🚀 **Hack Like a Pro:** Extract IPs from Shodan HTML in Seconds! 🔥
Sick of digging through HTML? Let `grep` do the work! 💻
```bash
grep -oP '(?<=<strong>).*?(?=</strong>)' ip.html > ips
```
1️⃣ **Save Shodan page source as HTML**
2️⃣ **Run this command**
3️⃣ **BOOM 💥** — All IPs extracted to `ips`!
Master your toolkit! #KaliLinux #HackingTips #CyberSecurity #Shodan #OSINT
Confused by HTTP Request Smuggling? Spend 30 seconds reading this post, and you'll understand it forever.
HTTP Request Smuggling occurs when two network components (like a proxy and a backend server) process the same request but disagree on where the request ends.
This is typically caused by a mismatch in how the servers interpret two critical headers:
Content-Length (CL), and Transfer-Encoding (TE).
The Attack:
An attacker sends a request containing conflicting or obfuscated CL and TE headers.
The front-end proxy uses one header (e.g., CL) to determine the request boundary. The backend server uses the other header (e.g., TE) and sees an extra, leftover payload - the "smuggled" request.
This smuggled payload is then prepended to the next legitimate user's request, allowing the attacker to bypass security controls.
#CORS Misconfiguration If we see https://t.co/Vc9XuYwtJS is in the response
Request:
GET /about HTTP/2
Host: https://t.co/xs9L9fYLcD
Origin: https://t.co/Vc9XuYwtJS
Response:
HTTP/2 200
Access-Control-Allow-Origin: https://t.co/Vc9XuYwtJS
Access-Control-Allow-Credentials: true
Google Dorks are still undefeated in 2026. 🔍
Found a "sussy" config leak today full SMTP access was just sitting there in plain text.
Impact verified, report sent, and awareness raised.
credit: @0x0smilex#bugbountytips#ethicalhacking
Why to use a simple #XSS vector like this 🤔
<img src=x onerror=alert(1)>
When you can use a much better one? 🤩
1'//"//</Script><Img/Src%0AOnError=alert(1)//
The vector above pops in HTML and JS scenarios for single and double quotes! 🤯
Try here:
https://t.co/CqQkOoexzs
PDF file for XSS, it can bypass any waf
for who looking for Stored XSS , and it can be changed to blind if you want to
Simply I encoded the payload as ASCII hex
You can edit the payload over notepad++
https://t.co/LKbMKHUafk…
credits: @GodfatherOrwa#bugbountytips
PowerShell for Hackers, Part 1: The Basics
As a cybersecurity specialist, whether in an offensive or defensive role, you must be comfortable using PowerShell:
https://t.co/dONmPkrk24
@three_cube
Ladies adn Gentlemen , infosec Girls and infosec Boys, the #P1 Specialist @bugcrowd, We are more than honoured to have @XHackerx007 as our Speaker @BsidesMussoorie Don't loose your chance to meet, greet and attend his insigntful Session in April 2026,
Registrations Opening Soon
🛡️ AI-Powered SQL Injection Just Got Real - 𝗦𝗤𝗟𝗠𝗮𝗽 𝗔𝗜 𝗔𝘀𝘀𝗶𝘀𝘁𝗮𝗻𝘁
An SQL Injection testing assistant powered by AI.
Came across a powerful tool blending LLMs with offensive security.
🔗 https://t.co/ljN4zKO4Ea
#CyberSecurity
HTTP/2 is designed to eliminate many of the request smuggling flaws in HTTP/1.
But there’s a catch.
Many front-end servers still downgrade incoming HTTP/2 requests to HTTP/1 before passing them to the back end.
This is common because:
1️⃣ Legacy infrastructure still runs on HTTP/1
2️⃣ Reverse proxies often default to downgrading (sometimes with no disable option)
3️⃣ HTTP/2 and HTTP/1 carry equivalent data, so conversion is “easy”
The risk?
When HTTP/2 downgrades to HTTP/1, it reintroduces HTTP/1’s inherent ambiguity in request length handling.
Suddenly, a protocol that’s normally immune now has three ways to specify request length - the core weakness behind request smuggling attacks.
HTTP/2 downgrading is a silent, widespread risk.
If your upstream connections still use HTTP/1, your “secure” HTTP/2 site might be far more vulnerable than you think! 😮
Learn more: https://t.co/BrGgA4TbFH
#cybersecurity #http2 #websecurity #bugbounty #infosec
I found a weird WAF bypass.
soloboy");alert(origin);// => 403
solo,boy");alert(origin);// => 200
When I add a comma to the name, WAF gets bypassed. Application behaviour always surprises me.
🚨 New Writeup Alert! 🚨
"Host Validation Bypass via Connection State Attack: Multiple Requests Over the Same TCP Connection" by Bash Overflow is now live on IW!
Check it out here: https://t.co/LBYHGalI7w
#connectionreuseexploit#bugbounty#routingbasedssrf#ssrfviahostheader #hostheaderattack