Ranjeet Singh (@geekboyranjeet) 's Twitter Profile
Ranjeet Singh

@geekboyranjeet

Cyber Security Researcher

ID: 1136699860839616512

06-06-2019 18:22:20

318 Tweet

1,1K Followers

1,1K Following

Ranjeet Singh (@geekboyranjeet)

Honored to receive a reward and certificate of contribution from NCIIPC India for supporting the protection of critical information infrastructure by identifying key vulnerabilities. #bugbounty #hacking #nciipc

HackenProof (@hackenproof)

Huge Congrats to Last Week’s Top Hackers! Let’s celebrate the outstanding achievements of our top-3 leaderboard heroes: 🥇 blank – Setting the standard for excellence! 🥈 Ranjeet Singh – Pushing boundaries with every report! 🥉 Saurabh – A powerhouse of

HackenProof (@hackenproof)

HackenProof Hall of Fame: Weekly Edition! Say hello to our cyber rockstars who crushed it this week: 🏅 MVP: K A V E Y J O E – The ultimate Web3 guardian! ⚡ Rising Star: Ranjeet Singh – Making waves with every report! 🔥 Top Contributor: Kerolos Ayman – A powerhouse of skills!

Jason Haddix (@jhaddix)

⚠️ Giveaway time! ⚠️ 👇 📢 Our new course "Attacking AI" will be Feb 27-28! This two-day course equips security professionals with the tools and methodologies to identify vulnerabilities in AI systems. It's gonna be a BANGER. Syllabus: payhip.com/b/2qPZ1 We are giving

Lupin (@0xlupin)

We just released a new article on how we made 50,000$ in #BugBounty by doing a really cool Software Supply Chain Attack🔥 🔗Link: landh.tech/blog/20250211-…

Critical Thinking - Bug Bounty Podcast (@ctbbpodcast)

This bug is NUTS. xssdoctor spent so much time, moved heaven and earth, and bent the app to his will. Normally something like this would be a Critical Thinkers drop on the CTBB Discord. But today, we'll drop the explanation live, and the lab will be in Cters on Discord.

zhero; (@zhero___)

the research paper is out:

Next.js and the corrupt middleware: the authorizing artifact

result of a collaboration with inzo that led to CVE-2025-29927 (9.1-critical)

zhero-web-sec.github.io/research-and-t…

enjoy the read!

KNOXSS (@kn0x55)

🚨 1st KNOXSS GIVEAWAY of 2025 ! 🚨  

LIKE + SHARE this

to have a chance to win one of the following subscriptions:  

1 Pro 3-month 
1 Pro 6-month 
1 Pro 1-year

Winners of the draw will be announced next week.

Good luck! 😀

knoxss.pro - XSS for pros.

slonser (@slonser_)

I think many people are familiar with the topic of blind CSS exfiltration, especially after the post by Gareth Heyes
However, an important update has occurred since then, which I wrote below ->

Jorian (@j0r1an)

This includes a fun trick with User Activation. It can be used to detect when actions like shortcuts and clicks happen inside cross-origin iframes:

Ben Sadeghipour (@nahamsec)

This #NahamCon2025 talk has generated over $50,000 in bounties for YS and a few other hackers: Puny-Code, 0-Click Account Takeover. 🎥👉🏼youtu.be/4CCghc7eUgI

André Baptista (@0xacb)

10 ways to encode IPs to bypass validations 👇

8.8.1028 → Partial Decimal (Class B)
Combines the 3rd and 4th octets: 4 × 256 + 4 = 1028

8.525316 → Partial Decimal (Class A)
Combines the last three octets into one decimal number

0x08.8.004.004 → Mixed Encoding
Hexadecimal +

Lupin (@0xlupin)

2 AM in a Tokyo hotel room: Assetnote x Depi find a Dependency Confusion vuln that lands RCE on Netflix ! 🚀 Shout-out to shubs for the "keep digging" spark & Netflix security for stellar triage. Full write-up in thread 🧵

André Baptista (@0xacb)

This is how DOM clobbering works. When you create an element with an id, the browser automatically creates a global variable for that ID: <a id="foo"></a> Now window.foo points to that single element. But when you create multiple elements with the same id: <a

André Baptista (@0xacb)

I like to bypass XSS filters and sanitizers, so I keep forgetting to test for CSS exfiltration when I have HTML injection. This reminded me of the sic tool by d0nut 🦀 from a Singapore LHE, but there's also a cool list from PortSwigger 👇 github.com/PortSwigger/cs…