Spring is just around the corner, and that's when I offer online training courses on Burp Suite Pro 👨‍🏫 Two sessions are planned (in English and French), and there are still a few spots left in each. Contact me to get an early-bird discount code! 💰

Thanks to everyone who nominated & voted in the top ten! The panel of @irsdl.bsky.social , @agarri.fr , @liveoverflow.bsky.social and myself are hard at work reviewing the 15 finalists... we're hoping to announce the winners next week!

In case you didn't vote yet (2 days left!), let me tell you that your participation is critical 🗳️ Indeed, the panel (that I'm part of) will only process the top X results and it may contain some sh*tty entries (because of ballot stuffing 🥴) So please do your part! 🙏

It's time to vote for your favorite Web Hacking Techniques of 2025 🗳️ portswigger.net/polls/top-10...

The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published 📅 - March 24th to 27th, in French 🇫🇷 - April 14th to 17th, in English 🇬🇧 hackademy.agarri.fr/2026 PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon 🎁

I'm slowly going though the talks from the CCC congress. Here's my favorites so far... ⤵️

Anna’s Archive is an incredible project aimed at preserving humanity’s knowledge and culture Their latest exploit is a near-full backup of Spotify. It includes 86 million songs, representing around 99.6% of listens 🎶 annas-archive.org/blog/backing...

Anna’s Archive is an incredible project aimed at preserving humanity’s knowledge and culture Their latest exploit is a near-full backup of Spotify. It includes 86 million songs, representing around 99.6% of listens 🎶 annas-archive.org/blog/backing...

Looks like the final OWASP Top 10 (2025) has been published: owasp.org/Top10/2025/. Based on commits, looks like this happened 5 days ago.

Good read github.com/readme/guide...

THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free. Updated monthly. Try: curl ip.thc.org/1.1.1.1 Raw data (187GB): ip.thc.org/docs/bulk-da... (The fine work of messede 👌)

#Protip Need to go really fast and HEAD is disabled? Use GET and the Range header...

The wait is over! Phrack 72 40th Anniversary Edition is available now. Order straight to your doorstep — the perfect gift for your fellow hacker, just in time for the holidays 🎄 No need to go to rely on the warez scene with scans anymore 😅 Order here: www.lulu.com/shop/phrack-...

THC Release: 🎄Smallest SSHD backdoor🎄 - Does not add any new file - Survives apt-update - Does not use PAM or authorized_keys Just SSHD trickery....adds one line only. More at thc.org/tips 👌

Looking for a Christmas gift for yourself? #burp #training #2026 There’s 9 seats left for the English-speaking session, and 5 for the French-speaking one

Great article 💎

Printed version of Paged Out #7, collected during GreHack 2025 🤩

This vulnerability was the inspiration for the first step of the Panel challenge we played during last week’s Grehack CTF But we found a dumb bypass 😎

📜 L’4N551 4 un3 m1551on 9our vou5. S1 vou5 l’4cc3973z, vou5 s3r3z 4m3n3 4 : *53rv1r l’1nt3r37 g3n3r4l 37 9ro73g3r l4 N471on f4c3 4 l4 m3n4c3 cy83r ; *1nc4rn3r l’3xc3ll3nc3 fr4nç4153 3n m4713r3 d3 cy83rd3f3n53. 9our 7rouv3r vo7r3 m1551on : 🔗 www.welcometothejungle.com/fr/companies...

Stealth (from Team-Teso, Phrack staff and other groups) passed away earlier this year 😢 I didn't know him personally, but his groundbreaking research has been a constant influence on my career www.thc.org/404/

Here's the recording of the stream we made earlier this week with @laluka.bsky.social, @thesytten.bsky.social and @rhynorater.bsky.social If you speak French, you may appreciate its title: "Caido de Noël" 😄 🎁 🎅 www.youtube.com/watch?v=JvUm...

I really want to know the full story behind this epic hack, and yet I also hope it is never solved.

