Hey @garethheyes is there a way to make hackvertor tags work when sending a websocket request to repeater? It only sends the actual tag, not replacing it with a value on the latest Burp :(
Is your target leaking CSP violations left and right? Mikhail Khramenkov reveals how to hijack the onsecuritypolicyviolation event to trigger JS in hidden inputs - when unsafe-inline is in play and styles are blocked. Now live on our XSS cheat sheet.
Link to vector👇
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥
The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇
https://t.co/SgsSyxoEMR
1/4
We are super excited to share that we acquired the Shift Plugin (https://t.co/HatVFq6dTo) and we are making it free to Caido paid users 🚀
Shift is a Caido plugin that is a smart AI companion for your hacking. It can craft payloads, Match&Replace rules, HTTPQL queries and much more.
All details here: https://t.co/gZ42VATrFR
🚀 New on the BApp Store: UnUnicode
🔍 Automatically decode nested Unicode sequences in requests, responses, and WebSocket messages.
🧩 Custom tab for viewing unescaped content, enhancing visibility for manual inspection.
📄 Includes "pretty print" functionality for JSON content
When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (@iangcarroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456".
https://t.co/dBqpRpdp9T
How do we turn bad SSRF (blind) into good SSRF (full response)? The @assetnote Security Research team at @SLCyberSec used a novel technique involving HTTP redirect loops and incremental status codes that leaked the full HTTP resp. It may work elsewhere! https://t.co/CTSTEtKiD1
After @0xLupin's great article on dependency confusion on Netflix, some people suggested that I add a detector for npm packages in jxscout. I think this will be a great addition, I'll make a new pro release soon with this detector!
Original article: https://t.co/rSpsBSzYra
Did you know an input can use the form attribute to link to a form by ID letting it submit with the form even if it’s placed outside of it!? 👀
In this PHP example, an input outside the form adds a URL argument and only the second param value (1337) is echoed.
S/O to @encodeart and @ctbbpodcast! 🔥
AI is so hot right now that in a short while, specializing in AI will be about as common as specializing in software development.
Everyone SHOULD learn how to adapt to it, but also everyone WILL learn it. Find a way to keep your skillset niche and unique.
“Please limit your traffic to 2 requests per second when testing” my brother in planet earth, a legit website browsing would generate more requests per second
I just built a custom action to let you test for race conditions with a single click! No tab groups required, and it uses the cutting edge single-packet attack under the hood.
💡 Tip!
When looking for subdomain takeover vulnerabilities, don't just examine the CNAME records... 👀
Inspect the HTTP response too, as it can reveal more accurate signs of a third-party service that might be susceptible to subdomain takeovers! 😎
I've recently put more work into my ffuf fork, uff, and I think every ffuf user should at least give it a try - and maybe even switch to it.
Here's why, in a #bugbounty 🧵
Sharon Brizinov made ~$64k by recovering secrets from deleted files in public Git repos. Even after using git rm, files remain in the history stored in the .git/objects dir until garbage collection runs.
Here's the command to use:
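As an added walkthrough (my own script, not the command from the post above, and not the researcher's tooling), the shell below builds a throwaway repository with constructed fake secrets and recovers them in the two situations a practitioner meets. A file removed with a committed `git rm` stays reachable through history forever, so `git log --diff-filter=D` plus `git show <commit>^:<path>` restores it regardless of garbage collection. A commit that was rewritten away (here: made on a branch that is then deleted) is referenced only by the reflog; `git fsck --no-reflogs --unreachable` still finds its blobs in `.git/objects` until `git gc` prunes them. The values, file names and branch name are all assumptions for the demo; it only needs `git` on PATH.

```shell
#!/usr/bin/env bash
# Added example: recover "deleted" secrets from a local git repository.
# All repository content below is constructed for the demo; nothing is real.
set -eu

make_repo() {
  # Build a temp repo with (1) a secret file removed via a committed 'git rm'
  # and (2) a secret committed on a branch that is then deleted.
  local dir
  dir="$(mktemp -d)"
  (
    cd "$dir"
    git init -q
    git config user.email demo@example.invalid
    git config user.name demo
    git config commit.gpgsign false
    printf 'AWS_SECRET=constructed-example-value\n' > .env
    git add .env
    git commit -q -m 'add config'
    git rm -q .env                      # gone from worktree and index only...
    git commit -q -m 'remove secrets'   # ...the blob is still reachable from history
    git checkout -q -b leak             # assumed branch name for the demo
    printf 'DB_PASSWORD=another-constructed-value\n' > creds.txt
    git add creds.txt
    git commit -q -m 'oops'
    git checkout -q -
    git branch -q -D leak               # commit now lives only in the reflog / object store
  ) >/dev/null 2>&1
  printf '%s\n' "$dir"
}

# Case 1: the deletion was committed. Find the newest commit that deleted the
# path and print the parent's copy of the file. gc never removes this.
recover_from_history() {
  local dir="$1" path="$2" commit
  commit="$(git -C "$dir" log --diff-filter=D --format=%H -- "$path" | head -n 1)"
  git -C "$dir" show "${commit}^:${path}"
}

# Case 2: the commit was rewritten away. Walk every object that no ref reaches
# (reflogs ignored, since they would keep it "alive") and print the first blob
# containing the needle. This only works until 'git gc' prunes the object.
recover_dangling() {
  local dir="$1" needle="$2" sha content
  for sha in $(git -C "$dir" fsck --no-reflogs --unreachable 2>/dev/null \
               | awk '$1 == "unreachable" && $2 == "blob" { print $3 }'); do
    content="$(git -C "$dir" cat-file -p "$sha")"
    case "$content" in
      *"$needle"*) printf '%s\n' "$content"; return 0 ;;
    esac
  done
  return 1
}

# Stand-alone demo run.
repo="$(make_repo)"
echo "from history:      $(recover_from_history "$repo" .env)"
echo "from object store: $(recover_dangling "$repo" DB_PASSWORD)"
rm -rf "$repo"
```

Against a real clone, the history case is the cheap first pass: `git log --diff-filter=D --name-only --format=%H` lists every path ever deleted, and each one is a `git show` away. The dangling case is why "I force-pushed over it" is not a fix: the blob is still served by `git cat-file` from the local object store, and a fresh clone only loses it once the remote's own gc has pruned it.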