From "Log in with OAuth" to "Your Account Is Mine" I just published my first write-up on my blog: blog.mirzadzare.net/from-log-in-... This article is based on a recent #OAuth vulnerability I discovered. I hope you enjoy it! ❤️‍🔥🙌 #BugBounty #cybersecurity

It’s been a while since my last update, but I’m thrilled to share some exciting news about my project called Fback 1/5 #bugbounty #bugbountytips #bugbountytools #recon #hacking #CyberSecurity

Subdomain Enumeration - Finding subdomains that are hidden in the cloud. We need to conduct a certificate search on the IP ranges of cloud providers such as Amazon, Digital Ocean, Google, and Microsoft. 1/3

Root Detection & SSL Bypass Script github.com/0xCD4/SSL-by...

Bypass Cloudflare's /h/b/jsd challenge using 100% python github.com/xkiian/cloud...

I’ve updated the bug bounty & content creators starter pack with classic research group @hackerschoice.bsky.social! Let me know if you’re not on this list and would like to be added. go.bsky.app/GD7hKPX

I’ve added a new feature to Robofinder, and now you can extract old parameters from archived robots.txt files. This is very useful for your recon process because you may find hidden or deprecated parameters that other tools might miss. Github: github.com/Spix0r/robof...

During #x3ctf, I discovered an unintended solution that turned out to be a pretty cool generic technique. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests! Check out the writeup below: jorianwoltjer.com/blog/p/ctf/x...

Robots.txt File And #Reconnaissance What is a robots.txt file? The robots.txt file is designed to restrict web crawlers from accessing certain parts of a website. However, it often inadvertently reveals sensitive directories that the site owner prefers to keep unindexed. 1/3

Writeup-Miner is live again on T.me/Daily_Writeups Join to be among the first to access the latest cybersecurity write-ups! Source Code: github.com/Spix0r/write...

Find out about new JavaScript security vulnerabilites in npm packages on the Node.js Security newsletter: www.nodejs-security.com/newsletter/n...

To hack a thing, first learn to build it.

Hey BlueSky! I case you missed it: I've created cspbypass.com A site where you can search for known CSP bypass gadgets to gain XSS. It already contains a bunch of useful gadgets with contributions from your favourite hackers. If you have some CSP bypasses to share, feel free to contribute!

I'm building two web security tools at the moment: Shazzer - A shared online fuzzer shazzer.co.uk Hackvertor - Web security conversion tool hackvertor.co.uk

I've created a repo for top Nuclei templates from the security community. Contribute your templates or find powerful ones for CVE scans, fuzzing, and more! Let's build the largest Nuclei template library together! github.com/Spix0r/Nucle...

github.com/veikkos/bmw Guide on there for the BMW app should work on any other app

Can you drop every useful resources about hacking Wordpress websites? 👇🏻

If you write Python scripts, make yourself a favor and use the Rich library to beautify their output 🐍 🧑‍💻

Cloudrecon - This script is used to search for cloud certificate entities such as Amazon, Azure, and others that have been extracted by the kaeferjaeger[.]gay provider. github.com/Spix0r/cloud...

A younger me, as a pentester and bug hunter, had exactly the bias described in this article 🤫 Luckily, I later worked with and for "the other side" and it changed my mind 🤯 I hope young people reading it will avoid taking years to understand the complexities of fixing bugs in a timely manner 🤞

Hackvertor BApp pro tip: 🛠️ Did you know you can use Hackvertor tags inside custom tags? This also works with globally declared variables! Example set a global in a request: <@set_var(true)>1337<@/set_var> Custom JS tag: output = convert("< @get_var />") Now that's power 💪

While everyone waits for the next @bsideslondon.bsky.social, here are my slides from the previous event. This isn't entirely for self-promotion 😆, it's also because of the lack of resources out there for SOSL injection Apex and Java code for Salesforce. github.com/N1ckDunn/SOS...

I've developed a Python tool called Fback that generates wordlists for fuzzing backup files. It takes a JSON-based pattern file and a seed wordlist as input and produces a target-specific wordlist as output. Github: github.com/Spix0r/Fback #bugbounty #bugbountytools #cybersecurity

I've updated the bug bounty starter pack with some more hitters - re-subscribe to get them in your timeline. There's still 65 open places remaining so just let me know if you'd like to be added! bsky.app/starter-pack...

I've just updated Shortscan to support reading a list of URLs to scan from a file (and included a minor bugfix). Feedback welcome! The latest version is v0.9.2 and can be found on Github: github.com/bitquark/sho...

I've put aside Hunt for a month and I'm studying for my bachelor's courses so I can get into a master's program. In our country, we have to take an exam called the "Konkur" before we can start studying for a master's. I really miss Hunt! :) I hope I can hang in there for these two months.☠️

piping websocat to jq had weird buffering, so here's an ugly bash oneliner that infinitely listens to jetstream for some seconds, writing identity records to a file, then processing them to add bidirectional mappings for DID and Handle to redis gist.github.com/richinseattl...

What are the top 3 books you have read in your entire life?

I've done a whole bunch of talks, interviews and stuff on other people's YouTube channels over the years so I'm going to try and catalog them here. First up is a video with my good friend STÖK in which I demo some big bounty workflow stuff. This one is special. youtu.be/l8iXMgk2nnY

Last year, I developed a tool called Robofinder. It retrieves historical robots.txt files from archive[.]org, offering valuable insights for web application recon and information gathering. You can access the tool here: github.com/Spix0r/robof... #CyberSecurity #BugBounty #InfoSec

I’ve created a tool called Writeup-Miner to fetch the latest write-ups on any topic (specified by #hashtags) from Medium, store them in MongoDB or .txt, and send notifications to Telegram/Discord. You can access the tool here: github.com/Spix0r/write...

Here's another: make a looping gif into a non-looping gif, without messing up the palette: ffmpeg -i in.gif -loop -1 out.gif -filter_complex "[0:v] split [a][b];[a] palettegen [p];[b][p] paletteuse"

Apropos of nothing: if you want to embed subtitles into a video file you can do it with ffmpeg: ffmpeg -i infile.mp4 -i subs.vtt -c copy -c:s mov_text outfile.mp4

Tons of new URL validation bypasses were added to the @portswigger.bsky.social cheat sheet 💎

I've put together a comprehensive guide for anyone interested in configuring a #DNS server for Out-Of-Band ( #OOB ) data #exfiltration. This resource will enhance your understanding of how DNS operates. 1/3

Do we have any free platforms where I can run my #Python #script (Telegram bot)?

I’ve analyzed numerous tools, blogs, tweets, and other resources on bypassing 403 #Forbidden errors using HTTP Headers #Fuzzing techniques. After extensive research, I’ve compiled a list of headers you can fuzz to potentially #bypass 403 restrictions. 1/2 #BugBounty #bugbountytips #infosec #pentest

I've just dropped a #Python tool to exploit #Django RCE by leveraging #deserialization in session cookies. It forges a malicious cookie that executes system commands remotely. 🔗 Check it out here: github.com/Spix0r/djang... #CyberSecurity #BugBountyTools #RCE #BugBounty #Exploit #BugBountyTips

Bluesky now has over 10 million users, and I was #318,252!

The magic you're looking for is in the work you're avoiding.

Spent 2 days trying to learn Go by reading. Didn't work. So today I built hacking tools with Go instead. Awesome! Getting your hands dirty is the best way to learn. #go #golang #programming

What Are The Best Books or Websites To Learn Golang? #programming #golang #go

This is my first tweet? feed? thread or ....😂 Just testing blueSky... =)