I've uploaded the slides of my recent talk "JS Engine Security in 2025": saelo.github.io/presentation.... I think there'll also be a recording available at some point (otherwise I can make one as not everything's in the slides). Fantastic conference as usual, big thanks to the PoC Crew!

The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published 📅 - March 24th to 27th, in French 🇫🇷 - April 14th to 17th, in English 🇬🇧 hackademy.agarri.fr/2026 PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon 🎁

A little command-line trick... 🛠️ 🤓 You can use `rev` twice in order to process something from right to left. For example, in order to sort /etc/passwd by shell: cat /etc/passwd | rev | sort | rev

La Quadrature du Net n'est pas contente des récents articles sur GrapheneOS, et elle a bien raison ! 👿 🇫🇷

This year, I have gone back to talk at cybersecurity conferences, presenting the talk "app.alert(1) is the new alert(1)", at BSides Sofia and BSides Krakow. I have analyzed 4 CVEs: now you can find 3 PoCs in my GitHub :) because slides are cool, but code is better: github.com/luigigubello...

POV: you are a young woman celebrating a recent academic success

Hoy, c'est CE SOIR à 21H ! Dernier heads-up, mettez votre meilleur rappel / mémo / réveil, ou demandez à votre chat de vous ping ! Au programme : Hack Web / Hack IoT / Devops / Troll / Stories / CLI Tools / AI / Red-Team & Le QUIZZ ! Ah, et des goodies à gagner aussi, bc why not ! 🙃

🔗 Conférence complète/Full Talk: youtu.be/pq0NMN9HHOY 🎟️ Billets/Tickets NorthSec 2026: nsec.io #NorthSec #cybersecurity #infosec

Argument injection (and RCE) in three distinct AI agents blog.trailofbits.com/2025/10/22/p...

How the hack of a card shuffler presented at Blackhat 2023 by IOActive was used IRL by the mafia and some NBA members archive.is/7Pm1E

LA soirée du 200ème épisode est annoncée ! 👀 RDV ce Mardi 18 à 21h sur (oui comme d'hab en fait..) : 💌 www.twitch.tv/thelaluka 💌

AppSec Ezine - 612th edition #AppSec #Security 📚 pathonproject.com/zb/?2aa664fa...

Both Chrome and Firefox will disable XSLT in 2026 🪦 I fully agree with them: nobody uses this technology anymore in a browser, and it's full of bugs (as my previous research demonstrates) bugzilla.mozilla.org/show_bug.cgi... developer.chrome.com/docs/web-pla...

The release candidate of the OWASP Top 10 2025 has been released owasp.org/Top10/2025/0... The definitive release should be out on November 20th

Bizarrement, personne ne brandit l’article 40 du CPP pour les vidéos de Sainte-Soline publiées par Libération… 🥴 www.dailymotion.com/video/k1Tvpm...

AppSec Ezine - 611th edition #AppSec #Security pathonproject.com/zb/?7a6539c0...

The release candidate of the OWASP Top 10 2025 has been released owasp.org/Top10/2025/0... The definitive release should be out on November 20th

If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾 https://github.com/robre/jsmon There's also a fork with Discord support:

"who radicalized you" Nothing radicalized me, I was born with basic empathy. The world decided that was radical.

If you want to see beautiful pictures (and that’s an euphemism) in your feed, simply follow @armandsarlangue.bsky.social

If this is NOT corruption, then I wonder what corruption looks like 🤔

How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia: techcrunch.com/2025/11/03/h... #exploit #exploitation #zeroday #infosec #informationsecurity #cybersecurity

Ackman’s take is ridiculous 🤡

In France, we had a somewhat related story last year. In the end, Florent Curtet was sentenced for criminal conspiracy and complicity in attempted extortion www.lemonde.fr/pixels/artic...

This is a cool attack, create a machine running in Hyper-V on a victim's machine and do all your attacking through that while it runs in the background. www.theregister.com/2025/11/04/r...