Top Tweets for #WebApp_Security
#AppSec
#WebApp_Security
"A Large-Scale Study of Telegram Bots", Mar. 2027.
]-> Dataset https://t.co/HCAcGFim3Y
// This research provides the first large-scale characterization of Telegram bots by analyzing over 32K bots and 492M messages. The authors developed an automated interaction system to classify bots, uncovering both beneficial applications and sophisticated malicious infrastructures
#tools
#NetSec
#WebApp_Security
"Reducing Excessive Trust in the Web PKI Ecosystem", 2026.
https://t.co/vApENZWFp8
// examines the possibility of developing an add-on for the mitmproxy project to add drift detection for root CA certificates, incorporate policy-based controls over which CAs are allowed, and leverage an ensemble of existing technologies to reduce the level of trust placed in the public Web PKI. The result is a PoC tool, CertGuard, that provides a higher-security browsing experience and enables security-conscious users to make more informed risk decisions when browsing the web
#WebApp_Security
#Offensive_security
Top 10 New Web Hacking Techniques of 2025
https://t.co/jLDppuSxxC
// The top web hacking techniques of 2025 include parser differentials, HTTP/2 CONNECT exploits, cross-origin leaks, cache poisoning, and novel SSRF methods
#AIOps
#WebApp_Security
#Malware_analysis
"MalURLBench: A Benchmark Evaluating Agents’ Vulnerabilities When Processing Web URLs", 2026.
]-> https://t.co/PaDFd6S8t3
// The first benchmark for evaluating LLMs' vulnerabilities to malicious URLs
#AppSec
#Threat_Research
#WebApp_Security
ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants
https://t.co/3EqlqVANdS
// Attackers are tricking victims into copying/pasting OAuth URLs, including credentials, into a fake CAPTCHA
#AIOps
#WebApp_Security
"When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent", 2026.
]-> Repo - https://t.co/Czrw8p3sZU
// The first systematic study of social engineering attacks against web automation agents, together with the design of a pluggable runtime mitigation solution. On the attack side, we introduce the AgentBait paradigm, which exploits intrinsic weaknesses in agent execution: inducement contexts can distort the agent's reasoning and steer it toward malicious objectives misaligned with the intended task. On the defense side, we propose SUPERVISOR, a lightweight runtime module that enforces environment and intention consistency alignment between webpage context and intended goals to mitigate unsafe operations before execution
#WebApp_Security
Top 10 web hacking techniques of 2025: https://t.co/Loil61EIPP
Nominations - last updated 2026-01-06
]-> Eclipse on Next.js: Conditioned exploitation of an intended race-condition - https://t.co/69u7uajJOb
]-> Next.js, cache, and chains: the stale elixir - https://t.co/d8vGkPMPq3
]-> Unexpected security footguns in Go's parsers - https://t.co/fGUMBhOhmn
]-> Under the Beamer - https://t.co/2sx3DOMOvl
]-> Opossum Attack - https://t.co/kV7ojTCMnK
]-> The Fragile Lock: Novel Bypasses For SAML Authentication - https://t.co/OIuizXnzgj
]-> Funky chunks: abusing ambiguous chunk line terminators for request smuggling - https://t.co/tlH5POkFQE
]-> Funky chunks addendum: a few more dirty tricks - https://t.co/1U5ZWriGlf
]-> Cross-Site WebSocket Hijacking Exploitation in 2025 - https://t.co/SPsuBaVyWK
]-> SVG Filters - Clickjacking 2.0 - https://t.co/smznZ0LLev
]-> Nonce CSP bypass using Disk Cache - https://t.co/muj9t0UcwW
]-> Novel SSRF Technique Involving HTTP Redirect Loops - https://t.co/rcxpPrhO5l
]-> SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL - https://t.co/HZ06iN9ZuB
]-> Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests - https://t.co/ZvvVnYlTte
]-> ORM Leaking More Than You Joined For - https://t.co/QOXMn9e2Tt
#Analytics
#WebApp_Security
OWASP Top 10 2025:
The Ten Most Critical Web Application Security Risks
https://t.co/LWkk31PrKj
#tools
#WebApp_Security
"PixelPatrol3D: An In-Browser Vision-Based Defense Against Web Behavior Manipulation Attacks", 2025.
]-> PixelPatrol3D (PP3D) browser framework - https://t.co/Ik2h6YRzxq
// Pixel Patrol 3D (PP3D) - the first end-to-end browser framework for discovering, detecting, and defending against behavior-manipulating SE attacks in real time. PP3D consists of a visual detection model implemented within a browser extension, which deploys the model client-side to protect users across desktop and mobile devices while preserving privacy
#AIOps
#Fuzzing
#WebApp_Security
"In-Browser LLM-Guided Fuzzing for Real-Time Prompt Injection Testing in Agentic AI Browsers", 2025.
