Trickest

Verified account

@trick3st

Visualize, operate & scale everything offensive security in one-platform.

Dover, Delaware

Joined May 2020

17 Following

10.9K Followers

1.5K Posts

trick3st retweeted

Nenad Zaric @ZaricNenad_

9 months ago

One weak password. Full control. Earlier this year, attackers opened a dam valve for hours. The press called it “sophisticated.” The reality: an exposed admin panel and weak credentials. Once you understand the process, execution is trivial. https://t.co/6dMhyBefr5

ZaricNenad_'s tweet photo. One weak password. Full control.

Earlier this year, attackers opened a dam valve for hours. The press called it “sophisticated.”

The reality: an exposed admin panel and weak credentials.

Once you understand the process, execution is trivial.

https://t.co/6dMhyBefr5 https://t.co/OsXATfAnZ8

0

3

2

1

856

trick3st retweeted

André Baptista

10 months ago

If you need a list of trusted resolvers, e.g. to be used with puredns for active enumeration, @trick3st has a great one. Just run this: ⌨️ curl https://t.co/qRAi2eIwYn -O More stuff at👇 https://t.co/oaiALPCrh9

0xacb's tweet photo. If you need a list of trusted resolvers, e.g. to be used with puredns for active enumeration, @trick3st has a great one.

Just run this:
⌨️ curl https://t.co/qRAi2eIwYn -O

More stuff at👇
https://t.co/oaiALPCrh9 https://t.co/mgaoYAQ3sZ

0

64

12

58

4K

11 months ago

Tools aren't enough. Trickest modules combine multiple techniques into complete workflows. Our admin panel scanner finds exposed admin interfaces across various technology stacks.

trick3st's tweet photo. Tools aren't enough. Trickest modules combine multiple techniques into complete workflows.

Our admin panel scanner finds exposed admin interfaces across various technology stacks. https://t.co/djBQVSVXMR

0

3

0

5

787

11 months ago

Check it out here 👇 https://t.co/zLRUC5i25H

0

1

1

0

514

Who to follow

Verified account

Stay ahead with updates on high-profile vulnerabilities, expert tutorials, essential safety tips, and the latest Netlas developments.

Youssef Sammouda (sam0)

Security Researcher/Hacker 1st in Meta bug bounty program for 6 years Opinions are my own and not my employer's.

encodedguy - jsmon.sh

Verified account

Co-founder of @jsmonsh

11 months ago

ToolShell coverage has been all over the place. We held off publishing until we could reconcile the discrepancies between the original exploit reports, Microsoft’s advisories, public PoCs, and vendor writeups. Appendix breaks down the CVE mixups and variant exploits

trick3st's tweet photo. ToolShell coverage has been all over the place.

We held off publishing until we could reconcile the discrepancies between the original exploit reports, Microsoft’s advisories, public PoCs, and vendor writeups.

Appendix breaks down the CVE mixups and variant exploits https://t.co/hSwRKUrQfi

2

6

2

1

860

11 months ago

Why spend hours building in-house security workflows when you can deploy proven ones instantly? Trickest's workflow library lets you copy and run comprehensive attack chains on your targets with just a few clicks. From web server discovery to credential hunting - battle-tested automations ready for immediate deployment. Security testing shouldn't require reinventing the wheel every time.

trick3st's tweet photo. Why spend hours building in-house security workflows when you can deploy proven ones instantly?

Trickest's workflow library lets you copy and run comprehensive attack chains on your targets with just a few clicks. From web server discovery to credential hunting - battle-tested automations ready for immediate deployment. Security testing shouldn't require reinventing the wheel every time.

1

3

2

0

914

11 months ago

Modern attack surface management means having your security data at your fingertips. Query, filter, and analyze your external footprint in real-time to stay ahead of threats and maintain visibility across your entire digital infrastructure. Learn more: https://t.co/a0SFY1BFK0

0

3

1

1

520

12 months ago

Which of these checks will you add to your workflow first?

0

0

0

0

177

12 months ago

6/ SAST-type scans Do a quick pass for known bad patterns and dangerous functions using static analysis. This won't replace manual review, but it gives you a starting point, especially useful when you’re short on time or scanning large codebases.

1

0

0

0

190

12 months ago

5/ Secret scanning Scan for hardcoded secrets, tokens, and credentials in JS files. The frontend might be handling things it shouldn't, or something was left behind during development. Hardcoded "Authorization" headers with high privileges pop up more often than you'd expect

1

0

0

1

168

12 months ago

Your JavaScript analysis automation should do these 6 things before handing you the code 🧵👇

1

2

0

3

473

12 months ago

4/ Component scanning Your automation should extract all imported packages, then for each one, check: 🔵 is it outdated and potentially vulnerable? 🔵 is it unclaimed in a way that allows takeover?

1

0

0

0

163

12 months ago

Your automation should extract all endpoints from JS code, but also log where each one was found (filename, line number, etc). That context helps you track down how an endpoint is used and what parameters it needs.

1

0

0

0

149

12 months ago

3/ API endpoint extraction A lot of app logic lives in JS calling APIs. You won’t catch everything through the UI because a feature might: 🔵 be behind a feature flag, admin access, or a user tier 🔵 trigger after a specific interaction you missed 🔵 not be fully developed yet

1

0

0

0

150

12 months ago

2/ Resolve source maps What looks like one giant code blob may have started as a dozen source files bundled by a JS build tool. Before trying to prettify or de-obfuscate code, check for source maps. If available, they can help you reconstruct the original source files.

1

0

0

1

141

12 months ago

Your automation should: ✅ mirror the output directory structure to match the live website ✅ keep track of which pages referenced which JS file That way, you can hop around quickly without needing to search your proxy history over and over again.

1

1

0

0

140

12 months ago

1/ Download the code while maintaining context You want the full JS codebase in one folder so you can navigate, search, and build context quickly. But you also don't want to waste time later figuring out: ❓ where a file came from ❓ which page loaded it

1

1

0

0

127

about 1 year ago

Trickest ASM demo https://t.co/jM1D3CXxSi

0

1

0

3

489

about 1 year ago

High per-asset fees? Rigid scans? Legacy ASM can’t keep up. Trickest ASM gives you: 🔵 Zero per-asset fees ➡️ map every asset with no surprise costs 🔵 Drag-and-drop builder ➡️ easily customize discovery logic 🔵 Scale for 100K+ assets in parallel ➡️ no blind spots Check out the demo ⬇️

trick3st's tweet photo. High per-asset fees? Rigid scans? Legacy ASM can’t keep up.

Trickest ASM gives you:
🔵 Zero per-asset fees ➡️ map every asset with no surprise costs
🔵 Drag-and-drop builder ➡️ easily customize discovery logic
🔵 Scale for 100K+ assets in parallel ➡️ no blind spots

Check out the demo ⬇️

1

3

0

1

466

about 1 year ago

Which pitfall has tripped you up before?

0

1

0

1

769

about 1 year ago

Subdomain DNS brute force isn't just blasting "word + domain" DNS queries Here are six common pitfalls and how to avoid them:

1

99

21

144

14K

about 1 year ago

🚩Traffic saturation Flooding DNS queries too fast can overwhelm your local resources and lead to inaccurate results. Benchmark your setup, understand how your tool manages concurrency and sockets, and if speed is critical, distribute the workload across multiple machines.

1

2

0

2

897

Last Seen Users on Sotwe

Trends for you

Most Popular Users