I'm excited to share that I recently found a XSS in Quasar Framework. The CVE-2025-43954 has just been published to document this security issue. You can learn more about it here: - github.com/advisories/G...

You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study. portswigger.net/research/sam...

Great resource on secret leakage, I invite you to read it.

I’ve updated the bug bounty & content creators starter pack with classic research group @hackerschoice.bsky.social! Let me know if you’re not on this list and would like to be added. go.bsky.app/GD7hKPX

Thanks for your all your votes! The public vote is now closed, and we're kicking off the panel vote with fifteen quality nominations. In the meantime we just published a new technique ourselves - check it out here:

24 hours remaining until voting closes on the Top 10 (new) Web Hacking Techniques of 2024! If you haven't already voted now's the time to do it. portswigger.net/polls/top-10...

Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...

I've pushed some updates to Dom-Explorer: - Allow multiple pipeline embed - Short links for sharing/sync - Support for DomPurify triggers - User settings Give it a try and share your findings! yeswehack.github.io/Dom-Explorer

Last part/EP with @aethlios.bsky.social & @penthium2.bsky.social 😘 www.youtube.com/watch?v=UeOS...

youtu.be/67DIr_OmXVk cc @penthium2.bsky.social @aethlios.bsky.social 🌹

A younger me, as a pentester and bug hunter, had exactly the bias described in this article 🤫 Luckily, I later worked with and for "the other side" and it changed my mind 🤯 I hope young people reading it will avoid taking years to understand the complexities of fixing bugs in a timely manner 🤞

www.youtube.com/watch?v=adf3... with @aethlios.bsky.social & @penthium2.bsky.social 💝

Yo ! 🧙‍♂️ Prochain stream demain -mardi 10 Dec- à 21h ! Au programme ? We Deep Dive ! 🧐 - Reset-tolkien par @AethliosIK (X) 🗝️ - Portainer & UID remap par @penthium2 (X) 🐳 www.twitch.tv/thelaluka

Bonjour, Bienvenue dans ce live-skeet du procès de Florent Curtet, ce trentenaire poursuivi pour des extorsions numériques, jugé en cette fin de mois à Paris par le tribunal judiciaire.

A really comprehensive resource on CORS attacks. I'm going to rework my course slides based on this research, thank you for your contribution!

Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :) bsky.app/profile/jame...

I'm glad to see so many people switching over to Bluesky and following me! Take the time to discover my open source tool on sandwich attacks : 👉 github.com/AethliosIK/r...

In case you're a professional Burp Suite user, there's a few seats left for the Q1 2025 training sessions hackademy.agarri.fr/2025

Any bug bounty people around? I'm creating a starter pack of people to follow but it's pretty brief currently! Let me know if you'd like to be added: go.bsky.app/GD7hKPX

My second article on time-based secrets has just been published! 🚀 I explore a new usecase of the sandwich attack to set up a scenario for real-time monitoring of web application invitations. - English version: aeth.cc/public/Artic... - French version: aeth.cc/public/Artic...

Following #bugbounty findings, I started focusing my research on time-based secrets. This research began for me a year ago, and enabled me to take the time to implement my open source tool: “Reset Tolkien”. 🚀 I've written an article detailing my research : - 🇬🇧 EN : www.aeth.cc/public/Artic...