I just published a blog post about how npm could be used for privilege escalation in windows, show-casing some CLI and desktop security issues medium.com/@demonia/windo…

Anyone got mohd farzaan BSQLi source code? i wanna do some analysis too

I’ve been deep into desktop app pentesting for bug bounties and wanted to share one of the tools I built along the way. Walker is designed to find secrets in binaries using ReGex, do uncover hidden attack surfaces too like URLs in desktop apps. github.com/DEMON1A/Walker

Switch to Hetzner they say

I built the most useless tool ever, check how much hackers have made on HackerOne, publicly github.com/DEMON1A/bc

How I do my recon and end up finding hidden assets and vulnerabilities before anyone else Pt.1 medium.com/@demonia/how-i… #bugbounty #bugbountytips #bugbountytip

Inspired by Zwink I built zzl, an enhanced version of his script sslDomains_v3.py with performance improvements and more features <3 github.com/DEMON1A/zzl

I'm kinda cooking, stay tuned

Anyone wanna collaborate on some bug bounty? DM me if you down

Going live, bug bounty twitch.tv/mohammeddief

I just published a blog post showing how you can effectively use subwiz by Hadrian and automate the subdomains prediction process for your recon setup medium.com/@demonia/utili…

Hunting hackers is much more fun than bug bounty, I been ruining a hacker group called (NIGNOG) operation for days now, Every single time they re-claim access to the servers my automation just takeover their servers again, I expected more from the creators of FritzFrog malware

These Chinese hackers out there are actually scary, they're way much smarter than other hackers

Even though it wasn't considered a security issue, this report is one of my favourites so far, Love how clean and well explained this source code review is hackerone.com/reports/3133379

New disclosure: CRLF Injection in curl via --proxy-header While not a vuln by design, it's still dangerous in insecure usage. PoC + HackerOne report + curl team response github.com/Oblivionsage/c… hackerone.com/reports/3133379 #bugbounty #infosec #curl #CWE93 #hackerone

Id rather build 20 customizable fuzzers rather than go through a C/CPP codebase manually, Think about it

I reported a DNS takeover, the POC is a TXT DNS record. Report says "dig TXT poc.domain". Triager opens domain in the browser. Claims is not reproducible... What!?

Super interesting take from one of the greatest hackers He says Mythos is not as good as they claim, because zero-day vulnerabilities are not that hard to find for skilled hackers I'm far from the hacking world but sounds reasonable Any thought?