]-> Complete fuzzing platform - https://t.co/lzs5RrwNIe
// LLM-based agents integrated into web browsers offer powerful automation of web tasks. However, they are vulnerable to indirect prompt injection attacks. We present a novel fuzzing framework that runs entirely in the browser and is guided by an LLM to automatically discover such prompt injection vulnerabilities in real time. We demonstrate that our in-browser LLM-guided fuzzer can effectively uncover prompt injection weaknesses in autonomous browsing agents while maintaining zero false positives in detection
#AppSec
#WebApp_Security
1⃣ Hacking Veeam:
RCE, LPE, Auth. Bypass, NTLM Relay to Account Takeover, Broken Access Control & IDORs
https://t.co/231Xk2RNNh
// CVE-2024-29849, CVE-2024-42024, CVE-2024-29850, CVE-2024-29853, CVE-2024-29852
2⃣ Next.js Security Testing Guide
https://t.co/jDS5Yftnej
// How to assess Next.js apps for SSRF, XSS, CSTI, SSTI, CSRF, cache issues, and data leaks. Practical tips, checks, and tools
3⃣ Spring Cloud Gateway:
complicating evaluation context
https://t.co/baAxuNuBmo
// CVE-2025-41243 Complete exploit
#WebApp_Security
#Offensive_security
The Phantom Extension:
Backdooring chrome through uncharted pathways
https://t.co/7OWHtYL45i
// by leveraging a simple disk write primitive, it becomes possible to silently install custom extensions on Chromium‑based browsers deployed within Windows environments
#WebApp_Security
1. Anthropic MCP Inspector Vulnerability
- From XSS to RCE (CVE-2025-58444)
https://t.co/bGO7Za1Iox
2. XSS-Leak: Leaking Cross-Origin Redirects
https://t.co/Abs9n73jkT
#tools
#WebApp_Security
"Automated Testing of Broken Authentication Vulnerabilities in Web APIs with AuthREST", 2025.
]-> https://t.co/mR7JH6oro4
// AuthREST automatically tests web APIs for credential stuffing, password brute forcing, and unchecked token authenticity
#AppSec
#WebApp_Security
1. Critical UXSS in Opera Browser
https://t.co/o083RixkLs
// Leak open tab URLs (flag included)
2. Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
https://t.co/jL9YsooeaS
// deep dive into Electron CVE-2025-55305
3. RCE through a vulnerability in Facebook Messenger for Windows
https://t.co/2fxvNVBFOh
// Attacker: Pixel Fold, Android 14. Victim: Windows 11 Home 22H
#WebApp_Security
1. Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover
https://t.co/wBQPxmpMdU
2. Smuggling Requests with Chunked Extensions: A New HTTP Desync Trick
https://t.co/nL7pNI7TG0
3. Sitecore Experience Platform Cache Poisoning to RCE
https://t.co/RKfdLR5xv4
#Research
#WebApp_Security
34th USENIX Security Symposium:
"The Silent Danger in HTTP: Identifying HTTP Desync Vulnerabilities with Gray-box Testing", 2025.
]-> https://t.co/HOcOExaBGS
// HDHunter - automatic HTTP discrepancy detection framework using the gray-box coverage-directed differential testing technique
#Threat_Research
#WebApp_Security
HTTP/1.1 must die: the desync endgame
https://t.co/OfuoFRbCsw
// details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particularly critical for organizations using middleboxes to translate from HTTP/2 to HTTP/1.1
#WebApp_Security
1. Exploiting an ORM Injection to Steal Cryptocurrency from an Online Shooter
https://t.co/gzF2Y8s0hW
2. Delivering PHP RCE to the Local Network Servers
https://t.co/Uui4VcPNik
3. XSS in Google IDX Workstation
https://t.co/MgaRFurLeZ
#cryptography
#WebApp_Security
"SSH-Passkeys: Leveraging Web Authentication for Passwordless SSH", 2025.
]-> SSH Authentication with WebAuthn - https://t.co/KY1NiL90lE
// We propose the utilization of passkeys for SSH authentication, with the SSH-passkeys framework, by utilizing PAM and the Web Authentication API. We evaluate the prototype, comparing it with 36 authentication schemes, and find favorable security, deployability and usability characteristics. We experimentally validate the prototype, confirming the poor usability of key-based baselines and the ability of our approach to remedy those known problems