ICYMI: I created an LLM-powered tool to detect CVEs before they're even published - and it's now powering https://t.co/Tom5BRqpKA.
This is a simple GitHub page statically generated using vulnerability-spoiler-alert-action. Check out the backtest findings at https://t.co/VZ8WTWTGGF and let me know what you think the hit rate is!
I'm running this open-source vulnerability intelligence project using a personal API token, but maybe @AnthropicAI... or @OpenAI might want to support this? 👀
“Breaking malicious tasks into innocent-looking ones — that works. I naturally start a new chat whenever I want something done, and I also disable memory to keep previous context from slipping into the current conversation.”
We believe this is the first documented case of a large-scale AI cyberattack executed without substantial human intervention. It has significant implications for cybersecurity in the age of AI agents.
Read more: https://t.co/VxqERnPQRJ
Concerned about LLMs replacing pentesters? We've made enhancing your own workflow with AI easier than ever - you can now build your own AI features directly inside Repeater with Custom Actions. Here's one I built for myself which guesses param meanings:
IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: https://t.co/X3dkMz9gwK
I have published a tool based on jadx that helps analyze Java applications.
https://t.co/jVTKEM9fIc
BFScan generates HTTP requests and OpenAPI specs based on config files and class/method annotations.
It also searches strings that look like URIs, paths, or secrets.
This is a great infoleak exploit chain targeting YouTube by @brutecat. Love the use of a DoS flaw to make the attack stealthier!
https://t.co/aIqLDq9T9z
Curious to know how diverse the bug bounty community is! 🤔
Are you doing bug bounty hunting from an IT background or a non-IT background?
I honestly feel a lot of non-IT folks are doing really good. 🔥
Here's a poll to settle this.
#BugBounty#cybersecurity
When users register with a mobile number, but the payment gateway requires an email, companies often use dummy emails like @dummylegitdomain.com and submit to pg. These domains can be taken over by setting up a catch-all email, allowing access to payment information.
Developers often hardcode test or random Gmail addresses in GitHub repositories or elsewhere. If these Gmail accounts are available for takeover, they could potentially receive sensitive information.
check out my new tool everythingjs
https://t.co/EncGdOPsYO
- suports jsonl output
- extract endpoints, bucket links, secrets, dom sinks, beautified file js store & key search
- provides web UI
- support monitor mode (2s, 1d etc)
- support slack alerts
- pip install everythingjs
CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers
Find out about the Next.js vulnerability CVE-2024-51479 that could have exposed sensitive data. Take the necessary measures to secure your Next.js application.
https://t.co/aD1aGZhS9b
CAPTCHAs like "I'm not a robot" might vanish as AI agents rise, replaced by biometrics or behavior-based authentication for smoother human-AI internet use.