 Followers

134 Following

Intigriti (@intigriti)

We recently asked what popular tools the community uses to automate JWT Exploitation! 😎️ Here are the top 3 popular tools recommended! A thread! 👇️

Gareth Heyes (@garethheyes)

My mate Nolan redesigned my book cover. He did a much better job than me! I've also updated the content to include more Server-Side Prototype Pollution and a few new XSS vectors. Please RT to support my work leanpub.com/javascriptforh… amazon.com/JavaScript-hac…

Intigriti (@intigriti)

Only bug bounty hunters can relate zzz  <⌒/ヽ-、___ /<_/____/  ̄ ̄ ̄ ̄ ̄ ̄ ̄    ∧_∧ Is my submission    (・ω・) triaged yet?   _|⊃/(___ / └-(____/

Jason Haddix (@jhaddix)

Ok fam. I’m giving away TWO free tickets to my course which takes place in two/three weeks. All you have to do to win is like, retweet this tweet, and reply with “tbhmlive.com!” I’ll pick winners next week! If you haven’t seen my course, check out the link!

Web Security Academy (@websecacademy)

🎄SQLi was first reported 25 years ago, by a researcher once known as Rain Forest Puppy, in Phrack Magazine on this day in 1998. 🎁 Happy birthday SQLi! 🎁 🐛Despite being around for 25 years, it's still essential knowledge for pentesters.

W31rd0 (@troll_13)

Happy to be selected as HackerOne Ambassador for Greece🇬🇷. Bug hunters in Greece feel free to join our club h1.community/greece-hackero… We are looking for people to join the team for the Ambassador Cup. If you are interested or have any question feel free to reach out. #BugBounty

Ngo Wei Lin (@creastery)

Check out my write-up on a seemingly harmless and limited send() in GitHub (CVE-2024-0200) and how it could be used to obtain environment variables from a production container and to achieve remote code execution in GitHub Enterprise Server: starlabs.sg/blog/2024/04-s…

Frans Rosén (@fransrosen)

My JAR-swapping research from Dec 2022 never got the blog post it deserved, but I uploaded the slides from the talk for those who rather read than watch: speakerdeck.com/fransrosen/sto…

d4d (@d4d89704243)

Curious about how a PDF can show different content in Safari, Chrome, and Firefox? I’ve just released proof of concept code that lets you generate fickle PDFs. portswigger.net/research/fickl…

Sonar Research (@sonar_research)

🔥 XSS on any website with missing charset information? 😳 Attackers may leverage the ISO-2022-JP character encoding to inject arbitrary JavaScript code into a website. Read more in our latest blog post: sonarsource.com/blog/encoding-… #appsec #security #vulnerability

Tavis Ormandy (@taviso)

This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵1/n

d4d (@d4d89704243)

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Neither did we. Enjoy! portswigger.net/research/bypas…

Dimitri 0s (@ch0pin)

🪼 Medusa 3.0.0 is out! 🪼 Dynamic module config, clearer class hooking output, and new modules for Medusa. Mango gets TruffleHog integration for secret scanning & Firebase key exposure analysis. Details: github.com/Ch0pin/medusa/…

Dimitri 0s (@ch0pin)

CVE-2025-29805: My latest contribution involved discovering a vulnerability in Outlook for Android that could have allowed attackers to read and write sensitive user data. msrc.microsoft.com/update-guide/e…

Mathias Karlsson (@avlidienbrunn)

I made a tool to help test archive (zip/tar) extraction bugs (sync working directory into archive, add path traversals, links, permissions, etc): github.com/avlidienbrunn/…

Dimitri 0s (@ch0pin)

While vendors dismiss the risk of vulnerabilities that require a third-party app to exploit, considering such scenarios unlikely to occur in practice, Google bans:
Google Bans 158,000 Malicious Android App Developer Accounts in 2024 thehackernews.com/2025/01/google…

James Kettle (@albinowax)

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓↓↓
