ARPSyndicate - Cyber & Open Source Intelligence (@arpsyndicate)'s Twitter Profile

A Global Cyber Intelligence Company with hyperspecialization in Information Discovery, Shadow IT & Vulnerability Intelligence

ID: 1726571887499821056

Link: https://www.arpsyndicate.io/pricing.html
Date: 20-11-2023 12:03:39

1.1K Tweets

373 Followers

247 Following

XBOW (@xbow):

Sometimes the most illogical approach wins. XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterintuitively returns text/html content type instead of JSON. The kind of discovery that comes from systematic testing without assumptions. Full hunt

djurado (@djurado9):

Check this XSS affecting every /aura instance on the internet 🎉 again, fully discovered by XBOW We’ve shared the full trace in case anyone is interested.

Silent Push (@silentpush):

Firefox has a cool hidden feature for phishing investigations 😄 CTRL+SHIFT+M opens up responsive design mode, a menu for simulating mobile devices via preset user agents and screen resolutions. Great for bypassing user agent blocks and seeing the "real" #phishing pages.

Steven Lim (@0x534c):

🕷️The Hunt for Spidy Phishing Domains🎣 The "KQL" to sniff out the web across your MDE & MDO telemetry 🤣 blog.checkpoint.com/research/expos… KQL: detections.ai/rules/1fb925e9…

5pider (@c5pider):

Introducing Havoc Professional: A Lethal Presence We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/introduct…

0xh3l1x (@cgomezz_23):

See you soon on #OOTB2025BKK to talk a bit about Phishing and new things :) Thank you very much for the confidence as always to the Out Of The Box Security Conference team and especially to l33tdawg <3 ootb.net/talks/cloud-ed…

JSec (@jsec_):

A student research team I lead discovered and reported a path traversal vulnerability in WinRAR. This vulnerability is not limited to WinRAR; it also affects various other software applications.

XBOW (@xbow):

When standard SQL injection vectors fail, dig deeper. ⚡️New XBOW discovery: Z-Push vulnerability hidden in Basic Authentication username field. Response timing differences revealed PostgreSQL time-based injection where obvious targets were clean. Full analysis:

Adel Ka (@0x4d31):

excited to be back in vegas for my second DEF CON, and second talk on the creator stage! i’ll be diving into a mix of my favorite things: network fingerprinting, honeypots, and ai agents! tool drops in a few days--stay tuned 👾defcon.org/html/defcon-33… wallofsheep

John Hultquist (@johnhultquist):

Google has just used AI and threat intel to foil a zeroday before it could launch. Working from artifacts gathered by GTIG, Big Sleep was used to identify a vuln before actors could ramp up exploitation. It doesn’t get much better than this in intel. blog.google/technology/saf…