This was an interesting challenge. Instead of right-click and open in new tab, I found you can also use drag-and-drop into a popup window to achieve the same effect! With CSS you can make it convincing like clickjacking: gist.github.com/JorianWoltjer/…

JS, Python & Ruby all disagree on this regex rule 🤔👇

a lot of programmers experience back and neck pain but it's not from posture it's because they deserve it

Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->

soundcloud.com/ytcracker/ytcr…

bugcrowd Very well said. Sadly, the "hackers are partners" view is not very common among #BugBounty programs, and not even platforms.

PHRACK is coming to DEF CON! We're printing ~10,000 zines and giving an hour-long talk you won't want to miss! Stay tuned. 🔥 #40yrsOfPhrack #phrack72

Our team recently used a novel technique to increase the impact of what seemed to be only a blind SSRF. This novel technique involving HTTP redirect loops and incremental status codes led to full HTTP response leakage. Read more on Searchlight Cyber blog here: slcyber.io/assetnote-secu…

Used this trick go find a bug in a big AI app where I could read everyone’s private conversations! TLDR: You can do greater/less-than queries against UUIDs because in Supabase they’re stored like 128-bit integers Thanks to Joseph Thacker and Justin Gardner for the shoutout on the pod!

New blog post about all the fun I had red teaming at National CCDC this year! Covers some of the fun we had this year specifically relating to the web side of things, as well as some tips and resources for competitors & those interested in participating sshell.co/red-teaming-at…

When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (Ian Carroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456". ian.sh/mcdonalds

xEHLE detailed how a Django ORM injection in an online shooter game allowed them to steal crypto from the game wallet.

Hackers that hack to "Make the internet a safer place" are about as honest as politicians who go into politics to "make the country better". It's a way to make a living - myself included.

I found a vulnerability to be able to access any Microsoft building, leaking guest/visitor and Microsoft employee PII. Here is the writeup: blog.faav.top/break-into-any… #BugBounty #bugbountytips

🚨 1- CVE-2025-53770 is a variant of CVE-2025-49704 - a critical auth bypass in SharePoint's ToolPane.aspx endpoint. It lets attackers reach a page that can parse webparts without valid credentials, and with a chained deserialization bug, they can achieve RCE entirely in memory

I forgot to post this, here's how I hacked Minecraft Realms: blog.faav.top/hacking-minecr… #Minecraft

I must decline your offer for a product demo. It poses a conflict of interest. The interest in question? Preserving my will to live.

You’re probably using WebViews wrong. There are a million ways to use a WebView wrong. Properly securing a WebView is hard. In this thread, we’ll cover common vulnerabilities in wallet WebView implementations and the ways to properly secure WebViews.

I found another vulnerability to leak Microsoft Employee PII ($7500 Bounty) and 700M+ Microsoft partner records. Here's the writeup: blog.faav.top/microsoft-part… #BugBounty #bugbountytips